This is a note to let you know that I've just added the patch titled

    arm64: efi: Set NX compat flag in PE/COFF header

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From 3c66bb1918c262dd52fb4221a8d372619c5da70a Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel <ardb@xxxxxxxxxx>
Date: Fri, 10 Mar 2023 13:30:05 +0100
Subject: arm64: efi: Set NX compat flag in PE/COFF header

From: Ard Biesheuvel <ardb@xxxxxxxxxx>

commit 3c66bb1918c262dd52fb4221a8d372619c5da70a upstream.

The PE/COFF header has a NX compat flag which informs the firmware that
the application does not rely on memory regions being mapped with both
executable and writable permissions at the same time.

This is typically used by the firmware to decide whether it can set the
NX attribute on all allocations it returns, but going forward, it may be
used to enforce a policy that only permits applications with the NX flag
set to be loaded to begin with in some configurations, e.g., when Secure
Boot is in effect.

Even though the arm64 version of the EFI stub may relocate the kernel
before executing it, it always did so after disabling the MMU, and so we
were always in line with what the NX compat flag conveys, we just never
bothered to set it.

So let's set the flag now.

Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/arm64/kernel/efi-header.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/kernel/efi-header.S
+++ b/arch/arm64/kernel/efi-header.S
@@ -66,7 +66,7 @@ .long .Lefi_header_end - .L_head // SizeOfHeaders .long 0 // CheckSum .short IMAGE_SUBSYSTEM_EFI_APPLICATION // Subsystem - .short 0 // DllCharacteristics + .short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT // DllCharacteristics .quad 0 // SizeOfStackReserve .quad 0 // SizeOfStackCommit .quad 0 // SizeOfHeapReserve Patches currently in stable-queue which might be from ardb@xxxxxxxxxx are queue-6.2/efi-libstub-use-relocated-version-of-kernel-s-struct.patch queue-6.2/efi-libstub-smbios-use-length-member-instead-of-reco.patch queue-6.2/efi-earlycon-reprobe-after-parsing-config-tables.patch queue-6.2/arm64-efi-use-smbios-processor-version-to-key-off-am.patch queue-6.2/arm64-efi-set-nx-compat-flag-in-pe-coff-header.patch queue-6.2/efi-libstub-zboot-mark-zboot-efi-application-as-nx-compatible.patch queue-6.2/efi-sysfb_efi-fix-dmi-quirks-not-working-for-simpledrm.patch
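
Review bot: The new `.short IMAGE_DLL_CHARACTERISTICS_NX_COMPAT` value on the DllCharacteristics line is a promise to the firmware that rests on an invariant stated only in the commit message (the stub relocates the kernel only after disabling the MMU), so a short comment above that line recording the invariant would help keep a later stub change from silently breaking it. The hunk also does not show where IMAGE_DLL_CHARACTERISTICS_NX_COMPAT is defined, so for this backport it is worth confirming that the 6.2 tree already provides the constant to efi-header.S, since it replaces a literal 0.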
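
To confirm on a built, uncompressed image that the flag described in the commit message is actually present, the DllCharacteristics field can be read back from the PE/COFF optional header. The following is an added example, not part of the patch or the kernel tree; the helper names and the sample header are constructed for illustration, and 0x0100 is the PE/COFF NX-compat bit.

```python
import struct
import sys

NX_COMPAT = 0x0100  # PE/COFF DllCharacteristics NX-compat bit


class NotPE(ValueError):
    """Raised when the input does not carry a usable PE/COFF header."""


def dll_characteristics(image):
    """Return (Subsystem, DllCharacteristics) from a PE/COFF image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise NotPE("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # offset of "PE\0\0"
    if pe_off + 24 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise NotPE("missing PE signature")
    coff = pe_off + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if opt_size < 72 or opt + 72 > len(image):
        raise NotPE("optional header too short")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise NotPE("unknown optional header magic")
    # Subsystem is at offset 68 and DllCharacteristics at 70 in both layouts.
    return struct.unpack_from("<HH", image, opt + 68)


def is_nx_compat(image):
    return bool(dll_characteristics(image)[1] & NX_COMPAT)


def sample_header(dllchar):
    """Constructed minimal header for demonstration; not a bootable image."""
    buf = bytearray(0x40 + 4 + 20 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0xAA64)       # Machine: ARM64
    struct.pack_into("<H", buf, 0x44 + 16, 72)      # SizeOfOptionalHeader
    struct.pack_into("<H", buf, 0x58, 0x20B)        # PE32+ magic
    struct.pack_into("<HH", buf, 0x58 + 68, 10, dllchar)  # EFI application
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "NX_COMPAT" if is_nx_compat(f.read(4096)) else "no NX_COMPAT")
```

Run it with image paths as arguments; a compressed image has to be decompressed first, since the header is only visible in the raw PE/COFF file.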