Patch "x86/efistub: Remap kernel text read-only before dropping NX attribute" has been added to the 6.1-stable tree


 



This is a note to let you know that I've just added the patch titled

    x86/efistub: Remap kernel text read-only before dropping NX attribute

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     x86-efistub-remap-kernel-text-read-only-before-dropping-nx-attribute.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From stable+bounces-40259-greg=kroah.com@xxxxxxxxxxxxxxx Fri Apr 19 10:12:24 2024
From: Ard Biesheuvel <ardb+git@xxxxxxxxxx>
Date: Fri, 19 Apr 2024 10:11:29 +0200
Subject: x86/efistub: Remap kernel text read-only before dropping NX attribute
To: stable@xxxxxxxxxxxxxxx
Message-ID: <20240419081105.3817596-48-ardb+git@xxxxxxxxxx>

From: Ard Biesheuvel <ardb@xxxxxxxxxx>

[ Commit 9c55461040a9264b7e44444c53d26480b438eda6 upstream ]

Currently, the EFI stub invokes the EFI memory attributes protocol to
strip any NX restrictions from the entire loaded kernel, resulting in
all code and data being mapped read-write-execute.

The point of the EFI memory attributes protocol is to remove the need
for all memory allocations to be mapped with both write and execute
permissions by default, and make it the OS loader's responsibility to
transition data mappings to code mappings where appropriate.

Even though the UEFI specification does not appear to leave room for
denying memory attribute changes based on security policy, let's be
cautious and avoid relying on the ability to create read-write-execute
mappings. This is trivially achievable, given that the amount of kernel
code executing via the firmware's 1:1 mapping is rather small and
limited to the .head.text region. So let's drop the NX restrictions only
on that subregion, but not before remapping it as read-only first.

Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 arch/x86/boot/compressed/Makefile       |    2 +-
 arch/x86/boot/compressed/misc.c         |    1 +
 arch/x86/include/asm/boot.h             |    1 +
 drivers/firmware/efi/libstub/x86-stub.c |   11 ++++++++++-
 4 files changed, 13 insertions(+), 2 deletions(-)

--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -84,7 +84,7 @@ LDFLAGS_vmlinux += -T
 hostprogs	:= mkpiggy
 HOST_EXTRACFLAGS += -I$(srctree)/tools/include
 
-sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
+sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABCDGRSTVW] \(_text\|__start_rodata\|__bss_start\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
 
 quiet_cmd_voffset = VOFFSET $@
       cmd_voffset = $(NM) $< | sed -n $(sed-voffset) > $@
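Review bot: the extended alternation in sed-voffset emits VO___start_rodata only when nm lists a symbol named exactly __start_rodata with one of the [ABCDGRSTVW] type letters. Because sed runs with -n and /p, a missing or differently typed symbol silently produces no define, and the failure only surfaces later as an undeclared identifier where VO___start_rodata is used. A short comment above sed-voffset naming the symbols the boot code depends on, and why __start_rodata joins them, would make that dependency easier to trace.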
--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -330,6 +330,7 @@ static size_t parse_elf(void *output)
 	return ehdr.e_entry - LOAD_PHYSICAL_ADDR;
 }
 
+const unsigned long kernel_text_size = VO___start_rodata - VO__text;
 const unsigned long kernel_total_size = VO__end - VO__text;
 
 static u8 boot_heap[BOOT_HEAP_SIZE] __aligned(4);
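Review bot: kernel_text_size is defined as "VO___start_rodata - VO__text" with no comment on what it is meant to cover, and the commit message talks about the .head.text region while this expression spans everything from _text up to __start_rodata. Please add a comment saying this is the part of the image that gets remapped read-only and executable, and state the assumption that __start_rodata is page aligned: the consumer computes "rounded_end = roundup(start + size, EFI_PAGE_SIZE)", so an unaligned boundary would pull the start of the following region into the read-only, executable range.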
--- a/arch/x86/include/asm/boot.h
+++ b/arch/x86/include/asm/boot.h
@@ -81,6 +81,7 @@
 
 #ifndef __ASSEMBLY__
 extern unsigned int output_len;
+extern const unsigned long kernel_text_size;
 extern const unsigned long kernel_total_size;
 
 unsigned long decompress_kernel(unsigned char *outbuf, unsigned long virt_addr,
--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -227,6 +227,15 @@ efi_status_t efi_adjust_memory_range_pro
 	rounded_end = roundup(start + size, EFI_PAGE_SIZE);
 
 	if (memattr != NULL) {
+		status = efi_call_proto(memattr, set_memory_attributes,
+					rounded_start,
+					rounded_end - rounded_start,
+					EFI_MEMORY_RO);
+		if (status != EFI_SUCCESS) {
+			efi_warn("Failed to set EFI_MEMORY_RO attribute\n");
+			return status;
+		}
+
 		status = efi_call_proto(memattr, clear_memory_attributes,
 					rounded_start,
 					rounded_end - rounded_start,
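Review bot: the new set_memory_attributes call with EFI_MEMORY_RO in the "memattr != NULL" branch applies to whatever range the caller passes, so this function now means "make the range read-only and executable" rather than only dropping NX. The function name or a comment on it should say so, since a caller handing in a range that contains writable data would have that data made read-only. It would also help to report the returned status alongside the "Failed to set EFI_MEMORY_RO attribute" warning, so a firmware refusal can be told apart from other failures.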
@@ -778,7 +787,7 @@ static efi_status_t efi_decompress_kerne
 
 	*kernel_entry = addr + entry;
 
-	return efi_adjust_memory_range_protection(addr, kernel_total_size);
+	return efi_adjust_memory_range_protection(addr, kernel_text_size);
 }
 
 static void __noreturn enter_kernel(unsigned long kernel_addr,
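Review bot: with the range reduced to kernel_text_size, nothing in this function checks that the entry point assigned just above ("*kernel_entry = addr + entry;") lies inside the region that has NX cleared. A check that entry is below kernel_text_size before returning would turn a mismatched layout into an error here instead of a fault on the first instruction fetch. A comment that the rest of the image, from kernel_text_size up to kernel_total_size, is intentionally left with the attributes the allocation already had would also help.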


Patches currently in stable-queue which might be from kroah.com@xxxxxxxxxxxxxxx are

queue-6.1/x86-boot-drop-pe-coff-.reloc-section.patch
queue-6.1/x86-sme-move-early-sme-kernel-encryption-handling-into-.head.text.patch
queue-6.1/x86-boot-omit-compression-buffer-from-pe-coff-image-memory-footprint.patch
queue-6.1/x86-mm-remove-p-d_page_mask-and-p-d_page_size-macros.patch
queue-6.1/x86-efi-drop-alignment-flags-from-pe-section-headers.patch
queue-6.1/x86-boot-increase-section-and-file-alignment-to-4k-512.patch
queue-6.1/x86-head-64-add-missing-__head-annotation-to-startup_64_load_idt.patch
queue-6.1/x86-boot-define-setup-size-in-linker-script.patch
queue-6.1/x86-boot-split-off-pe-coff-.data-section.patch
queue-6.1/x86-boot-derive-file-size-from-_edata-symbol.patch
queue-6.1/x86-boot-construct-pe-coff-.text-section-from-assembler.patch
queue-6.1/x86-boot-grab-kernel_info-offset-from-zoffset-header-directly.patch
queue-6.1/x86-sev-move-early-startup-code-into-.head.text-section.patch
queue-6.1/x86-boot-remove-the-bugger-off-message.patch
queue-6.1/x86-head-64-move-the-__head-definition-to-asm-init.h.patch
queue-6.1/x86-boot-drop-references-to-startup_64.patch
queue-6.1/x86-efistub-use-1-1-file-memory-mapping-for-pe-coff-.compat-section.patch
queue-6.1/x86-efi-drop-efi-stub-.bss-from-.data-section.patch
queue-6.1/x86-efi-disregard-setup-header-of-loaded-image.patch
queue-6.1/x86-efistub-remap-kernel-text-read-only-before-dropping-nx-attribute.patch
queue-6.1/x86-efistub-reinstate-soft-limit-for-initrd-loading.patch
queue-6.1/x86-boot-set-efi-handover-offset-directly-in-header-asm.patch
queue-6.1/x86-boot-drop-redundant-code-setting-the-root-device.patch



