[PATCH v1 40/54] hardening: disable some features when EFI runtime support is enabled
Ahmad Fatoum
a.fatoum at pengutronix.de
Thu Dec 18 02:38:00 PST 2025
The way we compile the barebox EFI runtime makes it clash with some
of our hardening measures:
- ARM_MMU_PERMISSIONS: currently handles only a single text/rodata
section, but with .efi_runtime we have two of each, and the code
can't yet handle applying permissions. But even with that fixed, EFI
payloads expect to be mapped RWX apparently? Needs some more thought
put into it.
- Stack protector: Stack protector sits outside of the EFI runtime section
for now.
Signed-off-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
---
arch/arm/Kconfig | 1 +
lib/Kconfig.hardening | 2 ++
2 files changed, 3 insertions(+)
diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
index 4b7f5b83c67e..ae3de9504a9b 100644
--- a/arch/arm/Kconfig
+++ b/arch/arm/Kconfig
@@ -414,6 +414,7 @@ config ARM_UNWIND
config ARM_MMU_PERMISSIONS
bool "Map with extended RO/X permissions"
+ depends on !EFI_RUNTIME
default y
help
Enable this option to map readonly sections as readonly, executable
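Review bot: with `default y` on ARM_MMU_PERMISSIONS, the new `depends on !EFI_RUNTIME` makes the RO/X mapping disappear silently as soon as EFI_RUNTIME is selected, and nothing in the visible help text tells the user that this hardening is gone. Suggest a sentence in the help (or a Kconfig comment next to the dependency) noting that the option is unavailable with EFI_RUNTIME and why, so the loss of W^X protection is an informed choice rather than a surprise; the commit message already admits the exact EFI mapping requirement (RWX or not) is unresolved, so a TODO pointing at that would also help whoever revisits it.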
diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening
index 3b3ba6267aec..59dd02c9cfae 100644
--- a/lib/Kconfig.hardening
+++ b/lib/Kconfig.hardening
@@ -169,6 +169,7 @@ config STACKPROTECTOR_NONE
config STACKPROTECTOR_STRONG
bool "Strong"
depends on $(cc-option,-fstack-protector-strong)
+ depends on !EFI_RUNTIME
select STACKPROTECTOR
help
This option turns on the "stack-protector" GCC feature. This
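Review bot: the hunk gates STACKPROTECTOR_STRONG on !EFI_RUNTIME, but the reason given in the commit message (the stack protector code lives outside the EFI runtime section) would apply equally to any `-fstack-protector` variant, not only the strong one. Please confirm whether a non-strong stack protector option exists in this file and needs the same `depends on !EFI_RUNTIME`, or state in the commit message why it is unaffected.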
@@ -196,6 +197,7 @@ config STACKPROTECTOR_ALL
bool "All"
depends on $(cc-option,-fstack-protector-all)
depends on COMPILE_TEST
+ depends on !EFI_RUNTIME
select STACKPROTECTOR
help
This pushes and verifies stack protector canaries on all functions,
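Review bot: the rationale for `depends on !EFI_RUNTIME` on STACKPROTECTOR_ALL exists only in the commit message; the visible help text still describes the option as if it were always selectable. A short comment beside the new `depends on` line (e.g. "# canary and __stack_chk code are outside .efi_runtime") would keep the reason where the next reader of Kconfig.hardening will look, and makes it easier to drop the restriction once the EFI runtime section handles it.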
--
2.47.3