[PATCH 0/3] efi: arm64: Set NX compat flag where appropriate
Ard Biesheuvel
ardb at kernel.org
Fri Mar 10 04:50:23 PST 2023
PE/COFF images that can tolerate running under a strict W^X policy when
it comes to firmware provided allocations should indicate so, by setting
the associated bit in the PE/COFF header.

Today, this makes little difference, but going forward, restricted
policies regarding secure boot and measured boot (e.g., MS Secured-core)
may refuse to run such images altogether.

Given that the zboot and arm64 EFI stub implementations do not rely on
firmware provided mappings being writable and executable at the same
time, let's set this bit.

Note that a change landed in v6.3 where we no longer tolerate this
unless we remap the relocated kernel code read-only/executable
explicitly (patch #2).
Cc: Peter Jones <pjones at redhat.com>
Cc: Gerd Hoffmann <kraxel at redhat.com>
Cc: Ilias Apalodimas <ilias.apalodimas at linaro.org>
Cc: Kees Cook <keescook at chromium.org>
Ard Biesheuvel (3):
efi/libstub: zboot: Mark zboot EFI application as NX compatible
efi/libstub: arm64: Remap relocated image with strict permissions
arm64: efi: Set NX compat flag in PE/COFF header
arch/arm64/kernel/efi-header.S | 2 +-
drivers/firmware/efi/libstub/arm64-stub.c | 1 +
drivers/firmware/efi/libstub/zboot-header.S | 2 +-
3 files changed, 3 insertions(+), 2 deletions(-)
--
2.39.2
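The bit the series sets is IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the DllCharacteristics field of the PE/COFF optional header. As an added example, not part of this series or of the kernel tree, the following Python script parses a PE/COFF image far enough to report whether an arm64 EFI application carries that flag, and can set it on an unsigned image. The function names (inspect_pe, set_nx_compat, build_sample_image) and the minimal header fixture are constructed for this example; the header offsets and constants come from the Microsoft PE format specification.

```python
import struct
import sys

# Real PE/COFF constants from the PE format specification.
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
PE32PLUS_MAGIC = 0x20B
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
# DllCharacteristics sits at byte 70 of the optional header for both PE32 and PE32+.
DLLCHAR_OFFSET = 70


def _header_offsets(image: bytes) -> tuple[int, int]:
    """Return (COFF file header offset, optional header offset).

    Raises ValueError for truncated or non-PE input instead of reading
    out of bounds.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (size_opt,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # optional header follows COFF header
    if size_opt < DLLCHAR_OFFSET + 2 or opt + size_opt > len(image):
        raise ValueError("optional header too short")
    return coff, opt


def inspect_pe(image: bytes) -> dict:
    """Report machine, format, subsystem and the NX compat bit of a PE image."""
    coff, opt = _header_offsets(image)
    (machine,) = struct.unpack_from("<H", image, coff)
    (magic,) = struct.unpack_from("<H", image, opt)
    (subsystem,) = struct.unpack_from("<H", image, opt + 68)
    (dllchar,) = struct.unpack_from("<H", image, opt + DLLCHAR_OFFSET)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "subsystem": subsystem,
        "dll_characteristics": dllchar,
        "nx_compat": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def set_nx_compat(image: bytes) -> bytes:
    """Return a copy of the image with the NX compat bit set.

    Only meaningful before signing: this changes the bytes covered by the
    optional header CheckSum and by any Authenticode signature.
    """
    _, opt = _header_offsets(image)
    buf = bytearray(image)
    (dllchar,) = struct.unpack_from("<H", buf, opt + DLLCHAR_OFFSET)
    struct.pack_into("<H", buf, opt + DLLCHAR_OFFSET,
                     dllchar | IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
    return bytes(buf)


def build_sample_image(dll_characteristics: int) -> bytes:
    """Constructed minimal arm64 PE32+ EFI header (no sections); a test fixture only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    opt_size = 240                                   # PE32+ optional header incl. 16 data dirs
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARM64, 0, 0, 0, 0, opt_size, 0x0206)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_nx.py <Image or vmlinuz.efi>; falls back to the constructed fixture.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(0)
    info = inspect_pe(data)
    print(f"machine=0x{info['machine']:04x} pe32plus={info['pe32plus']} "
          f"subsystem={info['subsystem']} dllchar=0x{info['dll_characteristics']:04x} "
          f"nx_compat={info['nx_compat']}")
```

Run it against the arm64 kernel's PE image (arch/arm64/boot/Image, or the zboot vmlinuz.efi) before and after applying the series to confirm the bit flips; on a signed image, treat the checker as read-only, since rewriting the header invalidates the signature.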