To protect sections on page table level each section
needs to be aligned on page size (4KB).

Set sections alignment in linker script.

Signed-off-by: Evgeniy Baskov <[email protected]>
---
arch/x86/boot/compressed/vmlinux.lds.S | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
index 112b2375d021..6be90f1a1198 100644
--- a/arch/x86/boot/compressed/vmlinux.lds.S
+++ b/arch/x86/boot/compressed/vmlinux.lds.S
@@ -27,21 +27,27 @@ SECTIONS
HEAD_TEXT
_ehead = . ;
}
+ . = ALIGN(PAGE_SIZE);
.rodata..compressed : {
+ _compressed = .;
*(.rodata..compressed)
+ _ecompressed = .;
}
+ . = ALIGN(PAGE_SIZE);
.text : {
_text = .; /* Text */
*(.text)
*(.text.*)
_etext = . ;
}
+ . = ALIGN(PAGE_SIZE);
.rodata : {
_rodata = . ;
*(.rodata) /* read-only data */
*(.rodata.*)
_erodata = . ;
}
+ . = ALIGN(PAGE_SIZE);
.data : {
_data = . ;
*(.data)
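Review bot: _ecompressed, _etext and _erodata are assigned inside their output sections, before the following ". = ALIGN(PAGE_SIZE);", so each end symbol marks the end of the section's content rather than a page boundary. Code that turns these start/end pairs into page-table ranges has to round the end up to PAGE_SIZE itself. A short comment next to the new "_ecompressed = .;" saying that the start symbols are page aligned and the end symbols are not would prevent a caller from assuming both are.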
--
2.35.1
On Tue, 6 Sept 2022 at 12:41, Evgeniy Baskov <[email protected]> wrote:
>
> To protect sections on page table level each section
> needs to be aligned on page size (4KB).
>
> Set sections alignment in linker script.
>
> Signed-off-by: Evgeniy Baskov <[email protected]>
> ---
> arch/x86/boot/compressed/vmlinux.lds.S | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/arch/x86/boot/compressed/vmlinux.lds.S b/arch/x86/boot/compressed/vmlinux.lds.S
> index 112b2375d021..6be90f1a1198 100644
> --- a/arch/x86/boot/compressed/vmlinux.lds.S
> +++ b/arch/x86/boot/compressed/vmlinux.lds.S
> @@ -27,21 +27,27 @@ SECTIONS
> HEAD_TEXT
> _ehead = . ;
> }
> + . = ALIGN(PAGE_SIZE);
> .rodata..compressed : {
> + _compressed = .;
Why are you adding these?
> *(.rodata..compressed)
> + _ecompressed = .;
> }
> + . = ALIGN(PAGE_SIZE);
On other EFI architectures, we only distinguish between R-X and RW-
regions, and alignment between .rodata and .text is unnecessary. Do we
really need to deviate from that here?
> .text : {
> _text = .; /* Text */
> *(.text)
> *(.text.*)
> _etext = . ;
> }
> + . = ALIGN(PAGE_SIZE);
> .rodata : {
> _rodata = . ;
> *(.rodata) /* read-only data */
> *(.rodata.*)
> _erodata = . ;
> }
> + . = ALIGN(PAGE_SIZE);
> .data : {
> _data = . ;
> *(.data)
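Review bot: the last ". = ALIGN(PAGE_SIZE);" in the hunk sits in front of .data, and the diffstat's six insertions are all accounted for by the lines above, so nothing the linker script places after .data is aligned by this patch. If any later section is meant to get a protection different from .data, it needs the same ALIGN in front of it; otherwise the commit message should say that everything from _data onward is handled as one region.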
> --
> 2.35.1
>
On 2022-10-19 10:01, Ard Biesheuvel wrote:
> On Tue, 6 Sept 2022 at 12:41, Evgeniy Baskov <[email protected]> wrote:
>>
>> To protect sections on page table level each section
>> needs to be aligned on page size (4KB).
>>
>> Set sections alignment in linker script.
>>
>> Signed-off-by: Evgeniy Baskov <[email protected]>
>> ---
>> arch/x86/boot/compressed/vmlinux.lds.S | 6 ++++++
>> 1 file changed, 6 insertions(+)
>>
>> diff --git a/arch/x86/boot/compressed/vmlinux.lds.S
>> b/arch/x86/boot/compressed/vmlinux.lds.S
>> index 112b2375d021..6be90f1a1198 100644
>> --- a/arch/x86/boot/compressed/vmlinux.lds.S
>> +++ b/arch/x86/boot/compressed/vmlinux.lds.S
>> @@ -27,21 +27,27 @@ SECTIONS
>> HEAD_TEXT
>> _ehead = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .rodata..compressed : {
>> + _compressed = .;
>
> Why are you adding these?
It is used to address the compressed kernel blob during memory protection
setup.
Although it can be addressed via different symbols, I thought that
addressing section data in a common way (through linker-generated
symbols) would be better.
I can remove it or mention the change in the commit message (for now I
will do the latter).
>
>> *(.rodata..compressed)
>> + _ecompressed = .;
>> }
>> + . = ALIGN(PAGE_SIZE);
>
> On other EFI architectures, we only distinguish between R-X and RW-
> regions, and alignment between .rodata and .text is unnecessary. Do we
> really need to deviate from that here?
I thought that leaving a huge compressed kernel blob executable is
undesirable, so I decided to split it out. I can make it either RW- or
R-X if it would be more acceptable.
>
>
>> .text : {
>> _text = .; /* Text */
>> *(.text)
>> *(.text.*)
>> _etext = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .rodata : {
>> _rodata = . ;
>> *(.rodata) /* read-only data */
>> *(.rodata.*)
>> _erodata = . ;
>> }
>> + . = ALIGN(PAGE_SIZE);
>> .data : {
>> _data = . ;
>> *(.data)
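Review bot: the commit message describes only alignment, but the hunk also introduces the symbols _compressed and _ecompressed around *(.rodata..compressed). Name them and their intended user in the commit message, and consider a one-line comment at each ". = ALIGN(PAGE_SIZE);" stating which protection the following section is expected to receive, since the script itself does not say which boundaries separate different permissions.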
>> --
>> 2.35.1
>>
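
The alignment question debated in this thread, as an added example that is not part of the patch or of either reply: a small C checker that lays out the five sections named in the hunk with and without page alignment and reports the first section that would share a 4KB page with a differently protected earlier section. The section sizes, base address, protections assigned to each section and all function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL /* 4KB, as in the commit message */
#define PAGE_UP(a)   (((a) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))
#define PAGE_DOWN(a) ((a) & ~(PAGE_SIZE - 1))
enum { P_R = 1, P_W = 2, P_X = 4 };
struct section { const char *name; uintptr_t start, end; unsigned prot; }; /* [start, end) */

/* Place sections back to back; page_align models ". = ALIGN(PAGE_SIZE);" before each. */
static void layout(struct section *s, const uintptr_t *size, int n, uintptr_t base, int page_align)
{
    uintptr_t dot = base;
    for (int i = 0; i < n; i++) {
        s[i].start = page_align ? PAGE_UP(dot) : dot;
        s[i].end = dot = s[i].start + size[i];
    }
}

/* Page tables protect whole pages: return the first section that shares a
 * page with an earlier section of different protection, or -1 if none. */
static int first_conflict(const struct section *s, int n)
{
    for (int i = 1; i < n; i++)
        for (int j = 0; j < i; j++)
            if (PAGE_UP(s[j].end) > PAGE_DOWN(s[i].start) && s[j].prot != s[i].prot)
                return i;
    return -1;
}

/* Constructed sample; sizes and protections are assumptions, not from the patch.
 * split_ro: read-only data gets its own R-- pages, else it is mapped R-X. */
int demo(int page_align, int split_ro)
{
    unsigned ro = split_ro ? P_R : (P_R | P_X);
    struct section s[] = {
        { ".head.text", 0, 0, P_R | P_X }, { ".rodata..compressed", 0, 0, ro },
        { ".text", 0, 0, P_R | P_X }, { ".rodata", 0, 0, ro },
        { ".data", 0, 0, P_R | P_W },
    };
    const uintptr_t size[] = { 0x234, 0x91234, 0x5a10, 0x1c40, 0x800 };
    layout(s, size, 5, 0x1000000UL, page_align);
    return first_conflict(s, 5);
}

int main(void)
{
    printf("%d %d %d\n", demo(0, 1), demo(1, 1), demo(0, 0));
    return 0;
}
```

With read-only data split out, the unaligned layout already conflicts at index 1 (.rodata..compressed shares a page with .head.text) and the aligned layout has no conflict. With only R-X and RW- regions, the unaligned layout first conflicts at index 4, the boundary in front of .data.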