From: Ard Biesheuvel
Date: Wed, 24 Jun 2020 17:48:41 +0200
Subject: Re: [PATCH v3 3/9] efi/libstub: Remove .note.gnu.property
To: Kees Cook
Cc: Will Deacon, Fangrui Song, Catalin Marinas, Mark Rutland, Peter Collingbourne, James Morse, Borislav Petkov, Thomas Gleixner, Ingo Molnar, Russell King, Masahiro Yamada, Arvind Sankar, Nick Desaulniers, Nathan Chancellor, Arnd Bergmann, X86 ML, clang-built-linux, linux-arch, linux-efi, Linux ARM, Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 24 Jun 2020 at 17:45, Kees Cook wrote:
>
> On Wed, Jun 24, 2020 at 05:31:06PM +0200, Ard Biesheuvel wrote:
> > On Wed, 24 Jun 2020 at 17:21, Kees Cook wrote:
> > >
> > > On Wed, Jun 24, 2020 at 12:46:32PM +0200, Ard Biesheuvel wrote:
> > > > I'm not sure if there is a point to having PAC and/or BTI in the EFI
> > > > stub, given that it runs under the control of the firmware, with its
> > > > memory mappings and PAC configuration etc.
> > >
> > > Is BTI being ignored when the firmware runs?
> >
> > Given that it requires the 'guarded' attribute to be set in the page
> > tables, and the fact that the UEFI spec does not require it for
> > executables that it invokes, nor describes any means of annotating
> > such executables as having been built with BTI annotations, I think we
> > can safely assume that the EFI stub will execute with BTI disabled in
> > the foreseeable future.
>
> yaaaaaay. *sigh* How long until EFI catches up?
>
> That said, BTI shouldn't _hurt_, right? If EFI ever decides to enable
> it, we'll be ready?
>

Sure. Although I anticipate that we'll need to set some flag in the
PE/COFF header to enable it, and so any BTI opcodes we emit without
that will never take effect in practice.
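
For context on the annotation the thread says PE/COFF lacks: on ELF, a BTI/PAC build is marked in the `.note.gnu.property` section named in the subject line. The following is an added example, not code from the thread or the kernel; it parses one such ELF64 note and extracts the AArch64 feature bits. The function name `aarch64_feature_1` and the sample bytes are constructed for illustration, and a little-endian, 8-byte-aligned note is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NT_GNU_PROPERTY_TYPE_0             5
#define GNU_PROPERTY_AARCH64_FEATURE_1_AND 0xc0000000u
#define GNU_PROPERTY_AARCH64_FEATURE_1_BTI (1u << 0)
#define GNU_PROPERTY_AARCH64_FEATURE_1_PAC (1u << 1)

/* Constructed sample: note name "GNU", type 5, one property with BTI|PAC. */
static const uint8_t sample_note[32] = {
    4, 0, 0, 0,  16, 0, 0, 0,  5, 0, 0, 0,  'G', 'N', 'U', 0,
    0, 0, 0, 0xc0,  4, 0, 0, 0,  3, 0, 0, 0,  0, 0, 0, 0,
};

static uint32_t rd32(const uint8_t *p) /* little-endian 32-bit load */
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and sets *feat if FEATURE_1_AND is present, 0 if absent,
 * -1 if the note is malformed or truncated. */
int aarch64_feature_1(const uint8_t *sec, size_t len, uint32_t *feat)
{
    if (len < 16 || rd32(sec) != 4 || memcmp(sec + 12, "GNU", 4) != 0 ||
        rd32(sec + 8) != NT_GNU_PROPERTY_TYPE_0)
        return -1;
    size_t descsz = rd32(sec + 4), off = 0;
    const uint8_t *desc = sec + 16;
    if (descsz > len - 16)
        return -1;
    while (descsz - off >= 8) {
        uint32_t type = rd32(desc + off), datasz = rd32(desc + off + 4);
        off += 8;
        if (datasz > descsz - off)
            return -1;
        if (type == GNU_PROPERTY_AARCH64_FEATURE_1_AND) {
            if (datasz != 4)
                return -1;
            *feat = rd32(desc + off);
            return 1;
        }
        size_t adv = ((size_t)datasz + 7) & ~(size_t)7; /* 8-byte padding */
        if (adv > descsz - off)
            return -1;
        off += adv;
    }
    return 0;
}

int main(void)
{
    uint32_t f = 0;
    return aarch64_feature_1(sample_note, sizeof sample_note, &f) == 1 ? 0 : 1;
}
```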