From: Evgeniy Baskov
To: Ard Biesheuvel
Cc: Evgeniy Baskov, Borislav Petkov, Andy Lutomirski, Dave Hansen, Ingo Molnar, Peter Zijlstra, Thomas Gleixner, Alexey Khoroshilov, Peter Jones, lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v2 07/23] x86/build: Check W^X of vmlinux during build
Date: Tue, 25 Oct 2022 17:12:45 +0300
Message-Id: <84186fd75772b89be1984d6da0764a65cdef0c29.1666705333.git.baskov@ispras.ru>

Check if there are simultaneously writable and executable program segments in vmlinux ELF image and fail build if there are any. This would prevent accidental introduction of RWX segments.

Signed-off-by: Evgeniy Baskov
---
 arch/x86/boot/compressed/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index 3a261abb6d15..64de6c2b1740 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile 
@@ -112,11 +112,17 @@ vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o efi-obj-$(CONFIG_EFI_STUB) = $(objtree)/drivers/firmware/efi/libstub/lib.a +quiet_cmd_wx_check = WXCHK $< +cmd_wx_check = if $(OBJDUMP) -p $< | grep "flags .wx" > /dev/null; \ + then (echo >&2 "$<: Simultaneously writable and executable sections are prohibited"; \ + /bin/false); fi + $(obj)/vmlinux: $(vmlinux-objs-y) $(efi-obj-y) FORCE $(call if_changed,ld) OBJCOPYFLAGS_vmlinux.bin := -R .comment -S $(obj)/vmlinux.bin: vmlinux FORCE + $(call cmd,wx_check) $(call if_changed,objcopy) targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs -- 2.37.4
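
Review bot: cmd_wx_check passes whenever grep matches nothing, which includes the case where `$(OBJDUMP) -p $<` itself fails or prints nothing, so a missing or broken objdump silently turns the W^X check off; consider running objdump first, failing the command if it errors, and only then grepping its output. The diagnostic says "sections", but `objdump -p` lists program headers and the commit message speaks of segments, so "segments" would be the accurate word. `grep -q` and a plain `false` would replace `> /dev/null` and the hard-coded `/bin/false`. In the `$(obj)/vmlinux.bin` rule, `$(call cmd,wx_check)` is not wrapped in if_changed, so with FORCE it runs on every build, and `$<` there is the `vmlinux` prerequisite rather than the `$(obj)/vmlinux` target that the definition sits next to; a short comment stating which image is being checked would help.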