Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp5758191rwb;
        Tue, 22 Nov 2022 04:41:27 -0800 (PST)
X-Google-Smtp-Source: AA0mqf49UwKqvYcIxuGmJ0OmK1flwEogOr7B71pEBU1Kq2HL9Adykrs65ydPdhsDM89pg3ZiDhLT
X-Received: by 2002:aa7:9057:0:b0:573:1d31:2b78 with SMTP id n23-20020aa79057000000b005731d312b78mr5982503pfo.61.1669120887498;
        Tue, 22 Nov 2022 04:41:27 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669120887; cv=none;
        d=google.com; s=arc-20160816;
        b=vidssPCdtYHxm05hUvRQhauCVSuecxrEemw62nE58jDDfpzY+UQB4hAfhWvSfdAJkx
         rX7+EPNtxqPkZ9RvQK8RwoYs3IHuXIC+W174rwdgYxPg6mmVTjZn7i8qu3geN2YRyyW1
         KE3nyHipjmg6Gpi5AyBszMv4gktCRRn2R7vIBe7uq7E0vdNLW6wZsT4P8pd4s4bt+4z+
         FXBhe8GCNqUSlnkHLoQYG9QpyotRepLAIXErSnmDNbrAAqV2a/ro8N3pHVq1OJfoMqlu
         uXXggFCU4rtSXU2X2643BppyXGsFoO4u5ZF/l7PKxSFEMLKCVRQWnQVO23UlYu76MSmU
         BsxA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=zJyjXdeGncN0/sCqkQ6LWnTu+HAOR00PivwRmGI/62E=;
        b=fAnIJFGPjsV5KkYD7FjkWkMTVsSeNB3C+Akc9Hh8ByZVZt1UZACwK+a7HCl8ZMAvUm
         oE2jVix3miqorM46sSU+tRXDt4lsZKerffBQBu4uzT1IPF/afp5LUVV/W/8eeMADudOf
         k9Upr40pmmAu9PEDdLzZfkZQKh+UMVSHbGAEMCqDQTFYn5ZwVf5X8X8N2p9CF/D5TvVb
         UVK1yQKjxHymcDgLjS44UTnK72+Q/wPWBruAZ5Z5NQ6Zdhg3+JD4nBosS/QdOtWSaYsK
         VLrZ+IfFfMihy9GwTaP4DFB56Z0qRxHHtEP4oPFMFTvf3kebPX7OQY54ozmq8fIueW33
         XVtA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=XOkIZdYO;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id z2-20020a6553c2000000b0047787372364si3961200pgr.363.2022.11.22.04.41.16;
        Tue, 22 Nov 2022 04:41:27 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=XOkIZdYO;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233240AbiKVLNX (ORCPT <rfc822;2bno13@gmail.com> + 90 others);
        Tue, 22 Nov 2022 06:13:23 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58972 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233013AbiKVLMt (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 Nov 2022 06:12:49 -0500
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2F354A4;
        Tue, 22 Nov 2022 03:12:48 -0800 (PST)
Received: from localhost.localdomain (unknown [83.149.199.65])
        by mail.ispras.ru (Postfix) with ESMTPSA id 0491940737C3;
        Tue, 22 Nov 2022 11:12:42 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 0491940737C3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1669115562;
        bh=zJyjXdeGncN0/sCqkQ6LWnTu+HAOR00PivwRmGI/62E=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=XOkIZdYOveVvoUdyG5wJ1ub0mdhP43FQ/wnUmCYA90XpAOfHLev5q4XWjd+mmHXnX
         RvZZEsePoUe5/5lNRDYmdrM0J2lSA2lqxwSv0C5tolDpC9/FjmGGXfpF1KrlTUUqh/
         XXcfH0sglQeGoz6jxe4vQk2uu/eZ6L8XQG+M+5PM=
From:   Evgeniy Baskov <baskov@ispras.ru>
To:     Ard Biesheuvel <ardb@kernel.org>
Cc:     Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        Peter Jones <pjones@redhat.com>,
        "Limonciello, Mario" <mario.limonciello@amd.com>,
        joeyli <jlee@suse.com>, lvc-project@linuxtesting.org,
        x86@kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v3 07/24] x86/build: Check W^X of vmlinux during build
Date:   Tue, 22 Nov 2022 14:12:16 +0300
Message-Id: <686f40eb9c83f9b5e4deba7bfb6cc9c0626d310c.1668958803.git.baskov@ispras.ru>
X-Mailer: git-send-email 2.37.4
In-Reply-To: <cover.1668958803.git.baskov@ispras.ru>
References: <cover.1668958803.git.baskov@ispras.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Check if there are simultaneously writable and executable
program segments in vmlinux ELF image and fail build if there are any.

This would prevent accidental introduction of RWX segments.

Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
---
 arch/x86/boot/compressed/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 3a261abb6d15..64de6c2b1740 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -112,11 +112,17 @@ vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
 vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
 efi-obj-$(CONFIG_EFI_STUB) = $(objtree)/drivers/firmware/efi/libstub/lib.a
 
+quiet_cmd_wx_check = WXCHK   $<
+cmd_wx_check = if $(OBJDUMP) -p $< | grep "flags .wx" > /dev/null; \
+	       then (echo >&2 "$<: Simultaneously writable and executable sections are prohibited"; \
+		     /bin/false); fi
+
 $(obj)/vmlinux: $(vmlinux-objs-y) $(efi-obj-y) FORCE
 	$(call if_changed,ld)
 
 OBJCOPYFLAGS_vmlinux.bin :=  -R .comment -S
 $(obj)/vmlinux.bin: vmlinux FORCE
+	$(call cmd,wx_check)
 	$(call if_changed,objcopy)
 
 targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs
-- 
2.37.4