Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp945920rwb;
        Thu, 15 Dec 2022 04:42:37 -0800 (PST)
X-Google-Smtp-Source: AA0mqf5nW1sxddaRUunQcQ2HqhpoIYKN4JiOQ5QsUI8AInHdmt2j1IgOc9aVb6pjBKwDQOTW2K9y
X-Received: by 2002:a17:906:f9d9:b0:7c1:2e19:ba3f with SMTP id lj25-20020a170906f9d900b007c12e19ba3fmr23647391ejb.57.1671108157703;
        Thu, 15 Dec 2022 04:42:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1671108157; cv=none;
        d=google.com; s=arc-20160816;
        b=ivX6ebkfeXnXb2ELJrN2W4CoGf848ABhmAOs+X9Oj11I0v/rwYGTAiPl6ZPNXvzn7F
         25ZZQFX65NbnFHN0Whw1kT90fPavVXMadOpjgoQC/WDfuJY1Mskg1Nk1Lm904Jy8Zfcp
         xqxMLTSqntYcfUsmWh7e8bjJvUEzGS9FZ8mW5oGvDTkbsbNCqT7SnR8tC62NyaHzm2vV
         TBq1wOQankaDv7tQN1sd7DJ6U5IE1E8BlPiXn3NQQuxgfvTJ9W48aw6YBHrESFgBXsXo
         fwYM12Wt5fzSpdI36clxTXMcCG4yoaFDNHWID1EudOucFdVyCrWtUd3mgmZTHmYVRDRx
         PP/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature:dkim-filter;
        bh=aytHXLPe5WFTxHpmffbYFL3H8M/KUu6PP4gNt7AoPJg=;
        b=Q8DE8wwe+El6nSuHg5FN24TaOOOMNPiLZgwW5epvOcjVZNi2XSU5MFWlg1dyaN6uPv
         IaS97sGFvjsg0e/D81F3XjMpzeVi9+d5fBnZQJApkSuViGyQINzyX9oJ+KlZMLnVWeM3
         kwjGyaOH6/NgJWjlhc9SRTyflqQ2XhSempAM+stq/6WHHwZCRmDKg8vc70IBQCZ/9J27
         gZfvMv1WpPUQrqQ4WM+fuzst5OVsIeOmacu3CYML1iDMq+CZNH202nL/tdwT8MzdPlYY
         dDJjyUdSQVaD1f7dqVgVzNoYRLhbdMLpj1w7GqRMmKW6z9XXy5/XhNVDDT+kGHmDkIxy
         20TA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=cDcOgTU8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id rv25-20020a17090710d900b007b5dd3e6995si10699000ejb.917.2022.12.15.04.42.18;
        Thu, 15 Dec 2022 04:42:37 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=cDcOgTU8;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230011AbiLOMjQ (ORCPT <rfc822;2bno13@gmail.com> + 70 others);
        Thu, 15 Dec 2022 07:39:16 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53460 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229863AbiLOMiq (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 15 Dec 2022 07:38:46 -0500
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 332362F007;
        Thu, 15 Dec 2022 04:38:29 -0800 (PST)
Received: from localhost.localdomain (unknown [83.149.199.65])
        by mail.ispras.ru (Postfix) with ESMTPSA id BDB8F40737AF;
        Thu, 15 Dec 2022 12:38:22 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru BDB8F40737AF
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1671107902;
        bh=aytHXLPe5WFTxHpmffbYFL3H8M/KUu6PP4gNt7AoPJg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=cDcOgTU86qfkkn+GkGXQbTgcmNdsXr3SsKorZvfOGrPtndS75vMdtsk/bvB1QJW0Y
         T2KXVmJJay7h8hUyXr7tTDtj1syOzP6X9Yp+MDvxEUr+/sY+5PUSO/g0hKwV0XM17g
         BeYkQvie4yzPmMvIeTjfXjikHG6Ry6iRRfX/3bxw=
From:   Evgeniy Baskov <baskov@ispras.ru>
To:     Ard Biesheuvel <ardb@kernel.org>
Cc:     Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        Peter Jones <pjones@redhat.com>,
        "Limonciello, Mario" <mario.limonciello@amd.com>,
        joeyli <jlee@suse.com>, lvc-project@linuxtesting.org,
        x86@kernel.org, linux-efi@vger.kernel.org,
        linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v4 07/26] x86/build: Check W^X of vmlinux during build
Date:   Thu, 15 Dec 2022 15:37:58 +0300
Message-Id: <3ca525852ce14a8e04949ff115cb6ec28c8f120b.1671098103.git.baskov@ispras.ru>
X-Mailer: git-send-email 2.37.4
In-Reply-To: <cover.1671098103.git.baskov@ispras.ru>
References: <cover.1671098103.git.baskov@ispras.ru>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Check if there are simultaneously writable and executable
program segments in vmlinux ELF image and fail build if there are any.

This would prevent accidental introduction of RWX segments.

Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Tested-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
---
 arch/x86/boot/compressed/Makefile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 1acff356d97a..4dcab38f5a38 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -112,11 +112,17 @@ vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
 vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o
 vmlinux-objs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
 
+quiet_cmd_wx_check = WXCHK   $<
+cmd_wx_check = if $(OBJDUMP) -p $< | grep "flags .wx" > /dev/null; \
+	       then (echo >&2 "$<: Simultaneously writable and executable sections are prohibited"; \
+		     /bin/false); fi
+
 $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
 	$(call if_changed,ld)
 
 OBJCOPYFLAGS_vmlinux.bin :=  -R .comment -S
 $(obj)/vmlinux.bin: vmlinux FORCE
+	$(call cmd,wx_check)
 	$(call if_changed,objcopy)
 
 targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs
-- 
2.37.4