From: Evgeniy Baskov
To: Ard Biesheuvel
Cc: Evgeniy Baskov , Borislav Petkov , Andy Lutomirski , Dave Hansen , Ingo Molnar , Peter Zijlstra , Thomas Gleixner , Alexey Khoroshilov , Peter Jones , Gerd Hoffmann , "Limonciello, Mario" , joeyli , lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: [PATCH v5 07/27] x86/build: Check W^X of vmlinux during build
Date: Tue, 14 Mar 2023 13:13:34 +0300
Message-Id: <79fbb728535596eea7b429fc3ed39adc3c775c8a.1678785672.git.baskov@ispras.ru>
X-Mailer: git-send-email 2.39.2
In-Reply-To:
References:
X-Mailing-List: linux-kernel@vger.kernel.org

Check if there are simultaneously writable and executable program segments in the vmlinux ELF image and fail the build if there are any. This would prevent accidental introduction of RWX segments.

Tested-by: Mario Limonciello
Signed-off-by: Evgeniy Baskov
---
 arch/x86/boot/compressed/Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 6b6cfe607bdb..0c6e25279ec1 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -112,12 +112,17 @@ vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o vmlinux-objs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a +quiet_cmd_objcopy_and_wx_check = $(quiet_cmd_objcopy) +cmd_objcopy_and_wx_check = if $(OBJDUMP) -p $< | grep "flags .wx" > /dev/null; then \ + (echo >&2 "$<: Simultaneously writable and executable sections are prohibited"; \ + /bin/false); else $(cmd_objcopy); fi + $(obj)/vmlinux: $(vmlinux-objs-y) FORCE $(call if_changed,ld) OBJCOPYFLAGS_vmlinux.bin := -R .comment -S $(obj)/vmlinux.bin: vmlinux FORCE - $(call if_changed,objcopy) + $(call if_changed,objcopy_and_wx_check) targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs -- 2.39.2
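Review bot: the pipeline in `cmd_objcopy_and_wx_check`, `$(OBJDUMP) -p $< | grep "flags .wx"`, discards objdump's exit status, so if objdump is missing or fails the grep sees no output, the `if` takes the else branch and the build proceeds as though the image were clean; capturing the output first (e.g. `out=$$($(OBJDUMP) -p $<) || exit 1` and then grepping `$$out`) turns a tool failure into a build failure instead of a silent pass. The error text "Simultaneously writable and executable sections are prohibited" also does not match what is checked: `objdump -p` prints program headers, and the commit message correctly talks about segments, so the message should say "segments" so that a failing build points at the right ELF structure. Minor: `/bin/false` can be `exit 1` to avoid a hard-coded path.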