Date: Fri, 15 Sep 2023 11:22:27 +0200
From: Ingo Molnar
To: Ard Biesheuvel
Cc: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, Ard Biesheuvel, Evgeniy Baskov, Borislav Petkov, Dave Hansen, Ingo Molnar, Thomas Gleixner, Peter Jones, Matthew Garrett, Gerd Hoffmann, Kees Cook, "H. Peter Anvin"
Subject: Re: [PATCH v2 00/15] x86/boot: Rework PE header generation
In-Reply-To: <20230912090051.4014114-17-ardb@google.com>

* Ard Biesheuvel wrote:

> From: Ard Biesheuvel
>
> Now that the EFI stub boot flow no longer relies on memory that is
> executable and writable at the same time, we can reorganize the PE/COFF
> view of the kernel image and expose the decompressor binary's code and
> r/o data as a .text section and data/bss as a .data section, using 4k
> alignment and limited permissions.
>
> Doing so is necessary for compatibility with hardening measures that are
> being rolled out on x86 PCs built to run Windows (i.e., the majority of
> them). The EFI boot environment that the Linux EFI stub executes in is
> especially sensitive to safety issues, given that a vulnerability in the
> loader of one OS can be abused to attack another.
>
> In true x86 fashion, this is a lot more complicated than on other
> architectures, which have implemented this code/data split with 4k
> alignment from the beginning. The complicating factor here is that the
> boot image consists of two different parts, which are stitched together
> and fixed up using a special build tool.
>
> After this series is applied, the only remaining task performed by the
> build tool is generating the CRC-32. Even though this checksum is
> usually wrong (given that distro kernels are signed for secure boot in a
> way that corrupts the CRC), this feature is retained as we cannot be
> sure that nobody is relying on this.
>
> This supersedes the work proposed by Evgeniy last year, which did a
> major rewrite of the build tool in order to clean it up, before updating
> it to generate the new 4k aligned image layout. As this series proves,
> the build tool is mostly unnecessary, and we have too many of those
> already.
>
> Changes since v1:
> - drop patch that removed the CRC and the build tool
> - do not use fixed setup_size but derive it in the setup.ld linker
>   script
> - reorganize the PE header so the .compat section only covers its
>   payload and the padding that follows it
> - add hpa's ack to patch #4
>
> Cc: Evgeniy Baskov
> Cc: Borislav Petkov
> Cc: Dave Hansen
> Cc: Ingo Molnar
> Cc: Thomas Gleixner
> Cc: Peter Jones
> Cc: Matthew Garrett
> Cc: Gerd Hoffmann
> Cc: Kees Cook
> Cc: "H. Peter Anvin"
>
> Ard Biesheuvel (15):
>   x86/efi: Drop EFI stub .bss from .data section
>   x86/efi: Disregard setup header of loaded image
>   x86/efi: Drop alignment flags from PE section headers
>   x86/boot: Remove the 'bugger off' message
>   x86/boot: Omit compression buffer from PE/COFF image memory footprint
>   x86/boot: Drop redundant code setting the root device
>   x86/boot: Grab kernel_info offset from zoffset header directly
>   x86/boot: Drop references to startup_64

I've applied these first 8 patches to tip:x86/boot with minor edits.
(Please preserve existing comment capitalization conventions ...)

>   x86/boot: Set EFI handover offset directly in header asm
>   x86/boot: Define setup size in linker script
>   x86/boot: Derive file size from _edata symbol
>   x86/boot: Construct PE/COFF .text section from assembler
>   x86/boot: Drop PE/COFF .reloc section
>   x86/boot: Split off PE/COFF .data section
>   x86/boot: Increase section and file alignment to 4k/512

The rest conflicted with recent upstream changes, and I suppose it's
prudent to test these changes bit by bit anyway.

Thanks,

	Ingo
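
A check for the layout properties the cover letter describes (4k section alignment, no section that is both writable and executable), as an added example that is not part of the original message or of the patch series. The helper names and the two sample header layouts are constructed for illustration and are not taken from a real kernel image.

```python
import struct

MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000  # IMAGE_SCN_MEM_*
SECTION = "<8sIIIIIIHHI"  # one 40-byte PE/COFF section header

def pe_sections(image):
    """Return (SectionAlignment, [(name, virtual_address, characteristics)])."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (pe,) = struct.unpack_from("<I", image, 0x3C)            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (nsec,) = struct.unpack_from("<H", image, pe + 6)        # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", image, pe + 20)   # SizeOfOptionalHeader
    opt = pe + 24                                            # optional header start
    (sect_align,) = struct.unpack_from("<I", image, opt + 32)
    sections = []
    for i in range(nsec):
        name, _vsize, va, *_rest, flags = struct.unpack_from(
            SECTION, image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, flags))
    return sect_align, sections

def audit(image):
    """Findings that conflict with a 4k-aligned, W^X section layout."""
    sect_align, sections = pe_sections(image)
    findings = []
    if sect_align < 0x1000:
        findings.append(f"SectionAlignment {sect_align:#x} is below 4k")
    for name, va, flags in sections:
        if flags & MEM_WRITE and flags & MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
        if va % 0x1000:
            findings.append(f"{name}: starts at {va:#x}, not 4k aligned")
    return findings

def build_sample(sect_align, sections):
    """Constructed PE32+ headers only (no payload), for demonstration."""
    opt = bytearray(240)                                     # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)                    # PE32+ magic
    struct.pack_into("<II", opt, 32, sect_align, 0x200)      # Section/FileAlignment
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack(SECTION, n, 0x1000, va, 0, 0, 0, 0, 0, 0, fl)
                     for n, va, fl in sections)
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + table

# Constructed layouts: one combined RWX section versus a .text/.data split.
COMBINED = build_sample(0x20, [(b".text", 0x4200, MEM_READ | MEM_WRITE | MEM_EXECUTE)])
SPLIT = build_sample(0x1000, [(b".text", 0x1000, MEM_READ | MEM_EXECUTE),
                              (b".data", 0x5000, MEM_READ | MEM_WRITE)])
```

Calling `audit(open(path, "rb").read())` applies the same checks to an image file on disk.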