Date: Sun, 17 Sep 2023 19:50:49 +0200
From: Ingo Molnar
To: Ard Biesheuvel
Cc: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
    Ard Biesheuvel, Evgeniy Baskov, Borislav Petkov, Dave Hansen,
    Ingo Molnar, Thomas Gleixner, Peter Jones, Matthew Garrett,
    Gerd Hoffmann, Kees Cook, "H. Peter Anvin"
Subject: Re: [PATCH v3 0/8] x86/boot: Rework PE header generation
In-Reply-To: <20230915171623.655440-10-ardb@google.com>

* Ard Biesheuvel wrote:

> From: Ard Biesheuvel
>
> Now that the EFI stub boot flow no longer relies on memory that is
> executable and writable at the same time, we can reorganize the PE/COFF
> view of the kernel image and expose the decompressor binary's code and
> r/o data as a .text section and data/bss as a .data section, using 4k
> alignment and limited permissions.
>
> Doing so is necessary for compatibility with hardening measures that are
> being rolled out on x86 PCs built to run Windows (i.e., the majority of
> them). The EFI boot environment that the Linux EFI stub executes in is
> especially sensitive to safety issues, given that a vulnerability in the
> loader of one OS can be abused to attack another.
>
> In true x86 fashion, this is a lot more complicated than on other
> architectures, which have implemented this code/data split with 4k
> alignment from the beginning. The complicating factor here is that the
> boot image consists of two different parts, which are stitched together
> and fixed up using a special build tool.
>
> After this series is applied, the only remaining task performed by the
> build tool is generating the CRC-32. Even though this checksum is
> usually wrong (given that distro kernels are signed for secure boot in a
> way that corrupts the CRC), this feature is retained as we cannot be
> sure that nobody is relying on this.
>
> This supersedes the work proposed by Evgeniy last year, which did a
> major rewrite of the build tool in order to clean it up, before updating
> it to generate the new 4k aligned image layout. As this series proves,
> the build tool is mostly unnecessary, and we have too many of those
> already.
>
> Changes since v2:
> - rebase onto tip/master
> - drop patches that have been picked up already
> - fix issue in the linker script that resulted in a bogus setup_size in
>   some cases when using ld.bfd
> - fix comment capitalization
>
> Changes since v1:
> - drop patch that removed the CRC and the build tool
> - do not use fixed setup_size but derive it in the setup.ld linker
>   script
> - reorganize the PE header so the .compat section only covers its
>   payload and the padding that follows it
> - add hpa's ack to patch #4
>
> Cc: Evgeniy Baskov
> Cc: Borislav Petkov
> Cc: Dave Hansen
> Cc: Ingo Molnar
> Cc: Thomas Gleixner
> Cc: Peter Jones
> Cc: Matthew Garrett
> Cc: Gerd Hoffmann
> Cc: Kees Cook
> Cc: "H. Peter Anvin"
>
>
> Ard Biesheuvel (8):
>   x86/boot: Grab kernel_info offset from zoffset header directly
>   x86/boot: Set EFI handover offset directly in header asm
>   x86/boot: Define setup size in linker script
>   x86/boot: Derive file size from _edata symbol
>   x86/boot: Construct PE/COFF .text section from assembler
>   x86/boot: Drop PE/COFF .reloc section
>   x86/boot: Split off PE/COFF .data section
>   x86/boot: Increase section and file alignment to 4k/512
>
>  arch/x86/boot/Makefile                 |   2 +-
>  arch/x86/boot/compressed/vmlinux.lds.S |   5 +-
>  arch/x86/boot/header.S                 | 146 +++++++------
>  arch/x86/boot/setup.ld                 |   7 +-
>  arch/x86/boot/tools/build.c            | 223 +-------------------
>  5 files changed, 97 insertions(+), 286 deletions(-)

Applied to tip:x86/boot, thanks!

	Ingo
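
The layout properties the cover letter describes (4k section alignment, no section that is both writable and executable) can be checked from the PE/COFF headers alone. The following is an added example, not code from the series or the kernel tree; the function names, section sizes and the two constructed header blocks are assumptions made for illustration.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte PE/COFF section header

def audit_pe(image):
    """Return a list of findings for a PE/COFF image; empty means it passed."""
    try:
        if image[:2] != b"MZ":
            return ["missing MZ magic"]
        (pe_off,) = struct.unpack_from("<I", image, 0x3C)
        if image[pe_off:pe_off + 4] != b"PE\0\0":
            return ["missing PE signature"]
        # COFF file header: machine, section count, ..., optional header size
        _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
        opt_off = pe_off + 24
        # SectionAlignment is at offset 32 in both PE32 and PE32+ optional headers
        (sect_align,) = struct.unpack_from("<I", image, opt_off + 32)
        findings = []
        if sect_align < 0x1000:
            findings.append(f"SectionAlignment {sect_align:#x} is below 4k")
        for i in range(nsect):
            hdr = struct.unpack_from(SECTION_FMT, image, opt_off + opt_size + 40 * i)
            name, vaddr, flags = hdr[0].rstrip(b"\0").decode("ascii", "replace"), hdr[2], hdr[9]
            if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
                findings.append(f"{name}: writable and executable")
            if sect_align and vaddr % sect_align:
                findings.append(f"{name}: RVA {vaddr:#x} not section-aligned")
        return findings
    except struct.error:
        return ["truncated headers"]

def build_sample(sections, sect_align):
    """Constructed PE32+ header block (headers only) used as demo input."""
    opt = bytearray(112)                       # PE32+ optional header, no data directories
    struct.pack_into("<H", opt, 0, 0x20B)      # PE32+ magic
    struct.pack_into("<I", opt, 32, sect_align)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x0022)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    body = b"".join(struct.pack(SECTION_FMT, n, sz, va, sz, va, 0, 0, 0, 0, fl)
                    for n, va, sz, fl in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + body

# Constructed samples: split R+X .text / R+W .data at 4k, versus one RWX section at 0x20
HARDENED = build_sample([(b".text", 0x4000, 0xB00000, 0x60000020),
                         (b".data", 0xB04000, 0x2000, 0xC0000040)], 0x1000)
WEAK = build_sample([(b".text", 0x4000, 0xB02000, 0xE0000020)], 0x20)

if __name__ == "__main__":
    for label, img in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_pe(img) or "ok")
```

To audit a real build, pass the bytes of the EFI-stub kernel image to `audit_pe()`.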