[1/1] riscv: efi: Set NX compat flag in PE/COFF header

Message ID 20240929140233.211800-1-heinrich.schuchardt@canonical.com (mailing list archive)
State Accepted
Commit 22a159b2d2a18b2e63855679c6f689b4a2637375
Series [1/1] riscv: efi: Set NX compat flag in PE/COFF header

Checks

Context Check Description
conchuod/vmtest-for-next-PR success PR summary
conchuod/patch-1-test-1 success .github/scripts/patches/tests/build_rv32_defconfig.sh took 129.23s
conchuod/patch-1-test-2 success .github/scripts/patches/tests/build_rv64_clang_allmodconfig.sh took 1281.45s
conchuod/patch-1-test-3 success .github/scripts/patches/tests/build_rv64_gcc_allmodconfig.sh took 1541.75s
conchuod/patch-1-test-4 success .github/scripts/patches/tests/build_rv64_nommu_k210_defconfig.sh took 20.30s
conchuod/patch-1-test-5 success .github/scripts/patches/tests/build_rv64_nommu_virt_defconfig.sh took 22.66s
conchuod/patch-1-test-6 warning .github/scripts/patches/tests/checkpatch.sh took 0.42s
conchuod/patch-1-test-7 success .github/scripts/patches/tests/dtb_warn_rv64.sh took 41.86s
conchuod/patch-1-test-8 success .github/scripts/patches/tests/header_inline.sh took 0.00s
conchuod/patch-1-test-9 success .github/scripts/patches/tests/kdoc.sh took 0.56s
conchuod/patch-1-test-10 success .github/scripts/patches/tests/module_param.sh took 0.01s
conchuod/patch-1-test-11 success .github/scripts/patches/tests/verify_fixes.sh took 0.00s
conchuod/patch-1-test-12 success .github/scripts/patches/tests/verify_signedoff.sh took 0.03s

Commit Message

Heinrich Schuchardt Sept. 29, 2024, 2:02 p.m. UTC
The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
EFI binary does not rely on pages that are both executable and
writable.

The flag is used by some distro versions of GRUB to decide if the EFI
binary may be executed.

As the Linux kernel neither has RWX sections nor needs RWX pages for
relocation we should set the flag.

Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
---
 arch/riscv/kernel/efi-header.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Emil Renner Berthing Oct. 1, 2024, 10:56 a.m. UTC | #1
Heinrich Schuchardt wrote:
> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
> EFI binary does not rely on pages that are both executable and
> writable.
>
> The flag is used by some distro versions of GRUB to decide if the EFI
> binary may be executed.
>
> As the Linux kernel neither has RWX sections nor needs RWX pages for
> relocation we should set the flag.
>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

Makes sense to me. This was applied a year ago on arm64:

  3c66bb1918c2 ("arm64: efi: Set NX compat flag in PE/COFF header")

..and before that on x86

  24b72bb12e84 ("efi: x86: Set the NX-compatibility flag in the PE header")

Reviewed-by: Emil Renner Berthing <emil.renner.berthing@canonical.com>

> ---
>  arch/riscv/kernel/efi-header.S | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi-header.S
> index 515b2dfbca75..c5f17c2710b5 100644
> --- a/arch/riscv/kernel/efi-header.S
> +++ b/arch/riscv/kernel/efi-header.S
> @@ -64,7 +64,7 @@ extra_header_fields:
>  	.long	efi_header_end - _start			// SizeOfHeaders
>  	.long	0					// CheckSum
>  	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		// Subsystem
> -	.short	0					// DllCharacteristics
> +	.short	IMAGE_DLL_CHARACTERISTICS_NX_COMPAT	// DllCharacteristics
>  	.quad	0					// SizeOfStackReserve
>  	.quad	0					// SizeOfStackCommit
>  	.quad	0					// SizeOfHeapReserve
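Review bot: the added DllCharacteristics line is a declaration to the loader, not an enforced property, so the commit message's claim that the kernel has no RWX sections and needs no RWX pages for relocation carries the whole change, and this hunk does not show the section table it depends on. Suggest saying in the commit message how that was checked (for example, that no section header later in efi-header.S combines write and execute characteristics), and, given the Cc to stable, confirming the same holds in each stable tree that takes the backport.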
> --
> 2.45.2
>
>
> _______________________________________________
> linux-riscv mailing list
> linux-riscv@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/linux-riscv
Alexandre Ghiti Oct. 1, 2024, 1:51 p.m. UTC | #2
Hi Heinrich,

On 29/09/2024 16:02, Heinrich Schuchardt wrote:
> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
> EFI binary does not rely on pages that are both executable and
> writable.
>
> The flag is used by some distro versions of GRUB to decide if the EFI
> binary may be executed.
>
> As the Linux kernel neither has RWX sections nor needs RWX pages for
> relocation we should set the flag.
>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
> ---
>   arch/riscv/kernel/efi-header.S | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi-header.S
> index 515b2dfbca75..c5f17c2710b5 100644
> --- a/arch/riscv/kernel/efi-header.S
> +++ b/arch/riscv/kernel/efi-header.S
> @@ -64,7 +64,7 @@ extra_header_fields:
>   	.long	efi_header_end - _start			// SizeOfHeaders
>   	.long	0					// CheckSum
>   	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		// Subsystem
> -	.short	0					// DllCharacteristics
> +	.short	IMAGE_DLL_CHARACTERISTICS_NX_COMPAT	// DllCharacteristics
>   	.quad	0					// SizeOfStackReserve
>   	.quad	0					// SizeOfStackCommit
>   	.quad	0					// SizeOfHeapReserve


I don't understand if this fixes something or not: what could go wrong 
if we don't do this?

Thanks,

Alex
Heinrich Schuchardt Oct. 1, 2024, 3:24 p.m. UTC | #3
On 01.10.24 15:51, Alexandre Ghiti wrote:
> Hi Heinrich,
> 
> On 29/09/2024 16:02, Heinrich Schuchardt wrote:
>> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
>> EFI binary does not rely on pages that are both executable and
>> writable.
>>
>> The flag is used by some distro versions of GRUB to decide if the EFI
>> binary may be executed.
>>
>> As the Linux kernel neither has RWX sections nor needs RWX pages for
>> relocation we should set the flag.
>>
>> Cc: Ard Biesheuvel <ardb@kernel.org>
>> Cc: <stable@vger.kernel.org>
>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
>> ---
>>   arch/riscv/kernel/efi-header.S | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi- 
>> header.S
>> index 515b2dfbca75..c5f17c2710b5 100644
>> --- a/arch/riscv/kernel/efi-header.S
>> +++ b/arch/riscv/kernel/efi-header.S
>> @@ -64,7 +64,7 @@ extra_header_fields:
>>       .long    efi_header_end - _start            // SizeOfHeaders
>>       .long    0                    // CheckSum
>>       .short    IMAGE_SUBSYSTEM_EFI_APPLICATION        // Subsystem
>> -    .short    0                    // DllCharacteristics
>> +    .short    IMAGE_DLL_CHARACTERISTICS_NX_COMPAT    // 
>> DllCharacteristics
>>       .quad    0                    // SizeOfStackReserve
>>       .quad    0                    // SizeOfStackCommit
>>       .quad    0                    // SizeOfHeapReserve
> 
> 
> I don't understand if this fixes something or not: what could go wrong 
> if we don't do this?
> 
> Thanks,
> 
> Alex
> 


Hello Alexandre,

https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-ca-memory-mitigation-requirements
describes Microsoft's effort to improve security by avoiding memory 
pages that are both executable and writable.

IMAGE_DLL_CHARACTERISTICS_NX_COMPAT is an assertion by the EFI binary 
that it does not use RWX pages. It may use the 
EFI_MEMORY_ATTRIBUTE_PROTOCOL to set whether a page is writable or 
executable (but not both).

When using secure boot, compliant firmware will not allow loading a 
binary if the flag is not set.

Best regards

Heinrich
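A check of the kind a loader or a build pipeline could run on the claim described above, as an added example that is not part of the original thread or of any project's code: it reads DllCharacteristics from a PE/COFF header and cross-checks the NX_COMPAT claim against the section flags. The function names and the sample headers are constructed for illustration; the constant values are the ones defined by the PE/COFF specification.

```python
import struct

NX_COMPAT = 0x0100            # IMAGE_DLLCHARACTERISTICS_NX_COMPAT (PE/COFF spec value)
SCN_MEM_EXECUTE = 0x20000000  # IMAGE_SCN_MEM_EXECUTE
SCN_MEM_WRITE = 0x80000000    # IMAGE_SCN_MEM_WRITE


def check_nx(image: bytes) -> dict:
    """Report the NX_COMPAT claim and any section mapped writable and executable."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)   # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    try:
        (n_sections,) = struct.unpack_from("<H", image, coff + 2)
        (opt_size,) = struct.unpack_from("<H", image, coff + 16)
        opt = coff + 20
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B) or opt_size < 72:
            raise ValueError("unsupported or truncated optional header")
        # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
        (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
        rwx = []
        for i in range(n_sections):
            base = opt + opt_size + 40 * i          # 40-byte section headers
            name, flags = struct.unpack_from("<8s28xI", image, base)
            if flags & SCN_MEM_EXECUTE and flags & SCN_MEM_WRITE:
                rwx.append(name.rstrip(b"\0").decode("ascii", "replace"))
    except struct.error as exc:
        raise ValueError("truncated header") from exc
    nx = bool(dll_chars & NX_COMPAT)
    # The flag is only a claim; it is contradicted if a W+X section exists.
    return {"nx_compat": nx, "rwx_sections": rwx, "claim_holds": not (nx and rwx)}


def build_sample(dll_chars: int, sections) -> bytes:
    """Constructed minimal PE32+ header for the demo (not a bootable image)."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    # Machine 0x5064 is IMAGE_FILE_MACHINE_RISCV64; optional header is 112 bytes.
    coff = struct.pack("<HHIIIHH", 0x5064, len(sections), 0, 0, 0, 112, 0x0002)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<H", opt, 68, 10)         # IMAGE_SUBSYSTEM_EFI_APPLICATION
    struct.pack_into("<H", opt, 70, dll_chars)
    table = b"".join(struct.pack("<8s28xI", n, f) for n, f in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    rx_rw = [(b".text", 0x60000020), (b".data", 0xC0000040)]  # R+X code, R+W data
    samples = [("DllCharacteristics 0", build_sample(0, rx_rw)),
               ("NX_COMPAT set", build_sample(NX_COMPAT, rx_rw)),
               ("NX_COMPAT set, W+X .text", build_sample(NX_COMPAT, [(b".text", 0xE0000020)]))]
    for label, img in samples:
        print(label, check_nx(img))
```

The third sample shows why the flag alone is not evidence: a header can set NX_COMPAT while still declaring a section that is both writable and executable.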
Alexandre Ghiti Oct. 9, 2024, 7:34 a.m. UTC | #4
Hi Heinrich,

On 01/10/2024 17:24, Heinrich Schuchardt wrote:
> On 01.10.24 15:51, Alexandre Ghiti wrote:
>> Hi Heinrich,
>>
>> On 29/09/2024 16:02, Heinrich Schuchardt wrote:
>>> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
>>> EFI binary does not rely on pages that are both executable and
>>> writable.
>>>
>>> The flag is used by some distro versions of GRUB to decide if the EFI
>>> binary may be executed.
>>>
>>> As the Linux kernel neither has RWX sections nor needs RWX pages for
>>> relocation we should set the flag.
>>>
>>> Cc: Ard Biesheuvel <ardb@kernel.org>
>>> Cc: <stable@vger.kernel.org>
>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
>>> ---
>>>   arch/riscv/kernel/efi-header.S | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi- 
>>> header.S
>>> index 515b2dfbca75..c5f17c2710b5 100644
>>> --- a/arch/riscv/kernel/efi-header.S
>>> +++ b/arch/riscv/kernel/efi-header.S
>>> @@ -64,7 +64,7 @@ extra_header_fields:
>>>       .long    efi_header_end - _start            // SizeOfHeaders
>>>       .long    0                    // CheckSum
>>>       .short    IMAGE_SUBSYSTEM_EFI_APPLICATION        // Subsystem
>>> -    .short    0                    // DllCharacteristics
>>> +    .short    IMAGE_DLL_CHARACTERISTICS_NX_COMPAT    // 
>>> DllCharacteristics
>>>       .quad    0                    // SizeOfStackReserve
>>>       .quad    0                    // SizeOfStackCommit
>>>       .quad    0                    // SizeOfHeapReserve
>>
>>
>> I don't understand if this fixes something or not: what could go 
>> wrong if we don't do this?
>>
>> Thanks,
>>
>> Alex
>>
>
>
> Hello Alexandre,
>
> https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-ca-memory-mitigation-requirements 
>
> describes Microsoft's effort to improve security by avoiding memory 
> pages that are both executable and writable.
>
> IMAGE_DLL_CHARACTERISTICS_NX_COMPAT is an assertion by the EFI binary 
> that it does not use RWX pages. It may use the 
> EFI_MEMORY_ATTRIBUTE_PROTOCOL to set whether a page is writable or 
> executable (but not both).
>
> When using secure boot, compliant firmware will not allow loading a 
> binary if the flag is not set.


Great, so that's a necessary fix, it will get merged in the next rc or so:

Fixes: cb7d2dd5612a ("RISC-V: Add PE/COFF header for EFI stub")

Thanks,

Alex


>
> Best regards
>
> Heinrich
>
Ard Biesheuvel Oct. 9, 2024, 7:38 a.m. UTC | #5
On Sun, 29 Sept 2024 at 16:02, Heinrich Schuchardt
<heinrich.schuchardt@canonical.com> wrote:
>
> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
> EFI binary does not rely on pages that are both executable and
> writable.
>
> The flag is used by some distro versions of GRUB to decide if the EFI
> binary may be executed.
>
> As the Linux kernel neither has RWX sections nor needs RWX pages for
> relocation we should set the flag.
>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>

Acked-by: Ard Biesheuvel <ardb@kernel.org>


> ---
>  arch/riscv/kernel/efi-header.S | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi-header.S
> index 515b2dfbca75..c5f17c2710b5 100644
> --- a/arch/riscv/kernel/efi-header.S
> +++ b/arch/riscv/kernel/efi-header.S
> @@ -64,7 +64,7 @@ extra_header_fields:
>         .long   efi_header_end - _start                 // SizeOfHeaders
>         .long   0                                       // CheckSum
>         .short  IMAGE_SUBSYSTEM_EFI_APPLICATION         // Subsystem
> -       .short  0                                       // DllCharacteristics
> +       .short  IMAGE_DLL_CHARACTERISTICS_NX_COMPAT     // DllCharacteristics
>         .quad   0                                       // SizeOfStackReserve
>         .quad   0                                       // SizeOfStackCommit
>         .quad   0                                       // SizeOfHeapReserve
> --
> 2.45.2
>
Heinrich Schuchardt Oct. 9, 2024, 7:47 a.m. UTC | #6
On 09.10.24 09:34, Alexandre Ghiti wrote:
> Hi Heinrich,
> 
> On 01/10/2024 17:24, Heinrich Schuchardt wrote:
>> On 01.10.24 15:51, Alexandre Ghiti wrote:
>>> Hi Heinrich,
>>>
>>> On 29/09/2024 16:02, Heinrich Schuchardt wrote:
>>>> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
>>>> EFI binary does not rely on pages that are both executable and
>>>> writable.
>>>>
>>>> The flag is used by some distro versions of GRUB to decide if the EFI
>>>> binary may be executed.
>>>>
>>>> As the Linux kernel neither has RWX sections nor needs RWX pages for
>>>> relocation we should set the flag.
>>>>
>>>> Cc: Ard Biesheuvel <ardb@kernel.org>
>>>> Cc: <stable@vger.kernel.org>
>>>> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
>>>> ---
>>>>   arch/riscv/kernel/efi-header.S | 2 +-
>>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi- 
>>>> header.S
>>>> index 515b2dfbca75..c5f17c2710b5 100644
>>>> --- a/arch/riscv/kernel/efi-header.S
>>>> +++ b/arch/riscv/kernel/efi-header.S
>>>> @@ -64,7 +64,7 @@ extra_header_fields:
>>>>       .long    efi_header_end - _start            // SizeOfHeaders
>>>>       .long    0                    // CheckSum
>>>>       .short    IMAGE_SUBSYSTEM_EFI_APPLICATION        // Subsystem
>>>> -    .short    0                    // DllCharacteristics
>>>> +    .short    IMAGE_DLL_CHARACTERISTICS_NX_COMPAT    // 
>>>> DllCharacteristics
>>>>       .quad    0                    // SizeOfStackReserve
>>>>       .quad    0                    // SizeOfStackCommit
>>>>       .quad    0                    // SizeOfHeapReserve
>>>
>>>
>>> I don't understand if this fixes something or not: what could go 
>>> wrong if we don't do this?
>>>
>>> Thanks,
>>>
>>> Alex
>>>
>>
>>
>> Hello Alexandre,
>>
>> https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/ 
>> uefi-ca-memory-mitigation-requirements
>> describes Microsoft's effort to improve security by avoiding memory 
>> pages that are both executable and writable.
>>
>> IMAGE_DLL_CHARACTERISTICS_NX_COMPAT is an assertion by the EFI binary 
>> that it does not use RWX pages. It may use the 
>> EFI_MEMORY_ATTRIBUTE_PROTOCOL to set whether a page is writable or 
>> executable (but not both).
>>
>> When using secure boot, compliant firmware will not allow loading a 
>> binary if the flag is not set.
> 
> 
> Great, so that's a necessary fix, it will get merged in the next rc or so:
> 
> Fixes: cb7d2dd5612a ("RISC-V: Add PE/COFF header for EFI stub")

Thanks for reviewing.

At the time of commit cb7d2dd5612a (2020-10-02) the requirement did not 
exist. I guess a Fixes: tag is not applicable under these circumstances.

Best regards

Heinrich
Alexandre Ghiti Oct. 9, 2024, 7:52 a.m. UTC | #7
On 09/10/2024 09:47, Heinrich Schuchardt wrote:
> On 09.10.24 09:34, Alexandre Ghiti wrote:
>> Hi Heinrich,
>>
>> On 01/10/2024 17:24, Heinrich Schuchardt wrote:
>>> On 01.10.24 15:51, Alexandre Ghiti wrote:
>>>> Hi Heinrich,
>>>>
>>>> On 29/09/2024 16:02, Heinrich Schuchardt wrote:
>>>>> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
>>>>> EFI binary does not rely on pages that are both executable and
>>>>> writable.
>>>>>
>>>>> The flag is used by some distro versions of GRUB to decide if the EFI
>>>>> binary may be executed.
>>>>>
>>>>> As the Linux kernel neither has RWX sections nor needs RWX pages for
>>>>> relocation we should set the flag.
>>>>>
>>>>> Cc: Ard Biesheuvel <ardb@kernel.org>
>>>>> Cc: <stable@vger.kernel.org>
>>>>> Signed-off-by: Heinrich Schuchardt 
>>>>> <heinrich.schuchardt@canonical.com>
>>>>> ---
>>>>>   arch/riscv/kernel/efi-header.S | 2 +-
>>>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>>>
>>>>> diff --git a/arch/riscv/kernel/efi-header.S 
>>>>> b/arch/riscv/kernel/efi- header.S
>>>>> index 515b2dfbca75..c5f17c2710b5 100644
>>>>> --- a/arch/riscv/kernel/efi-header.S
>>>>> +++ b/arch/riscv/kernel/efi-header.S
>>>>> @@ -64,7 +64,7 @@ extra_header_fields:
>>>>>       .long    efi_header_end - _start            // SizeOfHeaders
>>>>>       .long    0                    // CheckSum
>>>>>       .short    IMAGE_SUBSYSTEM_EFI_APPLICATION        // Subsystem
>>>>> -    .short    0                    // DllCharacteristics
>>>>> +    .short    IMAGE_DLL_CHARACTERISTICS_NX_COMPAT    // 
>>>>> DllCharacteristics
>>>>>       .quad    0                    // SizeOfStackReserve
>>>>>       .quad    0                    // SizeOfStackCommit
>>>>>       .quad    0                    // SizeOfHeapReserve
>>>>
>>>>
>>>> I don't understand if this fixes something or not: what could go 
>>>> wrong if we don't do this?
>>>>
>>>> Thanks,
>>>>
>>>> Alex
>>>>
>>>
>>>
>>> Hello Alexandre,
>>>
>>> https://learn.microsoft.com/en-us/windows-hardware/drivers/bringup/ 
>>> uefi-ca-memory-mitigation-requirements
>>> describes Microsoft's effort to improve security by avoiding memory 
>>> pages that are both executable and writable.
>>>
>>> IMAGE_DLL_CHARACTERISTICS_NX_COMPAT is an assertion by the EFI 
>>> binary that it does not use RWX pages. It may use the 
>>> EFI_MEMORY_ATTRIBUTE_PROTOCOL to set whether a page is writable or 
>>> executable (but not both).
>>>
>>> When using secure boot, compliant firmware will not allow loading a 
>>> binary if the flag is not set.
>>
>>
>> Great, so that's a necessary fix, it will get merged in the next rc 
>> or so:
>>
>> Fixes: cb7d2dd5612a ("RISC-V: Add PE/COFF header for EFI stub")
>
> Thanks for reviewing.
>
> At the time of commit cb7d2dd5612a (2020-10-02) the requirement did 
> not exist. I guess a Fixes: tag is not applicable under these 
> circumstances.


Hmm ok, indeed that would be weird since it is not the culprit, I'll 
remove it and it will simply fail to apply for kernels before this 
commit, no big deal I guess.

Thanks again Heinrich!

Alex


>
> Best regards
>
> Heinrich
patchwork-bot+linux-riscv@kernel.org Oct. 17, 2024, 4:30 p.m. UTC | #8
Hello:

This patch was applied to riscv/linux.git (fixes)
by Palmer Dabbelt <palmer@rivosinc.com>:

On Sun, 29 Sep 2024 16:02:33 +0200 you wrote:
> The IMAGE_DLLCHARACTERISTICS_NX_COMPAT informs the firmware that the
> EFI binary does not rely on pages that are both executable and
> writable.
> 
> The flag is used by some distro versions of GRUB to decide if the EFI
> binary may be executed.
> 
> [...]

Here is the summary with links:
  - [1/1] riscv: efi: Set NX compat flag in PE/COFF header
    https://git.kernel.org/riscv/c/22a159b2d2a1

You are awesome, thank you!

Patch

diff --git a/arch/riscv/kernel/efi-header.S b/arch/riscv/kernel/efi-header.S
index 515b2dfbca75..c5f17c2710b5 100644
--- a/arch/riscv/kernel/efi-header.S
+++ b/arch/riscv/kernel/efi-header.S
@@ -64,7 +64,7 @@  extra_header_fields:
 	.long	efi_header_end - _start			// SizeOfHeaders
 	.long	0					// CheckSum
 	.short	IMAGE_SUBSYSTEM_EFI_APPLICATION		// Subsystem
-	.short	0					// DllCharacteristics
+	.short	IMAGE_DLL_CHARACTERISTICS_NX_COMPAT	// DllCharacteristics
 	.quad	0					// SizeOfStackReserve
 	.quad	0					// SizeOfStackCommit
 	.quad	0					// SizeOfHeapReserve
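Review bot: the symbol on the added line is spelled IMAGE_DLL_CHARACTERISTICS_NX_COMPAT, while the first sentence of the commit message calls it IMAGE_DLLCHARACTERISTICS_NX_COMPAT. Suggest using the spelling from the code in the commit message as well, so that a search of the history for the symbol finds this commit. It would also help to name in the message the header that provides the constant, since the hunk shows no include and the patch is Cc'd to stable, where that definition has to exist for the file to assemble.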