From patchwork Fri Mar 10 12:50:23 2023
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 13169244
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Peter Jones, Gerd Hoffmann, Ilias Apalodimas, Kees Cook
Subject: [PATCH 0/3] efi: arm64: Set NX compat flag where appropriate
Date: Fri, 10 Mar 2023 13:50:23 +0100
Message-Id: <20230310125026.3390928-1-ardb@kernel.org>
X-Mailer: git-send-email 2.39.2
PE/COFF images that can tolerate running under a strict W^X policy when it
comes to firmware provided allocations should indicate so, by setting the
associated bit in the PE/COFF header.

Today, this makes little difference, but going forward, restricted policies
regarding secure boot and measured boot (e.g., MS Secured-core) may refuse to
run such images altogether.

Given that the zboot and arm64 EFI stub implementations do not rely on firmware
provided mappings being writable and executable at the same time, let's set
this bit.

Note that a change landed in v6.3 where we no longer tolerate this unless we
remap the relocated kernel code read-only/executable explicitly (patch #2).

Cc: Peter Jones
Cc: Gerd Hoffmann
Cc: Ilias Apalodimas
Cc: Kees Cook

Ard Biesheuvel (3):
  efi/libstub: zboot: Mark zboot EFI application as NX compatible
  efi/libstub: arm64: Remap relocated image with strict permissions
  arm64: efi: Set NX compat flag in PE/COFF header

 arch/arm64/kernel/efi-header.S              | 2 +-
 drivers/firmware/efi/libstub/arm64-stub.c   | 1 +
 drivers/firmware/efi/libstub/zboot-header.S | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)
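The bit the cover letter refers to is IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the DllCharacteristics field of the PE optional header. A reviewer or distro maintainer will want to confirm that a built Image or zboot binary actually carries it before relying on a firmware W^X policy. The following is an added example, not code from this series or from the kernel tree: a small PE/COFF header parser that reports the flag, plus a constructed minimal PE32+ EFI-application header used as sample input (the constants are the standard PE values; the field offsets follow the PE specification, where Subsystem and DllCharacteristics sit at optional-header offsets 68 and 70 in both PE32 and PE32+).

```python
import struct
import sys

# Standard PE/COFF constants (these are the published PE values, not
# something specific to this patch series).
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100   # image tolerates W^X firmware mappings
IMAGE_FILE_MACHINE_ARM64 = 0xAA64
IMAGE_SUBSYSTEM_EFI_APPLICATION = 10
PE32PLUS_MAGIC = 0x20B
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002


def parse_pe_header(data: bytes) -> dict:
    """Extract the header fields relevant to the NX-compat check from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 72:
        raise ValueError("optional header too short to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    # Subsystem (offset 68) and DllCharacteristics (offset 70) share the same
    # offsets in PE32 and PE32+ optional headers, so no branch on magic is needed.
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    return {
        "machine": machine,
        "characteristics": characteristics,
        "magic": magic,
        "subsystem": subsystem,
        "dll_characteristics": dll_chars,
    }


def is_nx_compat(data: bytes) -> bool:
    """True if the image declares NX compatibility in its PE header."""
    hdr = parse_pe_header(data)
    return bool(hdr["dll_characteristics"] & IMAGE_DLLCHARACTERISTICS_NX_COMPAT)


def build_sample_image(nx_compat: bool) -> bytes:
    """Constructed sample: a minimal PE32+ arm64 EFI-application header.

    This is not a real kernel image; it only carries enough header to
    exercise the parser above.
    """
    dll_chars = IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx_compat else 0
    opt = bytearray(240)                              # PE32+ optional header size
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<HH", opt, 68, IMAGE_SUBSYSTEM_EFI_APPLICATION, dll_chars)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_ARM64, 0, 0, 0, 0,
                       len(opt), IMAGE_FILE_EXECUTABLE_IMAGE)
    dos = bytearray(0x40)                             # DOS header, e_lfanew -> 0x40
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python check_nx_compat.py <image>   (falls back to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(True)
    h = parse_pe_header(blob)
    print("machine=0x%04x subsystem=%d dll_characteristics=0x%04x nx_compat=%s"
          % (h["machine"], h["subsystem"], h["dll_characteristics"], is_nx_compat(blob)))
```

Run against arch/arm64/boot/Image (or the zboot vmlinuz.efi) from a tree with and without this series to see the flag flip; an image reporting nx_compat=False is one a Secured-core style policy may later refuse to load, as the cover letter warns.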