| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMj1kXHTtGP-UcJLut7OVUuULzg59npyoQhb+kuCZO5x-2NYWA@mail.gmail.com> Date: Tue, 29 Apr 2025 12:08:41 +0200 From: Ard Biesheuvel <ardb@...nel.org> To: Vitaly Kuznetsov <vkuznets@...hat.com> Cc: x86@...nel.org, linux-efi@...r.kernel.org, Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Dave Hansen <dave.hansen@...ux.intel.com>, "H. Peter Anvin" <hpa@...or.com>, Peter Jones <pjones@...hat.com>, Daniel Berrange <berrange@...hat.com>, Emanuele Giuseppe Esposito <eesposit@...hat.com>, Gerd Hoffmann <kraxel@...hat.com>, Greg KH <gregkh@...uxfoundation.org>, Luca Boccassi <bluca@...ian.org>, Peter Zijlstra <peterz@...radead.org>, Matthew Garrett <mjg59@...f.ucam.org>, James Bottomley <James.Bottomley@...senpartnership.com>, Eric Snowberg <eric.snowberg@...cle.com>, Paolo Bonzini <pbonzini@...hat.com>, Paul Walmsley <paul.walmsley@...ive.com>, Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, Alexandre Ghiti <alex@...ti.fr>, linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] x86/efi: Implement support for embedding SBAT data for x86 On Tue, 29 Apr 2025 at 11:55, Vitaly Kuznetsov <vkuznets@...hat.com> wrote: > > Ard Biesheuvel <ardb@...nel.org> writes: > > > On Thu, 24 Apr 2025 at 10:10, Vitaly Kuznetsov <vkuznets@...hat.com> wrote: > > ... > > >> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile > >> index fdbce022db55..b9b80eccdc02 100644 > >> --- a/arch/x86/boot/compressed/Makefile > >> +++ b/arch/x86/boot/compressed/Makefile > >> @@ -107,6 +107,8 @@ vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/mem.o > >> vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o > >> vmlinux-libs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a > >> > >> +vmlinux-objs-$(CONFIG_EFI_SBAT) += $(objtree)/drivers/firmware/efi/libstub/sbat.o > >> + > > > > Please drop this, and put the .incbin directly into header.S > > > > I'm sorry I'm probably missing something important but my understanding > is that that header.S is compiled into setup.elf: > > ld -m elf_x86_64 -z noexecstack --no-warn-rwx-segments -m elf_i386 -z > noexecstack -T arch/x86/boot/setup.ld ... arch/x86/boot/header.o ... -o arch/x86/boot/setup.elf > > and then the result gets concatenated with vmlinux.bin to get bzImage: > > objcopy -O binary arch/x86/boot/setup.elf arch/x86/boot/setup.bin > cp arch/x86/boot/setup.bin arch/x86/boot/bzImage; truncate -s %4K arch/x86/boot/bzImage; cat arch/x86/boot/vmlinux.bin >>arch/x86/boot/bzImage > > so if we want to have SBAT at the very end of bzImage without dirty > tricks it must be at the very end of vmlinux.bin, not setup.bin. I can, > of course, use some existing compilation unit but to be honest I can't > find anything suitable. > Yeah, you're right. I keep forgetting the insane way the bzImage is put together. So you'll need to incorporate $(CONFIG_EFI_SBAT_FILE) into arch/x86/boot/vmlinux. But that does not mean it needs to be constructed under drivers/firmware/efi/libstub, and it also doesn't mean you need filechk and a separate .o file, right?
Powered by blists - more mailing lists