Xen project Mailing List

Re: [PATCH v3 4/4] x86: Split .init section to satisfy UEFI CA memory mitigation

To: Frediano Ziglio <freddy77@xxxxxxxxx>

From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Date: Tue, 16 Jun 2026 13:20:42 +0200

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=fm1 header.d=invisiblethingslab.com header.i="@invisiblethingslab.com" header.h="Cc:Content-Type:Date:From:In-Reply-To:Message-ID:MIME-Version:References:Subject:To"; dkim=pass header.s=fm1 header.d=messagingengine.com header.i="@messagingengine.com" header.h="Cc:Content-Type:Date:Feedback-ID:From:In-Reply-To:Message-ID:MIME-Version:References:Subject:To:X-ME-Proxy:X-ME-Sender"

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, Frediano Ziglio <frediano.ziglio@xxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Teddy Astie <teddy.astie@xxxxxxxxxx>, Frediano Ziglio <frediano.ziglio@xxxxxxxxxx>

Delivery-date: Tue, 16 Jun 2026 11:20:55 +0000

Feedback-id: i1568416f:Fastmail

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Tue, Jun 16, 2026 at 11:13:36AM +0100, Frediano Ziglio wrote: > From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> > > Currently .init section is both writeable and executable, split data and code > to have 2 sections satisfying W^X rule. > > It is a requirement for NX_COMPAT so the PE can be loaded with W^X perms > in the pagetables. > > NX_COMPAT is a requirement from shim-review, > https://github.com/rhboot/shim-review#do-you-have-the-nx-bit-set-in-your-shim-if-so-is-your-entire-boot-stack-nx-compatible-and-what-testing-have-you-done-to-ensure-such-compatibility > > Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx> Acked-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> Is that the last piece necessary to satisfy the NX_COMPAT requirement? If so, I suppose a subsequent patch should actually set the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (IIUC ld --nxcompat option), right? > -- > Change since v1: > - update comment style. > --- > xen/arch/x86/xen.lds.S | 12 ++++-------- > 1 file changed, 4 insertions(+), 8 deletions(-) > > diff --git a/xen/arch/x86/xen.lds.S b/xen/arch/x86/xen.lds.S > index 749d9719cc..8fefda1816 100644 > --- a/xen/arch/x86/xen.lds.S > +++ b/xen/arch/x86/xen.lds.S > @@ -193,11 +193,7 @@ SECTIONS > __2M_init_start = .; /* Start of 2M superpages, mapped RWX (boot > only). */ > . = ALIGN(PAGE_SIZE); /* Init code and data */ > __init_begin = .; > -#ifdef EFI /* EFI wants to merge all of .init.* ELF doesn't. */ > - DECL_SECTION(.init) { > -#else > DECL_SECTION(.init.text) { > -#endif > _sinittext = .; > *(.init.multiboot) > *(.init.text) > @@ -210,12 +206,12 @@ SECTIONS > */ > *(.altinstr_replacement) > > -#ifdef EFI /* EFI wants to merge all of .init.* ELF doesn't. */ > - . = ALIGN(SMP_CACHE_BYTES); > -#else > } PHDR(text) > - DECL_SECTION(.init.data) { > +#ifdef EFI > + /* Align to satisfy UEFI CA memory mitigation. */ > + . = ALIGN(SECTION_ALIGN); > #endif > + DECL_SECTION(.init.data) { > *(.init.bss.stack_aligned) > *(.init.data.page_aligned) > > -- > 2.43.0 > -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.