Re: [PATCH v3 1/4] Align relevant sections to 4KB
On Tue, Jun 16, 2026 at 03:38:53PM +0100, Frediano Ziglio wrote:
> On Tue, 16 Jun 2026 at 13:27, Jan Beulich <jbeulich@xxxxxxxx> wrote:
> >
> > On 16.06.2026 12:13, Frediano Ziglio wrote:
> > > From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx>
> > >
> > > Required by UEFI CA memory mitigation.
> > >
> > > It is a requirement for NX_COMPAT so the PE can be loaded with W^X perms
> > > in the pagetables.
> > >
> > > NX_COMPAT is a requirement from shim-review,
> > > https://github.com/rhboot/shim-review#do-you-have-the-nx-bit-set-in-your-shim-if-so-is-your-entire-boot-stack-nx-compatible-and-what-testing-have-you-done-to-ensure-such-compatibility
> > >
> > > Sections with different permissions must be in separate pages.
> > > In the case of debug sections they are contiguous and have the same
> > > permissions so it's not an issue if they are not aligned to the page.
> >
> > What if .debug_* starts in the middle of a page? Aren't you further
> > relying on .debug_* to be r/o (i.e. neither X nor W)? (Right now
> > .reloc is what comes immediately ahead of .debug_*, and that's r/o
> > as well, so not an issue in practice for now. Yet as indicated, the
> > description here wants to be usable as a reference when this later
> > needs extending / revisiting.)
> >
> > Jan
>
> Can you suggest a better wording?
> Practically I think before the .debug section you could have the
> .reloc or the SBAT, either are permission-compatible. If in the future
> we break it for some reason we'll fix it again.

Once all of the relevant SB work is upstream, I would definitely want to
have a test in CI for that. We already have a test for booting xen.efi,
extending it to try SB-signed one should not be too hard (famous last
words...).

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
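The page-sharing rule discussed in this thread, as an added example that is not part of the thread or of the Xen tree: a check over a PE section table that reports sections with different R/W/X permissions touching the same 4 KiB page, plus any section that is both writable and executable. The section names, addresses and sizes are constructed for illustration (`.wdata` is hypothetical); the layout mirrors the case raised above, where `.debug_*` starts mid-page directly after a read-only `.reloc`.

```python
# Added example; the section tables below are constructed, not read from xen.efi.
from collections import namedtuple

PAGE = 0x1000
# PE section characteristics bits (IMAGE_SCN_MEM_EXECUTE / _READ / _WRITE).
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
PERM_MASK = MEM_EXECUTE | MEM_READ | MEM_WRITE
Section = namedtuple("Section", "name vaddr vsize flags")

def perms(flags):
    """Render the R/W/X bits of a characteristics value, e.g. 'r-x'."""
    return "".join(c if flags & bit else "-" for c, bit in
                   (("r", MEM_READ), ("w", MEM_WRITE), ("x", MEM_EXECUTE)))

def pages(sec):
    """Set of 4 KiB page numbers touched by a section's in-memory range."""
    if sec.vsize == 0:
        return set()
    return set(range(sec.vaddr // PAGE, (sec.vaddr + sec.vsize - 1) // PAGE + 1))

def wx_violations(sections):
    """Findings that prevent mapping the image with W^X page permissions."""
    findings = []
    for s in sections:
        if s.flags & MEM_WRITE and s.flags & MEM_EXECUTE:
            findings.append(f"{s.name}: section is both writable and executable")
    ordered = sorted(sections, key=lambda s: s.vaddr)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            shared = pages(a) & pages(b)
            if shared and (a.flags ^ b.flags) & PERM_MASK:
                findings.append(f"{a.name} ({perms(a.flags)}) and {b.name} "
                                f"({perms(b.flags)}) share page {min(shared) * PAGE:#x}")
    return findings

# OK_LAYOUT: .debug_info starts mid-page after .reloc, both read-only, so no finding.
# BAD_LAYOUT: a hypothetical writable section sits ahead of .debug_info instead.
RO, RX, RW = MEM_READ, MEM_READ | MEM_EXECUTE, MEM_READ | MEM_WRITE
OK_LAYOUT = [Section(".text", 0x1000, 0x2f00, RX), Section(".rodata", 0x4000, 0x800, RO),
             Section(".data", 0x5000, 0x1000, RW), Section(".reloc", 0x6000, 0x234, RO),
             Section(".debug_info", 0x6240, 0x3000, RO)]
BAD_LAYOUT = OK_LAYOUT[:3] + [Section(".wdata", 0x6000, 0x234, RW),
                              Section(".debug_info", 0x6240, 0x3000, RO)]

if __name__ == "__main__":
    for label, layout in (("ok", OK_LAYOUT), ("bad", BAD_LAYOUT)):
        print(label, wx_violations(layout) or "no findings")
```

A CI job could build the same section list from the linked image's headers and fail when the returned list is non-empty.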