|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [PATCH v3 4/4] x86: Split .init section to satisfy UEFI CA memory mitigation
On Tue, Jun 16, 2026 at 03:58:27PM +0100, Andrew Cooper wrote: > On 16/06/2026 12:20 pm, Marek Marczykowski-Górecki wrote: > > On Tue, Jun 16, 2026 at 11:13:36AM +0100, Frediano Ziglio wrote: > >> From: Frediano Ziglio <frediano.ziglio@xxxxxxxxx> > >> > >> Currently .init section is both writeable and executable, split data and > >> code > >> to have 2 sections satisfying W^X rule. > >> > >> It is a requirement for NX_COMPAT so the PE can be loaded with W^X perms > >> in the pagetables. > >> > >> NX_COMPAT is a requirement from shim-review, > >> https://github.com/rhboot/shim-review#do-you-have-the-nx-bit-set-in-your-shim-if-so-is-your-entire-boot-stack-nx-compatible-and-what-testing-have-you-done-to-ensure-such-compatibility > >> > >> Signed-off-by: Frediano Ziglio <frediano.ziglio@xxxxxxxxxx> > > Acked-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> > > > > Is that the last piece necessary to satisfy the NX_COMPAT requirement? If > > so, I suppose a subsequent patch should actually set the > > IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (IIUC ld --nxcompat option), right? > > The manpage says: > > --nxcompat > --disable-nxcompat > The image is compatible with the Data Execution Prevention. > This feature was introduced with MS Windows XP SP2 for i386 PE targets. > The option is enabled by default. > > It turns out that Xen is being marked NX_COMPAT even prior to this > series, which is deeply suspicious as it has an RWX init section. My reading of binutils sources says it's enabled by default only for mingw target. And indeed, inspection of xen.efi says only DYNAMIC_BASE is set. -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab Attachment:
signature.asc
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |