From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Laszlo Ersek <lersek@redhat.com>
Cc: "Yao, Jiewen" <jiewen.yao@intel.com>,
"edk2-devel@lists.01.org" <edk2-devel@ml01.01.org>,
"Gao, Liming" <liming.gao@intel.com>
Subject: Re: [PATCH] MdeModulePkg/DxeCore: base code protection on permission attributes
Date: Fri, 17 Mar 2017 12:11:10 +0000 [thread overview]
Message-ID: <CAKv+Gu8iP+86iAxke1vYKL0-4VocmAftMjOBUH5jfvAW8-FUxA@mail.gmail.com> (raw)
In-Reply-To: <262ebc4d-629c-3437-2146-f4c0e5723f1a@redhat.com>
On 17 March 2017 at 12:07, Laszlo Ersek <lersek@redhat.com> wrote:
> On 02/26/17 15:00, Ard Biesheuvel wrote:
>> On 25 February 2017 at 04:04, Yao, Jiewen <jiewen.yao@intel.com> wrote:
>>> Hi Ard
>>> I agree with you on this enhancement.
>>>
>>> I prefer to adding the description as comment in the code, so that people
>>> can get clear picture when he/she reads the code.
>>>
>>> //
>>> // Instead of assuming that a PE/COFF section of type EFI_IMAGE_SCN_CNT_CODE
>>> // can always be mapped read-only, classify a section as a code section only
>>> // if it has the executable attribute set and the writable attribute
>>> cleared.
>>> //
>>> // This adheres more closely to the PE/COFF spec, and avoids issues with
>>> // Linux OS loaders that consists of a single read/write/execute section.
>>> //
>>> if ((Section[Index].Characteristics & (EFI_IMAGE_SCN_MEM_WRITE |
>>> EFI_IMAGE_SCN_MEM_EXECUTE)) == EFI_IMAGE_SCN_MEM_EXECUTE) {
>>>
>>> With comment update, reviewed-by: Jiewen.yao@intel.com
>>>
>>
>> Thanks Jiewen
>>
>> Pushed as a2ed40c02bf2
>
> Is it possible that (recent?) Linux EFI stubs (aarch64) don't pass the
> above check? I got a report from a colleague:
>
> !!!!!!!! ProtectUefiImageCommon - CodeSegmentCount is 0 !!!!!!!!
> EFI stub: Booting Linux Kernel...
> EFI stub: Using DTB from configuration table
> EFI stub: Exiting boot services and installing virtual address map...
>
> I tried to reproduce it with "4.5.0-15.el7.aarch64", and with
> "4.8.7-300.fc25.aarch64", and I'm not seeing the message with either.
>
> I asked him about the exact kernel version (no answer yet, his workday
> hasn't started yet).
>
Well, the warning may be a bit loud, but this is expected behavior. I
expect to be able to queue the linux/arm64 changes that split the
PE/COFF sections and align them to 4 KB for v4.12, and so current
kernels all consists of a single rwx section, which does not qualify
as a code section.
> Any idea how I could validate the section headers of a (decompressed)
> kernel image? I tried "aarch64-linux-gnu-objdump --section-headers", but
> it doesn't recognize the image.
>
It's a PE/COFF image not an ELF image.
next prev parent reply other threads:[~2017-03-17 12:11 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-24 17:51 [PATCH] MdeModulePkg/DxeCore: base code protection on permission attributes Ard Biesheuvel
2017-02-25 4:04 ` Yao, Jiewen
2017-02-26 14:00 ` Ard Biesheuvel
2017-03-17 12:07 ` Laszlo Ersek
2017-03-17 12:11 ` Ard Biesheuvel [this message]
2017-03-17 12:35 ` Laszlo Ersek
2017-03-17 13:23 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu8iP+86iAxke1vYKL0-4VocmAftMjOBUH5jfvAW8-FUxA@mail.gmail.com \
--to=devel@edk2.groups.io \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox