Enable the NX compatibility flag by default.
Currently by default, when we build shim we do not set the PE
NX-compatibility DLL Characteristic flag.  This signifies to the
firmware that shim (including the components it loads) is not prepared
for several related firmware changes:

- non-executable stack
- non-executable pages from AllocatePages()/AllocatePool()/etc.
- non-writable 0 page (not strictly related but some firmware will be
  transitioning at the same time)
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
  permissions.

This patch changes that default to be enabled by default.  Distributors
of shim will need to ensure that either their builds disable this bit
(using "post-process-pe -N"), or that the bootloaders and kernels you
support loading are all compliant with this change.  A new make
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.

Signed-off-by: Peter Jones <pjones@redhat.com>
vathpela authored and jsetje committed Jan 27, 2023
1 parent 657b248 commit 7c76425
Showing 4 changed files with 7 additions and 2 deletions.
3 changes: 3 additions & 0 deletions BUILDING
Expand Up @@ -78,6 +78,9 @@ Variables you could set to customize the build:
- OSLABEL
This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
By default this is the same value as EFIDIR .
- POST_PROCESS_PE_FLAGS
This allows you to add flags to the invocation of "post-process-pe", for
example to disable the NX compatibility flag.

Vendor SBAT data:
It will sometimes be requested by reviewers that a build includes extra
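Review bot: The new POST_PROCESS_PE_FLAGS entry says the variable can be used to disable the NX compatibility flag but never names the flag itself; the commit message gives it as `post-process-pe -N`, so this entry should show the exact invocation, for example `make POST_PROCESS_PE_FLAGS=-N`, and state what disabling it means (the built shim then tells firmware that it and everything it loads are not NX-ready), so that distributors only opt out when a bootloader or kernel they ship is genuinely not yet compliant.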
2 changes: 2 additions & 0 deletions Make.defaults
Expand Up @@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
$(INCLUDES) \
$(DEFINES)
POST_PROCESS_PE_FLAGS =
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
DEFINES += -DOVERRIDE_SECURITY_POLICY
endif
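Review bot: `POST_PROCESS_PE_FLAGS =` is an unconditional assignment, so a value exported in the environment (as opposed to one given on the make command line) is silently replaced by the empty default; since the code right below already uses `$(origin ...)` to detect caller-supplied settings such as OVERRIDE_SECURITY_POLICY, consider `POST_PROCESS_PE_FLAGS ?=` so that both ways of passing `-N` are honoured and a distributor does not ship an NX-flagged shim merely because their build script set the variable in the environment.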
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -255,7 +255,7 @@ endif
-j .rela* -j .dyn -j .reloc -j .eh_frame \
-j .vendor_cert -j .sbat -j .sbatlevel \
$(FORMAT) $< $@
./post-process-pe -vv $@
./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@

ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
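Review bot: `./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@` rewrites the objcopy output in place, so if post-process-pe exits non-zero the `.efi` produced by the preceding objcopy step is left on disk with whatever DLL Characteristics it happened to have, and the next `make` run treats it as up to date; now that the NX flag is the security-relevant property of that file, consider adding `.DELETE_ON_ERROR:` to the Makefile or running post-process-pe on a temporary copy and renaming it to `$@` only on success, so a failed post-processing step cannot leave behind a shim whose advertised NX state differs from what the build intended.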
2 changes: 1 addition & 1 deletion post-process-pe.c
Expand Up @@ -42,7 +42,7 @@ static int verbosity;
0; \
})

static bool set_nx_compat = false;
static bool set_nx_compat = true;

typedef uint8_t UINT8;
typedef uint16_t UINT16;
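Review bot: Flipping `set_nx_compat` to `true` turns the option that clears it (`-N`, per the commit message) from a no-op on an already-clear flag into the only way to opt out, but the hunk changes just the initializer; the option parsing and any usage text elsewhere in this file, which are not shown here, should be checked in the same change so they describe `-N` as disabling rather than enabling the flag, and the `-vv` output should report the final flag state so a distributor can confirm what each build actually advertises to firmware.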

0 comments on commit 7c76425