]> git.dujemihanovic.xyz Git - u-boot.git/commit
projects / u-boot.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d49fa3d) | patch
efi_loader: set IMAGE_DLLCHARACTERISTICS_NX_COMPAT
authorHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Wed, 14 Feb 2024 20:43:21 +0000 (21:43 +0100)
committerHeinrich Schuchardt <heinrich.schuchardt@canonical.com>
Wed, 28 Feb 2024 13:37:46 +0000 (14:37 +0100)
commitc9f368b597a02f9919cb0c1c03e6b231129e9262
treedecb64beeaa7b3ffe7e2bb399d916f5bfa4e3767tree | snapshot
parentd49fa3defa50c6d3f04acbb52fd486c13c14ab6acommit | diff
efi_loader: set IMAGE_DLLCHARACTERISTICS_NX_COMPAT

The IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag marks an EFI binary where
the following conditions are met [1]:

* Executable and writable sections are separated.
* The application does not run self-modifying code.
* The application uses the EFI_MEMORY_ATTRIBUTE_PROTOCOL when loading
  executable code.
* The application does not assume that all memory ranges are usable.
* The stack is not expected to be executable.

The only EFI binaries U-Boot provides that do not fulfill these
requirements are the EFI app and the EFI payload.

Once we have implemented separation of writable and executable memory in
U-Boot we can use the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag to decide
if we will load an EFI binary.

[1] New UEFI CA memory mitigation requirements for signing
    https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation-requirements-for-signing/ba-p/3608714

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
arch/arm/lib/crt0_aarch64_efi.S diff | blob | history
arch/arm/lib/crt0_arm_efi.S diff | blob | history
arch/riscv/lib/crt0_riscv_efi.S diff | blob | history
include/asm-generic/pe.h diff | blob | history
My U-Boot fork