efi/zboot: Set forward edge CFI compat header flag if supported

Add some plumbing to the zboot EFI header generation to set the newly
introduced DllCharacteristicsEx flag associated with forward edge CFI
enforcement instructions (BTI on arm64, IBT on x86)

x86 does not currently uses the zboot infrastructure, so let's wire it
up only for arm64.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

diff --git a/arch/arm64/boot/Makefile b/arch/arm64/boot/Makefile
index c65aee0884103c6f7d5904d0f3680afc19b55303..ae645fda90bca5745d447b175929526f50a77367 100644 (file)
--- a/arch/arm64/boot/Makefile
+++ b/arch/arm64/boot/Makefile
@@ -42,5 +42,6 @@ $(obj)/Image.zst: $(obj)/Image FORCE
 EFI_ZBOOT_PAYLOAD      := Image
 EFI_ZBOOT_BFD_TARGET   := elf64-littleaarch64
 EFI_ZBOOT_MACH_TYPE    := ARM64
+EFI_ZBOOT_FORWARD_CFI  := $(CONFIG_ARM64_BTI_KERNEL)
 
 include $(srctree)/drivers/firmware/efi/libstub/Makefile.zboot

diff --git a/drivers/firmware/efi/libstub/Makefile.zboot b/drivers/firmware/efi/libstub/Makefile.zboot
index 2d78770236049b217a2859894439855dafe31c42..0a9dcc2b13736519eb01522093d6872b827d4cd8 100644 (file)
--- a/drivers/firmware/efi/libstub/Makefile.zboot
+++ b/drivers/firmware/efi/libstub/Makefile.zboot
@@ -1,7 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0
 
 # to be include'd by arch/$(ARCH)/boot/Makefile after setting
-# EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET and EFI_ZBOOT_MACH_TYPE
+# EFI_ZBOOT_PAYLOAD, EFI_ZBOOT_BFD_TARGET, EFI_ZBOOT_MACH_TYPE and
+# EFI_ZBOOT_FORWARD_CFI
 
 quiet_cmd_copy_and_pad = PAD     $@
       cmd_copy_and_pad = cp $< $@ && \
@@ -44,10 +45,14 @@ OBJCOPYFLAGS_vmlinuz.o := -I binary -O $(EFI_ZBOOT_BFD_TARGET) \
 $(obj)/vmlinuz.o: $(obj)/vmlinuz FORCE
        $(call if_changed,objcopy)
 
+aflags-zboot-header-$(EFI_ZBOOT_FORWARD_CFI) := \
+               -DPE_DLL_CHAR_EX=IMAGE_DLLCHARACTERISTICS_EX_FORWARD_CFI_COMPAT
+
 AFLAGS_zboot-header.o += -DMACHINE_TYPE=IMAGE_FILE_MACHINE_$(EFI_ZBOOT_MACH_TYPE) \
                         -DZBOOT_EFI_PATH="\"$(realpath $(obj)/vmlinuz.efi.elf)\"" \
                         -DZBOOT_SIZE_LEN=$(zboot-size-len-y) \
-                        -DCOMP_TYPE="\"$(comp-type-y)\""
+                        -DCOMP_TYPE="\"$(comp-type-y)\"" \
+                        $(aflags-zboot-header-y)
 
 $(obj)/zboot-header.o: $(srctree)/drivers/firmware/efi/libstub/zboot-header.S FORCE
        $(call if_changed_rule,as_o_S)

diff --git a/drivers/firmware/efi/libstub/zboot-header.S b/drivers/firmware/efi/libstub/zboot-header.S
index 053aba073594936bff861c4298d6ef36037c6d5c..fb676ded47fa43413240f8d78349cd5538b98fd6 100644 (file)
--- a/drivers/firmware/efi/libstub/zboot-header.S
+++ b/drivers/firmware/efi/libstub/zboot-header.S
@@ -78,9 +78,36 @@ __efistub_efi_zboot_header:
        .quad           0                               // ExceptionTable
        .quad           0                               // CertificationTable
        .quad           0                               // BaseRelocationTable
-#ifdef CONFIG_DEBUG_EFI
+#if defined(PE_DLL_CHAR_EX) || defined(CONFIG_DEBUG_EFI)
        .long           .Lefi_debug_table - .Ldoshdr    // DebugTable
        .long           .Lefi_debug_table_size
+
+       .section        ".rodata", "a"
+       .p2align        2
+.Lefi_debug_table:
+       // EFI_IMAGE_DEBUG_DIRECTORY_ENTRY[]
+#ifdef PE_DLL_CHAR_EX
+       .long           0                                       // Characteristics
+       .long           0                                       // TimeDateStamp
+       .short          0                                       // MajorVersion
+       .short          0                                       // MinorVersion
+       .long           IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS  // Type
+       .long           4                                       // SizeOfData
+       .long           0                                       // RVA
+       .long           .Lefi_dll_characteristics_ex - .Ldoshdr // FileOffset
+#endif
+#ifdef CONFIG_DEBUG_EFI
+       .long           0                                       // Characteristics
+       .long           0                                       // TimeDateStamp
+       .short          0                                       // MajorVersion
+       .short          0                                       // MinorVersion
+       .long           IMAGE_DEBUG_TYPE_CODEVIEW               // Type
+       .long           .Lefi_debug_entry_size                  // SizeOfData
+       .long           0                                       // RVA
+       .long           .Lefi_debug_entry - .Ldoshdr            // FileOffset
+#endif
+       .set            .Lefi_debug_table_size, . - .Lefi_debug_table
+       .previous
 #endif
 
 .Lsection_table:
@@ -110,23 +137,11 @@ __efistub_efi_zboot_header:
 
        .set            .Lsection_count, (. - .Lsection_table) / 40
 
+#ifdef PE_DLL_CHAR_EX
+.Lefi_dll_characteristics_ex:
+       .long           PE_DLL_CHAR_EX
+#endif
 #ifdef CONFIG_DEBUG_EFI
-       .section        ".rodata", "a"
-       .align          2
-.Lefi_debug_table:
-       // EFI_IMAGE_DEBUG_DIRECTORY_ENTRY
-       .long           0                               // Characteristics
-       .long           0                               // TimeDateStamp
-       .short          0                               // MajorVersion
-       .short          0                               // MinorVersion
-       .long           IMAGE_DEBUG_TYPE_CODEVIEW       // Type
-       .long           .Lefi_debug_entry_size          // SizeOfData
-       .long           0                               // RVA
-       .long           .Lefi_debug_entry - .Ldoshdr    // FileOffset
-
-       .set            .Lefi_debug_table_size, . - .Lefi_debug_table
-       .previous
-
 .Lefi_debug_entry:
        // EFI_IMAGE_DEBUG_CODEVIEW_NB10_ENTRY
        .ascii          "NB10"                          // Signature