authorSteve McIntyre <steve@einval.com>2023-01-30 18:12:20 +0000
committerSteve McIntyre <steve@einval.com>2023-01-30 18:12:20 +0000
commit77729f4c4bb2b61c84063f01f8d6105a4a7b4b04 (patch)
treebdb76c4fe4b3140e3b9995b2d94270a25395dcb3
parentba98d1fec3e3f37d3ced6abbe3f8d5406ebca02f (diff)
downloadefi-boot-shim-77729f4c4bb2b61c84063f01f8d6105a4a7b4b04.tar.gz
efi-boot-shim-77729f4c4bb2b61c84063f01f8d6105a4a7b4b04.zip
Swith to using the upstream "enable NX" patch
-rw-r--r--debian/changelog8
-rw-r--r--debian/patches/Enable-NX.patch70
2 files changed, 72 insertions, 6 deletions
diff --git a/debian/changelog b/debian/changelog
index 290bfe4c..c9a27b4b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,15 +1,15 @@
shim (15.7-1) UNRELEASED; urgency=medium
* New upstream release fixing more bugs
- * Add a further patch from upstream:
+ * Add further patches from upstream:
+ Make sbat_var.S parse right with buggy gcc/binutils
+ + Enable NX support at build time, as required by policy for signing
+ new shim binaries.
* Switch to using gcc-12. Closes: #1022180
* Update to Standards-Version 4.6.2 (no changes needed)
- * Enable NX support at build time, as required by policy for signing
- new shim binaries.
* Block Debian grub binaries with sbat < 4 (see #1024617)
- -- Steve McIntyre <93sam@debian.org> Sun, 29 Jan 2023 23:34:40 +0000
+ -- Steve McIntyre <93sam@debian.org> Mon, 30 Jan 2023 18:11:23 +0000
shim (15.6-1) unstable; urgency=medium
diff --git a/debian/patches/Enable-NX.patch b/debian/patches/Enable-NX.patch
index d75c1089..bb7e7666 100644
--- a/debian/patches/Enable-NX.patch
+++ b/debian/patches/Enable-NX.patch
@@ -1,5 +1,58 @@
+commit 7c7642530fab73facaf3eac233cfbce29e10b0ef
+Author: Peter Jones <pjones@redhat.com>
+Date: Thu Nov 17 12:31:31 2022 -0500
+
+ Enable the NX compatibility flag by default.
+
+ Currently by default, when we build shim we do not set the PE
+ NX-compatibility DLL Characteristic flag. This signifies to the
+ firmware that shim (including the components it loads) is not prepared
+ for several related firmware changes:
+
+ - non-executable stack
+ - non-executable pages from AllocatePages()/AllocatePool()/etc.
+ - non-writable 0 page (not strictly related but some firmware will be
+ transitioning at the same time)
+ - the need to use the UEFI 2.10 Memory Attribute Protocol to set page
+ permissions.
+
+ This patch changes that default to be enabled by default. Distributors
+ of shim will need to ensure that either their builds disable this bit
+ (using "post-process-pe -N"), or that the bootloaders and kernels you
+ support loading are all compliant with this change. A new make
+ variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
+
+ Signed-off-by: Peter Jones <pjones@redhat.com>
+
+diff --git a/BUILDING b/BUILDING
+index 3b2e85d3..17cd98d3 100644
+--- a/BUILDING
++++ b/BUILDING
+@@ -78,6 +78,9 @@ Variables you could set to customize the build:
+ - OSLABEL
+ This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
+ By default this is the same value as EFIDIR .
++- POST_PROCESS_PE_FLAGS
++ This allows you to add flags to the invocation of "post-process-pe", for
++ example to disable the NX compatibility flag.
+
+ Vendor SBAT data:
+ It will sometimes be requested by reviewers that a build includes extra
+diff --git a/Make.defaults b/Make.defaults
+index c46164a3..9af89f4e 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
+ $(INCLUDES) \
+ $(DEFINES)
+
++POST_PROCESS_PE_FLAGS =
++
+ ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ DEFINES += -DOVERRIDE_SECURITY_POLICY
+ endif
diff --git a/Makefile b/Makefile
-index a9202f46..4f29fe12 100644
+index a9202f46..f0f53f8f 100644
--- a/Makefile
+++ b/Makefile
@@ -255,7 +255,7 @@ endif
@@ -7,7 +60,20 @@ index a9202f46..4f29fe12 100644
-j .vendor_cert -j .sbat -j .sbatlevel \
$(FORMAT) $< $@
- ./post-process-pe -vv $@
-+ ./post-process-pe -n -vv $@
++ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
%.hash : %.efi
+diff --git a/post-process-pe.c b/post-process-pe.c
+index de8f4a38..f39fdddf 100644
+--- a/post-process-pe.c
++++ b/post-process-pe.c
+@@ -42,7 +42,7 @@ static int verbosity;
+ 0; \
+ })
+
+-static bool set_nx_compat = false;
++static bool set_nx_compat = true;
+
+ typedef uint8_t UINT8;
+ typedef uint16_t UINT16;
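Review bot: The Makefile hunk's new line `./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@` drops the explicit `-n` the previous Debian patch passed, so the NX-compatibility bit in the signed shim now rests solely on the `set_nx_compat = true` default in post-process-pe.c and on `POST_PROCESS_PE_FLAGS` staying empty. Because that variable is initialised empty in Make.defaults and can be overridden from the environment or the make command line, a `-N` reaching the build (for example from a build wrapper) would silently produce a shim without the bit the changelog says signing policy requires, with nothing in the package asserting the intended state. It would be safer for the packaging to pin the choice, e.g. pass `POST_PROCESS_PE_FLAGS=-n` from debian/rules, so the signed artifact's flag does not depend on an upstream default that may change again. Separately, the upstream message notes that distributors must confirm the bootloaders and kernels they load are compliant with non-executable stack and pages; the changelog records the policy motivation but not that check for Debian's grub and kernel images, so a sentence confirming it (or pointing at the relevant bug) would help future reviewers.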