| author | Peter Jones <pjones@redhat.com> | 2021-12-02 15:51:00 -0500 |
|---|---|---|
| committer | Peter Jones <pjones@redhat.com> | 2022-05-17 19:01:03 -0400 |
| commit | b104fc480aae94eaa8d79717d0b7cf6dcc2253d3 (patch) | |
| tree | 3976d11a6e02fe28d0f2a25498cd20ff99b8d47a /include | |
| parent | df96f48f28fa94b62d06f39a3b014133dd38def5 (diff) | |
| download | efi-boot-shim-b104fc480aae94eaa8d79717d0b7cf6dcc2253d3.tar.gz efi-boot-shim-b104fc480aae94eaa8d79717d0b7cf6dcc2253d3.zip | |
post-process-pe: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT
Currently, system firmware has no means to discover that an EFI
Application is compatible with the security feature variously known as
NX or w^x.
Since at least Revision 8.1, the PE spec supports setting a flag in the
Optional Header's DllCharacteristics field to inform loaders that an
application supports being loaded with NX enabled.
In the case of UEFI, there are several things that should be enabled if
this flag is set:
- EFI_BOOT_SERVICES.AllocatePages() with MemoryType = EfiLoaderCode,
EfiBootServicesCode, EfiRuntimeServicesCode, etc, currently must set
memory as rwx. This flag set implies that rw- is appropriate, and
that the application knows how to use the EFI_MEMORY_ATTRIBUTE
protocol to change that to r-x.
- EFI_BOOT_SERVICES.AllocatePool() - same as AllocatePages()
- EFI_BOOT_SERVICES.LoadImage()
- currently must set the stack as rwx. This flag states that it is
allowed to be rw-
- currently a binary can probably have writable PLTs? This flag
allows the loader to not set them writable
- I have heard that some firmwares have the 0 page mapped rwx.
Obviously this should not be done.
Signed-off-by: Peter Jones <pjones@redhat.com>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
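The commit message describes the flag but not where it lives or what a post-processing tool has to check before setting it. The following is an added example, not shim's post-process-pe code: it locates DllCharacteristics in an in-memory PE32 or PE32+ image (offset 70 into the Optional Header in both formats, per the PE/COFF spec), sets EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100), and goes beyond the commit in two ways a practitioner would want: it refuses to set the flag if any section header is both writable and executable, since such an image cannot honestly claim NX compatibility, and it documents that the edit must happen before Authenticode signing, because the Optional Header is covered by the signature hash. The sample image is constructed inline; the function names, the W+X refusal policy and the return codes are this example's own.

```c
/* Added example: set EFI_IMAGE_DLLCHARACTERISTICS_NX_COMPAT in a PE image in memory.
 * Not shim's post-process-pe; offsets follow the PE/COFF spec, the image is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PE_DLLCHARACTERISTICS_NX_COMPAT 0x0100u  /* spec name: IMAGE_DLLCHARACTERISTICS_NX_COMPAT */
#define PE_SCN_MEM_EXECUTE 0x20000000u
#define PE_SCN_MEM_WRITE   0x80000000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Byte offset of the Optional Header, or -1 if the DOS/PE headers are malformed. */
static long pe_opt_hdr(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t pe = rd32(img + 0x3c);                   /* e_lfanew */
    if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0)
        return -1;
    uint16_t opt_size = rd16(img + pe + 20);          /* COFF SizeOfOptionalHeader */
    size_t opt = (size_t)pe + 24;
    if (opt_size < 72 || opt + opt_size > len)        /* need at least up to DllCharacteristics */
        return -1;
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10b && magic != 0x20b)             /* PE32 / PE32+ */
        return -1;
    return (long)opt;
}

/* 1 if any section is both writable and executable, 0 if none, -1 if malformed. */
static int pe_has_wx_section(const uint8_t *img, size_t len)
{
    long opt = pe_opt_hdr(img, len);
    if (opt < 0) return -1;
    uint32_t pe = rd32(img + 0x3c);
    uint16_t nsec = rd16(img + pe + 6);               /* COFF NumberOfSections */
    size_t sec = (size_t)opt + rd16(img + pe + 20);   /* section table follows the Optional Header */
    if (sec + (size_t)nsec * 40 > len) return -1;
    for (uint16_t i = 0; i < nsec; i++) {
        uint32_t ch = rd32(img + sec + i * 40 + 36);  /* IMAGE_SECTION_HEADER.Characteristics */
        if ((ch & PE_SCN_MEM_WRITE) && (ch & PE_SCN_MEM_EXECUTE))
            return 1;
    }
    return 0;
}

/* 1 if NX_COMPAT is set, 0 if clear, -1 if malformed. */
int pe_get_nx_compat(const uint8_t *img, size_t len)
{
    long opt = pe_opt_hdr(img, len);
    if (opt < 0) return -1;
    return (rd16(img + opt + 70) & PE_DLLCHARACTERISTICS_NX_COMPAT) ? 1 : 0;
}

/* Set NX_COMPAT. 0 on success, -1 if malformed, -2 if refused because a section is W+X.
 * Run this before Authenticode signing: the Optional Header is covered by the hash. */
int pe_set_nx_compat(uint8_t *img, size_t len)
{
    int wx = pe_has_wx_section(img, len);
    if (wx < 0) return -1;
    if (wx) return -2;
    uint8_t *dll = img + pe_opt_hdr(img, len) + 70;   /* same offset in PE32 and PE32+ */
    wr16(dll, rd16(dll) | PE_DLLCHARACTERISTICS_NX_COMPAT);
    return 0;
}

/* Constructed minimal PE32+ EFI application header: .text (r-x) and .data (rw-).
 * With wx_text set, .text is marked rwx for the negative case. Returns bytes written. */
size_t build_sample_image(uint8_t *buf, size_t cap, int wx_text)
{
    const size_t pe = 0x40, opt = pe + 24, sec = opt + 240, end = sec + 2 * 40;
    if (cap < end) return 0;
    memset(buf, 0, end);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3c, (uint32_t)pe);
    memcpy(buf + pe, "PE\0\0", 4);
    wr16(buf + pe + 4, 0x8664);                       /* Machine: x86-64 */
    wr16(buf + pe + 6, 2);                            /* NumberOfSections */
    wr16(buf + pe + 20, 240);                         /* SizeOfOptionalHeader: PE32+, 16 data dirs */
    wr16(buf + opt, 0x20b);                           /* Magic: PE32+ */
    wr16(buf + opt + 68, 10);                         /* Subsystem: EFI application */
    wr16(buf + opt + 70, 0);                          /* DllCharacteristics: nothing set yet */
    memcpy(buf + sec, ".text", 5);
    wr32(buf + sec + 36, 0x60000020u | (wx_text ? PE_SCN_MEM_WRITE : 0)); /* code|exec|read */
    memcpy(buf + sec + 40, ".data", 5);
    wr32(buf + sec + 40 + 36, 0xC0000040u);           /* initialized data|read|write */
    return end;
}

int main(void)
{
    uint8_t img[0x200];
    size_t n = build_sample_image(img, sizeof img, 0);
    printf("before: nx_compat=%d\n", pe_get_nx_compat(img, n));
    int rc = pe_set_nx_compat(img, n);
    printf("set rc=%d, after: nx_compat=%d\n", rc, pe_get_nx_compat(img, n));
    n = build_sample_image(img, sizeof img, 1);
    printf("W+X image: set rc=%d (refused)\n", pe_set_nx_compat(img, n));
    return 0;
}
```

The W+X check is deliberately conservative: a build that produces a writable, executable section should be fixed in the linker script rather than papered over by setting the flag, because firmware that honours NX_COMPAT will map such a section without write or without execute and the application will fault.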
