Diffstat (limited to 'debian/patches/Enable-NX.patch')
-rw-r--r-- debian/patches/Enable-NX.patch 79
1 files changed, 0 insertions, 79 deletions
diff --git a/debian/patches/Enable-NX.patch b/debian/patches/Enable-NX.patch
deleted file mode 100644
index bb7e7666..00000000
--- a/debian/patches/Enable-NX.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-commit 7c7642530fab73facaf3eac233cfbce29e10b0ef
-Author: Peter Jones <pjones@redhat.com>
-Date: Thu Nov 17 12:31:31 2022 -0500
-
- Enable the NX compatibility flag by default.
-
- Currently by default, when we build shim we do not set the PE
- NX-compatibility DLL Characteristic flag. This signifies to the
- firmware that shim (including the components it loads) is not prepared
- for several related firmware changes:
-
- - non-executable stack
- - non-executable pages from AllocatePages()/AllocatePool()/etc.
- - non-writable 0 page (not strictly related but some firmware will be
- transitioning at the same time)
- - the need to use the UEFI 2.10 Memory Attribute Protocol to set page
- permissions.
-
- This patch changes that default to be enabled by default. Distributors
- of shim will need to ensure that either their builds disable this bit
- (using "post-process-pe -N"), or that the bootloaders and kernels you
- support loading are all compliant with this change. A new make
- variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
-
- Signed-off-by: Peter Jones <pjones@redhat.com>
-
-diff --git a/BUILDING b/BUILDING
-index 3b2e85d3..17cd98d3 100644
---- a/BUILDING
-+++ b/BUILDING
-@@ -78,6 +78,9 @@ Variables you could set to customize the build:
- - OSLABEL
- This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
- By default this is the same value as EFIDIR .
-+- POST_PROCESS_PE_FLAGS
-+ This allows you to add flags to the invocation of "post-process-pe", for
-+ example to disable the NX compatibility flag.
-
- Vendor SBAT data:
- It will sometimes be requested by reviewers that a build includes extra
-diff --git a/Make.defaults b/Make.defaults
-index c46164a3..9af89f4e 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
- $(INCLUDES) \
- $(DEFINES)
-
-+POST_PROCESS_PE_FLAGS =
-+
- ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
- DEFINES += -DOVERRIDE_SECURITY_POLICY
- endif
-diff --git a/Makefile b/Makefile
-index a9202f46..f0f53f8f 100644
---- a/Makefile
-+++ b/Makefile
-@@ -255,7 +255,7 @@ endif
- -j .rela* -j .dyn -j .reloc -j .eh_frame \
- -j .vendor_cert -j .sbat -j .sbatlevel \
- $(FORMAT) $< $@
-- ./post-process-pe -vv $@
-+ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
-
- ifneq ($(origin ENABLE_SHIM_HASH),undefined)
- %.hash : %.efi
-diff --git a/post-process-pe.c b/post-process-pe.c
-index de8f4a38..f39fdddf 100644
---- a/post-process-pe.c
-+++ b/post-process-pe.c
-@@ -42,7 +42,7 @@ static int verbosity;
- 0; \
- })
-
--static bool set_nx_compat = false;
-+static bool set_nx_compat = true;
-
- typedef uint8_t UINT8;
- typedef uint16_t UINT16;
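Review bot: removing this patch whole also removes the `set_nx_compat = true` default in post-process-pe.c and the `$(POST_PROCESS_PE_FLAGS)` argument on the `./post-process-pe -vv` line in the Makefile, and nothing visible here states why. If the packaged upstream source already contains commit 7c7642530fab73facaf3eac233cfbce29e10b0ef, say so in the commit message or changelog. If it does not, the build goes back to a shim without the PE NX-compatibility flag, and any packaging rule that sets POST_PROCESS_PE_FLAGS stops having an effect. The diffstat is limited to this one file, so also confirm that the matching entry in debian/patches/series is dropped in the same commit.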