diff options
Diffstat (limited to 'debian/patches')
| -rw-r--r-- | debian/patches/Enable-NX.patch | 70 |
1 files changed, 68 insertions, 2 deletions
diff --git a/debian/patches/Enable-NX.patch b/debian/patches/Enable-NX.patch index d75c1089..bb7e7666 100644 --- a/debian/patches/Enable-NX.patch +++ b/debian/patches/Enable-NX.patch @@ -1,5 +1,58 @@ +commit 7c7642530fab73facaf3eac233cfbce29e10b0ef +Author: Peter Jones <pjones@redhat.com> +Date: Thu Nov 17 12:31:31 2022 -0500 + + Enable the NX compatibility flag by default. + + Currently by default, when we build shim we do not set the PE + NX-compatibility DLL Characteristic flag. This signifies to the + firmware that shim (including the components it loads) is not prepared + for several related firmware changes: + + - non-executable stack + - non-executable pages from AllocatePages()/AllocatePool()/etc. + - non-writable 0 page (not strictly related but some firmware will be + transitioning at the same time) + - the need to use the UEFI 2.10 Memory Attribute Protocol to set page + permissions. + + This patch changes that default to be enabled by default. Distributors + of shim will need to ensure that either their builds disable this bit + (using "post-process-pe -N"), or that the bootloaders and kernels you + support loading are all compliant with this change. A new make + variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so. + + Signed-off-by: Peter Jones <pjones@redhat.com> + +diff --git a/BUILDING b/BUILDING +index 3b2e85d3..17cd98d3 100644 +--- a/BUILDING ++++ b/BUILDING +@@ -78,6 +78,9 @@ Variables you could set to customize the build: + - OSLABEL + This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS. + By default this is the same value as EFIDIR . ++- POST_PROCESS_PE_FLAGS ++ This allows you to add flags to the invocation of "post-process-pe", for ++ example to disable the NX compatibility flag. + + Vendor SBAT data: + It will sometimes be requested by reviewers that a build includes extra +diff --git a/Make.defaults b/Make.defaults +index c46164a3..9af89f4e 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \ + $(INCLUDES) \ + $(DEFINES) + ++POST_PROCESS_PE_FLAGS = ++ + ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined) + DEFINES += -DOVERRIDE_SECURITY_POLICY + endif diff --git a/Makefile b/Makefile -index a9202f46..4f29fe12 100644 +index a9202f46..f0f53f8f 100644 --- a/Makefile +++ b/Makefile @@ -255,7 +255,7 @@ endif @@ -7,7 +60,20 @@ index a9202f46..4f29fe12 100644 -j .vendor_cert -j .sbat -j .sbatlevel \ $(FORMAT) $< $@ - ./post-process-pe -vv $@ -+ ./post-process-pe -n -vv $@ ++ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@ ifneq ($(origin ENABLE_SHIM_HASH),undefined) %.hash : %.efi +diff --git a/post-process-pe.c b/post-process-pe.c +index de8f4a38..f39fdddf 100644 +--- a/post-process-pe.c ++++ b/post-process-pe.c +@@ -42,7 +42,7 @@ static int verbosity; + 0; \ + }) + +-static bool set_nx_compat = false; ++static bool set_nx_compat = true; + + typedef uint8_t UINT8; + typedef uint16_t UINT16; |