|
|
bf0270 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
bf0270 |
From: Peter Jones <pjones@redhat.com>
|
|
|
bf0270 |
Date: Tue, 22 Mar 2022 10:57:07 -0400
|
|
|
bf0270 |
Subject: [PATCH] nx: set attrs in our kernel loaders
|
|
|
bf0270 |
|
|
|
bf0270 |
For NX, our kernel loaders need to set write and execute page
|
|
|
bf0270 |
permissions on allocated pages and the stack.
|
|
|
bf0270 |
|
|
|
bf0270 |
This patch adds those calls.
|
|
|
bf0270 |
|
|
|
bf0270 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
bf0270 |
[rharwood: fix aarch64 callsites]
|
|
|
bf0270 |
(cherry-picked from commit a9f79a997f01a83b36cdfa89ef2e72ac2a17c06c)
|
|
|
bf0270 |
[rharwood: double verification]
|
|
|
bf0270 |
(cherry picked from commit daba852bd3e4d7b7784b19cf7acf107dc3c0dce4)
|
|
|
bf0270 |
[rharwood: stack_attrs initialization, no risc-v, arm renames, arm age]
|
|
|
bf0270 |
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
bf0270 |
---
|
|
|
bf0270 |
grub-core/kern/efi/mm.c | 78 ++++++++++++++++++
|
|
|
bf0270 |
grub-core/loader/arm64/linux.c | 16 +++-
|
|
|
bf0270 |
grub-core/loader/arm64/xen_boot.c | 4 +-
|
|
|
bf0270 |
grub-core/loader/efi/chainloader.c | 11 +++
|
|
|
bf0270 |
grub-core/loader/efi/linux.c | 162 ++++++++++++++++++++++++++++++++++++-
|
|
|
bf0270 |
grub-core/loader/i386/efi/linux.c | 26 +++++-
|
|
|
bf0270 |
grub-core/loader/i386/linux.c | 5 ++
|
|
|
bf0270 |
include/grub/efi/efi.h | 6 +-
|
|
|
bf0270 |
include/grub/efi/linux.h | 17 +++-
|
|
|
bf0270 |
include/grub/efi/pe32.h | 2 +
|
|
|
bf0270 |
10 files changed, 312 insertions(+), 15 deletions(-)
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
|
|
|
bf0270 |
index 2cf4a4883a..8a896144df 100644
|
|
|
bf0270 |
--- a/grub-core/kern/efi/mm.c
|
|
|
bf0270 |
+++ b/grub-core/kern/efi/mm.c
|
|
|
bf0270 |
@@ -602,6 +602,82 @@ print_memory_map (grub_efi_memory_descriptor_t *memory_map,
|
|
|
bf0270 |
}
|
|
|
bf0270 |
#endif
|
|
|
bf0270 |
|
|
|
bf0270 |
+grub_addr_t grub_stack_addr = (grub_addr_t)-1ll;
|
|
|
bf0270 |
+grub_size_t grub_stack_size = 0;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+static void
|
|
|
bf0270 |
+grub_nx_init (void)
|
|
|
bf0270 |
+{
|
|
|
bf0270 |
+ grub_uint64_t attrs, stack_attrs;
|
|
|
bf0270 |
+ grub_err_t err;
|
|
|
bf0270 |
+ grub_addr_t stack_current, stack_end;
|
|
|
bf0270 |
+ const grub_uint64_t page_size = 4096;
|
|
|
bf0270 |
+ const grub_uint64_t page_mask = ~(page_size - 1);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ /*
|
|
|
bf0270 |
+ * These are to confirm that the flags are working as expected when
|
|
|
bf0270 |
+ * debugging.
|
|
|
bf0270 |
+ */
|
|
|
bf0270 |
+ attrs = 0;
|
|
|
bf0270 |
+ stack_current = (grub_addr_t)grub_nx_init & page_mask;
|
|
|
bf0270 |
+ err = grub_get_mem_attrs (stack_current, page_size, &attrs);
|
|
|
bf0270 |
+ if (err)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_dprintf ("nx",
|
|
|
bf0270 |
+ "grub_get_mem_attrs(0x%"PRIxGRUB_UINT64_T", ...) -> 0x%x\n",
|
|
|
bf0270 |
+ stack_current, err);
|
|
|
bf0270 |
+ grub_error_pop ();
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+ else
|
|
|
bf0270 |
+ grub_dprintf ("nx", "page attrs for grub_nx_init (%p) are %c%c%c\n",
|
|
|
bf0270 |
+ grub_dl_load_core,
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'r' : '-',
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'w' : '-',
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'x' : '-');
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ stack_current = (grub_addr_t)&stack_current & page_mask;
|
|
|
bf0270 |
+ err = grub_get_mem_attrs (stack_current, page_size, &stack_attrs);
|
|
|
bf0270 |
+ if (err)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_dprintf ("nx",
|
|
|
bf0270 |
+ "grub_get_mem_attrs(0x%"PRIxGRUB_UINT64_T", ...) -> 0x%x\n",
|
|
|
bf0270 |
+ stack_current, err);
|
|
|
bf0270 |
+ grub_error_pop ();
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+ else
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ attrs = stack_attrs;
|
|
|
bf0270 |
+ grub_dprintf ("nx", "page attrs for stack (%p) are %c%c%c\n",
|
|
|
bf0270 |
+ &attrs,
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'r' : '-',
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'w' : '-',
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? 'x' : '-');
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ for (stack_end = stack_current + page_size ;
|
|
|
bf0270 |
+ !(attrs & GRUB_MEM_ATTR_R);
|
|
|
bf0270 |
+ stack_end += page_size)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ err = grub_get_mem_attrs (stack_current, page_size, &attrs);
|
|
|
bf0270 |
+ if (err)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_dprintf ("nx",
|
|
|
bf0270 |
+ "grub_get_mem_attrs(0x%"PRIxGRUB_UINT64_T", ...) -> 0x%x\n",
|
|
|
bf0270 |
+ stack_current, err);
|
|
|
bf0270 |
+ grub_error_pop ();
|
|
|
bf0270 |
+ break;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+ if (stack_end > stack_current)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_stack_addr = stack_current;
|
|
|
bf0270 |
+ grub_stack_size = stack_end - stack_current;
|
|
|
bf0270 |
+ grub_dprintf ("nx",
|
|
|
bf0270 |
+ "detected stack from 0x%"PRIxGRUB_ADDR" to 0x%"PRIxGRUB_ADDR"\n",
|
|
|
bf0270 |
+ grub_stack_addr, grub_stack_addr + grub_stack_size - 1);
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+}
|
|
|
bf0270 |
+
|
|
|
bf0270 |
void
|
|
|
bf0270 |
grub_efi_mm_init (void)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
@@ -615,6 +691,8 @@ grub_efi_mm_init (void)
|
|
|
bf0270 |
grub_efi_uint64_t required_pages;
|
|
|
bf0270 |
int mm_status;
|
|
|
bf0270 |
|
|
|
bf0270 |
+ grub_nx_init ();
|
|
|
bf0270 |
+
|
|
|
bf0270 |
/* Prepare a memory region to store two memory maps. */
|
|
|
bf0270 |
memory_map = grub_efi_allocate_any_pages (2 * BYTES_TO_PAGES (MEMORY_MAP_SIZE));
|
|
|
bf0270 |
if (! memory_map)
|
|
|
bf0270 |
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
|
|
|
bf0270 |
index 24ab0f0074..37f5d0c7eb 100644
|
|
|
bf0270 |
--- a/grub-core/loader/arm64/linux.c
|
|
|
bf0270 |
+++ b/grub-core/loader/arm64/linux.c
|
|
|
bf0270 |
@@ -191,7 +191,8 @@ free_params (void)
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_err_t
|
|
|
bf0270 |
-grub_armxx_efi_linux_boot_image (grub_addr_t addr, char *args)
|
|
|
bf0270 |
+grub_armxx_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args,
|
|
|
bf0270 |
+ int nx_supported)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
grub_err_t retval;
|
|
|
bf0270 |
|
|
|
bf0270 |
@@ -201,7 +202,8 @@ grub_armxx_efi_linux_boot_image (grub_addr_t addr, char *args)
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_dprintf ("linux", "linux command line: '%s'\n", args);
|
|
|
bf0270 |
|
|
|
bf0270 |
- retval = grub_efi_linux_boot ((char *)addr, handover_offset, (void *)addr);
|
|
|
bf0270 |
+ retval = grub_efi_linux_boot (addr, size, handover_offset,
|
|
|
bf0270 |
+ (void *)addr, nx_supported);
|
|
|
bf0270 |
|
|
|
bf0270 |
/* Never reached... */
|
|
|
bf0270 |
free_params();
|
|
|
bf0270 |
@@ -211,7 +213,10 @@ grub_armxx_efi_linux_boot_image (grub_addr_t addr, char *args)
|
|
|
bf0270 |
static grub_err_t
|
|
|
bf0270 |
grub_linux_boot (void)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
- return grub_armxx_efi_linux_boot_image((grub_addr_t)kernel_addr, linux_args);
|
|
|
bf0270 |
+ return grub_armxx_efi_linux_boot_image((grub_addr_t)kernel_addr,
|
|
|
bf0270 |
+ (grub_size_t)kernel_size,
|
|
|
bf0270 |
+ linux_args,
|
|
|
bf0270 |
+ 0);
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
static grub_err_t
|
|
|
bf0270 |
@@ -340,6 +345,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
struct grub_armxx_linux_pe_header *pe;
|
|
|
bf0270 |
int rc;
|
|
|
bf0270 |
grub_err_t err;
|
|
|
bf0270 |
+ int nx_supported = 1;
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_dl_ref (my_mod);
|
|
|
bf0270 |
|
|
|
bf0270 |
@@ -395,6 +401,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
}
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
+ err = grub_efi_check_nx_image_support((grub_addr_t) kernel_addr, kernel_size, &nx_supported);
|
|
|
bf0270 |
+ if (err != GRUB_ERR_NONE)
|
|
|
bf0270 |
+ goto fail;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
|
|
|
bf0270 |
handover_offset = pe->opt.entry_addr;
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/loader/arm64/xen_boot.c b/grub-core/loader/arm64/xen_boot.c
|
|
|
bf0270 |
index 1a337866f0..1fd1bbb4bd 100644
|
|
|
bf0270 |
--- a/grub-core/loader/arm64/xen_boot.c
|
|
|
bf0270 |
+++ b/grub-core/loader/arm64/xen_boot.c
|
|
|
bf0270 |
@@ -266,7 +266,9 @@ xen_boot (void)
|
|
|
bf0270 |
return err;
|
|
|
bf0270 |
|
|
|
bf0270 |
return grub_armxx_efi_linux_boot_image (xen_hypervisor->start,
|
|
|
bf0270 |
- xen_hypervisor->cmdline);
|
|
|
bf0270 |
+ xen_hypervisor->size,
|
|
|
bf0270 |
+ xen_hypervisor->cmdline,
|
|
|
bf0270 |
+ 0);
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
static void
|
|
|
bf0270 |
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
|
|
bf0270 |
index 8e658f713e..b72e6bd5e3 100644
|
|
|
bf0270 |
--- a/grub-core/loader/efi/chainloader.c
|
|
|
bf0270 |
+++ b/grub-core/loader/efi/chainloader.c
|
|
|
bf0270 |
@@ -1055,6 +1055,17 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
goto fail;
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
+ /*
|
|
|
bf0270 |
+ * The OS kernel is going to set its own permissions when it takes over
|
|
|
bf0270 |
+ * paging a few million instructions from now, and load_image() will set up
|
|
|
bf0270 |
+ * anything that's needed based on the section headers, so there's no point
|
|
|
bf0270 |
+ * in doing anything but clearing the protection bits here.
|
|
|
bf0270 |
+ */
|
|
|
bf0270 |
+ grub_dprintf("nx", "setting attributes for %p (%lu bytes) to %llx\n",
|
|
|
bf0270 |
+ (void *)(grub_addr_t)address, fsize, 0llu);
|
|
|
bf0270 |
+ grub_update_mem_attrs (address, fsize,
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_R|GRUB_MEM_ATTR_W|GRUB_MEM_ATTR_X, 0);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
#if defined (__i386__) || defined (__x86_64__)
|
|
|
bf0270 |
if (fsize >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
|
|
|
bf0270 |
{
|
|
|
bf0270 |
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
|
|
|
bf0270 |
index 927d89a90d..421502bd25 100644
|
|
|
bf0270 |
--- a/grub-core/loader/efi/linux.c
|
|
|
bf0270 |
+++ b/grub-core/loader/efi/linux.c
|
|
|
bf0270 |
@@ -66,16 +66,125 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
|
|
|
bf0270 |
|
|
|
bf0270 |
#pragma GCC diagnostic push
|
|
|
bf0270 |
#pragma GCC diagnostic ignored "-Wcast-align"
|
|
|
bf0270 |
+#pragma GCC diagnostic ignored "-Wint-to-pointer-cast"
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+grub_err_t
|
|
|
bf0270 |
+grub_efi_check_nx_image_support (grub_addr_t kernel_addr,
|
|
|
bf0270 |
+ grub_size_t kernel_size,
|
|
|
bf0270 |
+ int *nx_supported)
|
|
|
bf0270 |
+{
|
|
|
bf0270 |
+ struct grub_dos_header *doshdr;
|
|
|
bf0270 |
+ grub_size_t sz = sizeof (*doshdr);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ struct grub_pe32_header_32 *pe32;
|
|
|
bf0270 |
+ struct grub_pe32_header_64 *pe64;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ int image_is_compatible = 0;
|
|
|
bf0270 |
+ int is_64_bit;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (kernel_size < sz)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel is too small"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ doshdr = (void *)kernel_addr;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if ((doshdr->magic & 0xffff) != GRUB_DOS_MAGIC)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel DOS magic is invalid"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ sz = doshdr->lfanew + sizeof (*pe32);
|
|
|
bf0270 |
+ if (kernel_size < sz)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel is too small"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ pe32 = (struct grub_pe32_header_32 *)(kernel_addr + doshdr->lfanew);
|
|
|
bf0270 |
+ pe64 = (struct grub_pe32_header_64 *)pe32;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (grub_memcmp (pe32->signature, GRUB_PE32_SIGNATURE,
|
|
|
bf0270 |
+ GRUB_PE32_SIGNATURE_SIZE) != 0)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel PE magic is invalid"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ switch (pe32->coff_header.machine)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ case GRUB_PE32_MACHINE_ARMTHUMB_MIXED:
|
|
|
bf0270 |
+ case GRUB_PE32_MACHINE_I386:
|
|
|
bf0270 |
+ is_64_bit = 0;
|
|
|
bf0270 |
+ break;
|
|
|
bf0270 |
+ case GRUB_PE32_MACHINE_ARM64:
|
|
|
bf0270 |
+ case GRUB_PE32_MACHINE_IA64:
|
|
|
bf0270 |
+ case GRUB_PE32_MACHINE_X86_64:
|
|
|
bf0270 |
+ is_64_bit = 1;
|
|
|
bf0270 |
+ break;
|
|
|
bf0270 |
+ default:
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("PE machine type 0x%04hx unknown"),
|
|
|
bf0270 |
+ pe32->coff_header.machine);
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (is_64_bit)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ sz = doshdr->lfanew + sizeof (*pe64);
|
|
|
bf0270 |
+ if (kernel_size < sz)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel is too small"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (pe64->optional_header.dll_characteristics & GRUB_PE32_NX_COMPAT)
|
|
|
bf0270 |
+ image_is_compatible = 1;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+ else
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ if (pe32->optional_header.dll_characteristics & GRUB_PE32_NX_COMPAT)
|
|
|
bf0270 |
+ image_is_compatible = 1;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ *nx_supported = image_is_compatible;
|
|
|
bf0270 |
+ return GRUB_ERR_NONE;
|
|
|
bf0270 |
+}
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+grub_err_t
|
|
|
bf0270 |
+grub_efi_check_nx_required (int *nx_required)
|
|
|
bf0270 |
+{
|
|
|
bf0270 |
+ grub_efi_status_t status;
|
|
|
bf0270 |
+ grub_efi_guid_t guid = GRUB_EFI_SHIM_LOCK_GUID;
|
|
|
bf0270 |
+ grub_size_t mok_policy_sz = 0;
|
|
|
bf0270 |
+ char *mok_policy = NULL;
|
|
|
bf0270 |
+ grub_uint32_t mok_policy_attrs = 0;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ status = grub_efi_get_variable_with_attributes ("MokPolicy", &guid,
|
|
|
bf0270 |
+ &mok_policy_sz,
|
|
|
bf0270 |
+ (void **)&mok_policy,
|
|
|
bf0270 |
+ &mok_policy_attrs);
|
|
|
bf0270 |
+ if (status == GRUB_EFI_NOT_FOUND ||
|
|
|
bf0270 |
+ mok_policy_sz == 0 ||
|
|
|
bf0270 |
+ mok_policy == NULL)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ *nx_required = 0;
|
|
|
bf0270 |
+ return GRUB_ERR_NONE;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ *nx_required = 0;
|
|
|
bf0270 |
+ if (mok_policy_sz < 1 ||
|
|
|
bf0270 |
+ mok_policy_attrs != (GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
|
|
|
bf0270 |
+ GRUB_EFI_VARIABLE_RUNTIME_ACCESS) ||
|
|
|
bf0270 |
+ (mok_policy[mok_policy_sz-1] & GRUB_MOK_POLICY_NX_REQUIRED))
|
|
|
bf0270 |
+ *nx_required = 1;
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ return GRUB_ERR_NONE;
|
|
|
bf0270 |
+}
|
|
|
bf0270 |
|
|
|
bf0270 |
typedef void (*handover_func) (void *, grub_efi_system_table_t *, void *);
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_err_t
|
|
|
bf0270 |
-grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
|
|
|
bf0270 |
- void *kernel_params)
|
|
|
bf0270 |
+grub_efi_linux_boot (grub_addr_t kernel_addr, grub_size_t kernel_size,
|
|
|
bf0270 |
+ grub_off_t handover_offset, void *kernel_params,
|
|
|
bf0270 |
+ int nx_supported)
|
|
|
bf0270 |
{
|
|
|
bf0270 |
grub_efi_loaded_image_t *loaded_image = NULL;
|
|
|
bf0270 |
handover_func hf;
|
|
|
bf0270 |
int offset = 0;
|
|
|
bf0270 |
+ grub_uint64_t stack_set_attrs = GRUB_MEM_ATTR_R |
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_W |
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_X;
|
|
|
bf0270 |
+ grub_uint64_t stack_clear_attrs = 0;
|
|
|
bf0270 |
+ grub_uint64_t kernel_set_attrs = stack_set_attrs;
|
|
|
bf0270 |
+ grub_uint64_t kernel_clear_attrs = stack_clear_attrs;
|
|
|
bf0270 |
+ grub_uint64_t attrs;
|
|
|
bf0270 |
+ int nx_required = 0;
|
|
|
bf0270 |
|
|
|
bf0270 |
#ifdef __x86_64__
|
|
|
bf0270 |
offset = 512;
|
|
|
bf0270 |
@@ -88,12 +197,57 @@ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
|
|
|
bf0270 |
*/
|
|
|
bf0270 |
loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
|
|
|
bf0270 |
if (loaded_image)
|
|
|
bf0270 |
- loaded_image->image_base = kernel_addr;
|
|
|
bf0270 |
+ loaded_image->image_base = (void *)kernel_addr;
|
|
|
bf0270 |
else
|
|
|
bf0270 |
grub_dprintf ("linux", "Loaded Image base address could not be set\n");
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_dprintf ("linux", "kernel_addr: %p handover_offset: %p params: %p\n",
|
|
|
bf0270 |
- kernel_addr, (void *)(grub_efi_uintn_t)handover_offset, kernel_params);
|
|
|
bf0270 |
+ (void *)kernel_addr, (void *)handover_offset, kernel_params);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (nx_required && !nx_supported)
|
|
|
bf0270 |
+ return grub_error (GRUB_ERR_BAD_OS, N_("kernel does not support NX loading required by policy"));
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ if (nx_supported)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ kernel_set_attrs &= ~GRUB_MEM_ATTR_W;
|
|
|
bf0270 |
+ kernel_clear_attrs |= GRUB_MEM_ATTR_W;
|
|
|
bf0270 |
+ stack_set_attrs &= ~GRUB_MEM_ATTR_X;
|
|
|
bf0270 |
+ stack_clear_attrs |= GRUB_MEM_ATTR_X;
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ grub_dprintf ("nx", "Setting attributes for 0x%"PRIxGRUB_ADDR"-0x%"PRIxGRUB_ADDR" to r%cx\n",
|
|
|
bf0270 |
+ kernel_addr, kernel_addr + kernel_size - 1,
|
|
|
bf0270 |
+ (kernel_set_attrs & GRUB_MEM_ATTR_W) ? 'w' : '-');
|
|
|
bf0270 |
+ grub_update_mem_attrs (kernel_addr, kernel_size,
|
|
|
bf0270 |
+ kernel_set_attrs, kernel_clear_attrs);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ grub_get_mem_attrs (kernel_addr, 4096, &attrs);
|
|
|
bf0270 |
+ grub_dprintf ("nx", "permissions for 0x%"PRIxGRUB_ADDR" are %s%s%s\n",
|
|
|
bf0270 |
+ (grub_addr_t)kernel_addr,
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? "r" : "-",
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_W) ? "w" : "-",
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_X) ? "x" : "-");
|
|
|
bf0270 |
+ if (grub_stack_addr != (grub_addr_t)-1ll)
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_dprintf ("nx", "Setting attributes for stack at 0x%"PRIxGRUB_ADDR"-0x%"PRIxGRUB_ADDR" to rw%c\n",
|
|
|
bf0270 |
+ grub_stack_addr, grub_stack_addr + grub_stack_size - 1,
|
|
|
bf0270 |
+ (stack_set_attrs & GRUB_MEM_ATTR_X) ? 'x' : '-');
|
|
|
bf0270 |
+ grub_update_mem_attrs (grub_stack_addr, grub_stack_size,
|
|
|
bf0270 |
+ stack_set_attrs, stack_clear_attrs);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+ grub_get_mem_attrs (grub_stack_addr, 4096, &attrs);
|
|
|
bf0270 |
+ grub_dprintf ("nx", "permissions for 0x%"PRIxGRUB_ADDR" are %s%s%s\n",
|
|
|
bf0270 |
+ grub_stack_addr,
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_R) ? "r" : "-",
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_W) ? "w" : "-",
|
|
|
bf0270 |
+ (attrs & GRUB_MEM_ATTR_X) ? "x" : "-");
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+#if defined(__i386__) || defined(__x86_64__)
|
|
|
bf0270 |
+ asm volatile ("cli");
|
|
|
bf0270 |
+#endif
|
|
|
bf0270 |
+
|
|
|
bf0270 |
hf = (handover_func)((char *)kernel_addr + handover_offset + offset);
|
|
|
bf0270 |
grub_dprintf ("linux", "handover_func() = %p\n", hf);
|
|
|
bf0270 |
hf (grub_efi_image_handle, grub_efi_system_table, kernel_params);
|
|
|
bf0270 |
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
|
bf0270 |
index 3d4069e4c6..d80d6ec312 100644
|
|
|
bf0270 |
--- a/grub-core/loader/i386/efi/linux.c
|
|
|
bf0270 |
+++ b/grub-core/loader/i386/efi/linux.c
|
|
|
bf0270 |
@@ -44,7 +44,7 @@ struct grub_linuxefi_context {
|
|
|
bf0270 |
grub_uint32_t handover_offset;
|
|
|
bf0270 |
struct linux_kernel_params *params;
|
|
|
bf0270 |
char *cmdline;
|
|
|
bf0270 |
-
|
|
|
bf0270 |
+ int nx_supported;
|
|
|
bf0270 |
void *initrd_mem;
|
|
|
bf0270 |
};
|
|
|
bf0270 |
|
|
|
bf0270 |
@@ -110,13 +110,19 @@ kernel_alloc(grub_efi_uintn_t size,
|
|
|
bf0270 |
pages = BYTES_TO_PAGES(size);
|
|
|
bf0270 |
grub_dprintf ("linux", "Trying to allocate %lu pages from %p\n",
|
|
|
bf0270 |
pages, (void *)max);
|
|
|
bf0270 |
+ size = pages * GRUB_EFI_PAGE_SIZE;
|
|
|
bf0270 |
|
|
|
bf0270 |
prev_max = max;
|
|
|
bf0270 |
addr = grub_efi_allocate_pages_real (max, pages,
|
|
|
bf0270 |
max_addresses[i].alloc_type,
|
|
|
bf0270 |
memtype);
|
|
|
bf0270 |
if (addr)
|
|
|
bf0270 |
- grub_dprintf ("linux", "Allocated at %p\n", addr);
|
|
|
bf0270 |
+ {
|
|
|
bf0270 |
+ grub_dprintf ("linux", "Allocated at %p\n", addr);
|
|
|
bf0270 |
+ grub_update_mem_attrs ((grub_addr_t)addr, size,
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_R|GRUB_MEM_ATTR_W,
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_X);
|
|
|
bf0270 |
+ }
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
while (grub_error_pop ())
|
|
|
bf0270 |
@@ -137,9 +143,11 @@ grub_linuxefi_boot (void *data)
|
|
|
bf0270 |
|
|
|
bf0270 |
asm volatile ("cli");
|
|
|
bf0270 |
|
|
|
bf0270 |
- return grub_efi_linux_boot ((char *)context->kernel_mem,
|
|
|
bf0270 |
+ return grub_efi_linux_boot ((grub_addr_t)context->kernel_mem,
|
|
|
bf0270 |
+ context->kernel_size,
|
|
|
bf0270 |
context->handover_offset,
|
|
|
bf0270 |
- context->params);
|
|
|
bf0270 |
+ context->params,
|
|
|
bf0270 |
+ context->nx_supported);
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
static grub_err_t
|
|
|
bf0270 |
@@ -308,7 +316,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
grub_uint32_t handover_offset;
|
|
|
bf0270 |
struct linux_kernel_params *params = 0;
|
|
|
bf0270 |
char *cmdline = 0;
|
|
|
bf0270 |
+ int nx_supported = 1;
|
|
|
bf0270 |
struct grub_linuxefi_context *context = 0;
|
|
|
bf0270 |
+ grub_err_t err;
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_dl_ref (my_mod);
|
|
|
bf0270 |
|
|
|
bf0270 |
@@ -352,6 +362,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
}
|
|
|
bf0270 |
}
|
|
|
bf0270 |
|
|
|
bf0270 |
+ err = grub_efi_check_nx_image_support ((grub_addr_t)kernel, filelen,
|
|
|
bf0270 |
+ &nx_supported);
|
|
|
bf0270 |
+ if (err != GRUB_ERR_NONE)
|
|
|
bf0270 |
+ return err;
|
|
|
bf0270 |
+ grub_dprintf ("linux", "nx is%s supported by this kernel\n",
|
|
|
bf0270 |
+ nx_supported ? "" : " not");
|
|
|
bf0270 |
+
|
|
|
bf0270 |
lh = (struct linux_i386_kernel_header *)kernel;
|
|
|
bf0270 |
grub_dprintf ("linux", "original lh is at %p\n", kernel);
|
|
|
bf0270 |
|
|
|
bf0270 |
@@ -515,6 +532,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
context->handover_offset = handover_offset;
|
|
|
bf0270 |
context->params = params;
|
|
|
bf0270 |
context->cmdline = cmdline;
|
|
|
bf0270 |
+ context->nx_supported = nx_supported;
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_loader_set_ex (grub_linuxefi_boot, grub_linuxefi_unload, context, 0);
|
|
|
bf0270 |
|
|
|
bf0270 |
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
|
|
bf0270 |
index ef8fcb9e1b..c160ddb0ea 100644
|
|
|
bf0270 |
--- a/grub-core/loader/i386/linux.c
|
|
|
bf0270 |
+++ b/grub-core/loader/i386/linux.c
|
|
|
bf0270 |
@@ -831,6 +831,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
bf0270 |
grub_memset (&linux_params, 0, sizeof (linux_params));
|
|
|
bf0270 |
grub_memcpy (&linux_params.setup_sects, &lh.setup_sects, sizeof (lh) - 0x1F1);
|
|
|
bf0270 |
|
|
|
bf0270 |
+ grub_dprintf("efi", "setting attributes for %p (%zu bytes) to +rw-x\n",
|
|
|
bf0270 |
+ &linux_params, sizeof (lh) + len);
|
|
|
bf0270 |
+ grub_update_mem_attrs ((grub_addr_t)&linux_params, sizeof (lh) + len,
|
|
|
bf0270 |
+ GRUB_MEM_ATTR_R|GRUB_MEM_ATTR_W, GRUB_MEM_ATTR_X);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR;
|
|
|
bf0270 |
linux_params.kernel_alignment = (1 << align);
|
|
|
bf0270 |
linux_params.ps_mouse = linux_params.padding10 = 0;
|
|
|
bf0270 |
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
|
|
|
bf0270 |
index a635bcb0a9..8ca8c38f9a 100644
|
|
|
bf0270 |
--- a/include/grub/efi/efi.h
|
|
|
bf0270 |
+++ b/include/grub/efi/efi.h
|
|
|
bf0270 |
@@ -135,12 +135,16 @@ extern void (*EXPORT_VAR(grub_efi_net_config)) (grub_efi_handle_t hnd,
|
|
|
bf0270 |
char **device,
|
|
|
bf0270 |
char **path);
|
|
|
bf0270 |
|
|
|
bf0270 |
+extern grub_addr_t EXPORT_VAR(grub_stack_addr);
|
|
|
bf0270 |
+extern grub_size_t EXPORT_VAR(grub_stack_size);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
#if defined(__arm__) || defined(__aarch64__)
|
|
|
bf0270 |
void *EXPORT_FUNC(grub_efi_get_firmware_fdt)(void);
|
|
|
bf0270 |
grub_err_t EXPORT_FUNC(grub_efi_get_ram_base)(grub_addr_t *);
|
|
|
bf0270 |
#include <grub/cpu/linux.h>
|
|
|
bf0270 |
grub_err_t grub_armxx_efi_linux_check_image(struct linux_armxx_kernel_header *lh);
|
|
|
bf0270 |
-grub_err_t grub_armxx_efi_linux_boot_image(grub_addr_t addr, char *args);
|
|
|
bf0270 |
+grub_err_t grub_armxx_efi_linux_boot_image(grub_addr_t addr, grub_size_t size,
|
|
|
bf0270 |
+ char *args, int nx_enabled);
|
|
|
bf0270 |
#endif
|
|
|
bf0270 |
|
|
|
bf0270 |
grub_addr_t grub_efi_section_addr (const char *section);
|
|
|
bf0270 |
diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
|
|
|
bf0270 |
index 0033d9305a..8130b19590 100644
|
|
|
bf0270 |
--- a/include/grub/efi/linux.h
|
|
|
bf0270 |
+++ b/include/grub/efi/linux.h
|
|
|
bf0270 |
@@ -22,10 +22,23 @@
|
|
|
bf0270 |
#include <grub/err.h>
|
|
|
bf0270 |
#include <grub/symbol.h>
|
|
|
bf0270 |
|
|
|
bf0270 |
+#define GRUB_MOK_POLICY_NX_REQUIRED 0x1
|
|
|
bf0270 |
+
|
|
|
bf0270 |
int
|
|
|
bf0270 |
EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
grub_err_t
|
|
|
bf0270 |
-EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset,
|
|
|
bf0270 |
- void *kernel_param);
|
|
|
bf0270 |
+EXPORT_FUNC(grub_efi_linux_boot) (grub_addr_t kernel_address,
|
|
|
bf0270 |
+ grub_size_t kernel_size,
|
|
|
bf0270 |
+ grub_off_t handover_offset,
|
|
|
bf0270 |
+ void *kernel_param, int nx_enabled);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+grub_err_t
|
|
|
bf0270 |
+EXPORT_FUNC(grub_efi_check_nx_image_support) (grub_addr_t kernel_addr,
|
|
|
bf0270 |
+ grub_size_t kernel_size,
|
|
|
bf0270 |
+ int *nx_supported);
|
|
|
bf0270 |
+
|
|
|
bf0270 |
+grub_err_t
|
|
|
bf0270 |
+EXPORT_FUNC(grub_efi_check_nx_required) (int *nx_required);
|
|
|
bf0270 |
|
|
|
bf0270 |
#endif /* ! GRUB_EFI_LINUX_HEADER */
|
|
|
bf0270 |
diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
|
|
|
bf0270 |
index 2241f6317b..45c9f8b756 100644
|
|
|
bf0270 |
--- a/include/grub/efi/pe32.h
|
|
|
bf0270 |
+++ b/include/grub/efi/pe32.h
|
|
|
bf0270 |
@@ -172,6 +172,8 @@ struct grub_pe32_optional_header
|
|
|
bf0270 |
struct grub_pe32_data_directory reserved_entry;
|
|
|
bf0270 |
};
|
|
|
bf0270 |
|
|
|
bf0270 |
+#define GRUB_PE32_NX_COMPAT 0x0100
|
|
|
bf0270 |
+
|
|
|
bf0270 |
struct grub_pe64_optional_header
|
|
|
bf0270 |
{
|
|
|
bf0270 |
grub_uint16_t magic;
|