diff mbox series

[v5,07/27] x86/build: Check W^X of vmlinux during build

Message ID	79fbb728535596eea7b429fc3ed39adc3c775c8a.1678785672.git.baskov@ispras.ru
State	New
Headers	show Return-Path: <linux-efi-owner@vger.kernel.org> From: Evgeniy Baskov <baskov@ispras.ru> To: Ard Biesheuvel <ardb@kernel.org> Cc: Evgeniy Baskov <baskov@ispras.ru>, Borislav Petkov <bp@alien8.de>, Andy Lutomirski <luto@kernel.org>, Dave Hansen <dave.hansen@linux.intel.com>, Ingo Molnar <mingo@redhat.com>, Peter Zijlstra <peterz@infradead.org>, Thomas Gleixner <tglx@linutronix.de>, Alexey Khoroshilov <khoroshilov@ispras.ru>, Peter Jones <pjones@redhat.com>, Gerd Hoffmann <kraxel@redhat.com>, "Limonciello, Mario" <mario.limonciello@amd.com>, joeyli <jlee@suse.com>, lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v5 07/27] x86/build: Check W^X of vmlinux during build Date: Tue, 14 Mar 2023 13:13:34 +0300 Message-Id: <79fbb728535596eea7b429fc3ed39adc3c775c8a.1678785672.git.baskov@ispras.ru> In-Reply-To: <cover.1678785672.git.baskov@ispras.ru> References: <cover.1678785672.git.baskov@ispras.ru> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	x86_64: Improvements at compressed kernel stage \| expand [v5,00/27] x86_64: Improvements at compressed kernel stage [v5,01/27] x86/boot: Align vmlinuz sections on page size [v5,02/27] x86/build: Remove RWX sections and align on 4KB [v5,03/27] x86/boot: Set cr0 to known state in trampoline [v5,04/27] x86/boot: Increase boot page table size [v5,05/27] x86/boot: Support 4KB pages for identity mapping [v5,06/27] x86/boot: Setup memory protection for bzImage code [v5,07/27] x86/build: Check W^X of vmlinux during build [v5,08/27] x86/boot: Map memory explicitly [v5,09/27] x86/boot: Remove mapping from page fault handler [v5,10/27] efi/libstub: Move helper function to related file [v5,11/27] x86/boot: Make console interface more abstract [v5,12/27] x86/boot: Make kernel_add_identity_map() a pointer [v5,13/27] x86/boot: Split trampoline and pt init code [v5,14/27] x86/boot: Add EFI kernel extraction interface [v5,15/27] efi/x86: Support extracting kernel from libstub [v5,16/27] x86/boot: Reduce lower limit of physical KASLR [v5,17/27] x86: decompressor: Remove the 'bugger off' message [v5,18/27] tools/include: Add simplified version of pe.h [v5,19/27] x86/build: Cleanup tools/build.c [v5,20/27] efi: x86: Use private copy of struct setup_header [v5,21/27] x86/build: Add SETUP_HEADER_OFFSET constant [v5,22/27] x86/build: set type_of_loader for EFISTUB [v5,23/27] efi/libstub: Don't set ramdisk_image/ramdisk_size [v5,24/27] x86/build: Make generated PE more spec compliant [v5,25/27] efi/libstub: Use memory attribute protocol [v5,26/27] efi/libstub: make memory protection warnings include newlines. [v5,27/27] efi/x86: don't try to set page attributes on 0-sized regions.

Commit Message

Evgeniy Baskov March 14, 2023, 10:13 a.m. UTC

Check if there are simultaneously writable and executable
program segments in vmlinux ELF image and fail build if there are any.

This would prevent accidental introduction of RWX segments.

Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Evgeniy Baskov <baskov@ispras.ru>
---
 arch/x86/boot/compressed/Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff mbox series

Patch

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index 6b6cfe607bdb..0c6e25279ec1 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -112,12 +112,17 @@  vmlinux-objs-$(CONFIG_EFI) += $(obj)/efi.o
 vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_mixed.o
 vmlinux-objs-$(CONFIG_EFI_STUB) += $(objtree)/drivers/firmware/efi/libstub/lib.a
 
+quiet_cmd_objcopy_and_wx_check = $(quiet_cmd_objcopy)
+cmd_objcopy_and_wx_check = if $(OBJDUMP) -p $< | grep "flags .wx" > /dev/null; then \
+				   (echo >&2 "$<: Simultaneously writable and executable sections are prohibited"; \
+				    /bin/false); else $(cmd_objcopy); fi
+
 $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
 	$(call if_changed,ld)
 
 OBJCOPYFLAGS_vmlinux.bin :=  -R .comment -S
 $(obj)/vmlinux.bin: vmlinux FORCE
-	$(call if_changed,objcopy)
+	$(call if_changed,objcopy_and_wx_check)
 
 targets += $(patsubst $(obj)/%,%,$(vmlinux-objs-y)) vmlinux.bin.all vmlinux.relocs