Re: [XEN PATCH v3] sbat: Add SBAT section to the Xen EFI binary
On Thu, May 8, 2025 at 9:52 AM Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: > > On 07/05/2025 2:54 pm, Gerald Elder-Vass wrote: > > diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile > > index 24dfecfad184..75aa35870a9a 100644 > > --- a/xen/arch/x86/efi/Makefile > > +++ b/xen/arch/x86/efi/Makefile 
> > @@ -6,11 +6,17 @@ cmd_objcopy_o_ihex = $(OBJCOPY) -I ihex -O binary $< $@ > > $(obj)/%.o: $(src)/%.ihex FORCE > > $(call if_changed,objcopy_o_ihex) > > > > +$(obj)/sbat.o: OBJCOPYFLAGS := -I binary -O elf64-x86-64 --rename-section > > .data=.sbat,readonly,data,contents > > +$(obj)/sbat.o: $(src)/sbat.sbat FORCE > > + $(call if_changed,objcopy) > > + > > Doing a build locally with this, I've found two issues. One is: > > > ld: warning: arch/x86/efi/sbat.o: missing .note.GNU-stack section implies > > executable stack > > ld: NOTE: This behaviour is deprecated and will be removed in a future > > version of the linker > > ld: warning: arch/x86/efi/built_in.o: requires executable stack (because > > the .note.GNU-stack section is executable) > > ld: warning: arch/x86/built_in.o: requires executable stack (because the > > .note.GNU-stack section is executable) > > ld: warning: prelink.o: requires executable stack (because the > > .note.GNU-stack section is executable) > > ld: warning: prelink.o: requires executable stack (because the > > .note.GNU-stack section is executable) > > ld: warning: prelink.o: requires executable stack (because the > > .note.GNU-stack section is executable) > > which isn't a terribly good look on a "higher security" feature. The > easiest way to fix this is: > > $(obj)/sbat.o: OBJCOPYFLAGS := -I binary -O elf64-x86-64 \ > --rename-section .data=.sbat,readonly,data,contents \ > --add-section .note.GNU-stack=/dev/null > > to add the required section. > > > > > $(obj)/boot.init.o: $(obj)/buildid.o > > > > $(call cc-option-add,cflags-stack-boundary,CC,-mpreferred-stack-boundary=4) > > $(addprefix $(obj)/,$(EFIOBJ-y)): CFLAGS_stack_boundary := > > $(cflags-stack-boundary) > > > > +EFIOBJ-y += sbat.o > > Also, > > > ld: warning: orphan section `.sbat' from `prelink.o' being placed in > > section `.sbat' > > This is because sbat.o is getting linked into the non-EFI build of Xen too. > > I'm less sure how to go about fixing this. 
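Review bot: the new `$(obj)/sbat.o` rule turns a raw blob into an object with `-I binary`, so the object has no `.note.GNU-stack` section, and `EFIOBJ-y += sbat.o` then feeds that object into the ELF link as well as the EFI one; those two facts are exactly what the executable-stack and orphan-section warnings quoted in the review come from. For the stack note, extend the `OBJCOPYFLAGS` line with `--add-section .note.GNU-stack=/dev/null` so the object carries an empty, non-executable stack note and ld stops treating it as requiring an executable stack. For the orphan, either keep `sbat.o` out of the non-EFI link or discard `.sbat` in the ELF linker script, where the existing `DISCARD_EFI_SECTIONS` list in xen/include/xen/xen.lds.h already collects EFI-only sections; whichever is chosen, the commit message should say that `.sbat` is only meaningful in the PE image and is intentionally absent from the ELF one.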
> There's no nice way I can see of getting sbat.o only in the EFI build. The other option is to discard it for the ELF build.

I don't see the point of having this section in the ELF file; it's used only in the PE by secure boot. It should not be hard to add it to the discard list. Specifically, in the xen/include/xen/xen.lds.h file look at the DISCARD_SECTIONS and DISCARD_EFI_SECTIONS definitions (I think just add .sbat to the DISCARD_EFI_SECTIONS list if EFI is not defined).

Frediano
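To see both build problems from this thread and both proposed fixes concretely, here is an added shell example, not code from the thread or from the Xen tree. It builds an `sbat.o` with the objcopy flags from the v3 patch, builds it again with the `--add-section .note.GNU-stack=/dev/null` fix Andrew suggested, checks the resulting sections with readelf, and then runs a partial link through a small linker script that discards `.sbat` the way an entry in `DISCARD_EFI_SECTIONS` would for the ELF build. It assumes GNU binutils (objcopy, readelf, ld) and cmp on PATH; the sbat.sbat payload is a constructed sample (two SBAT CSV records with illustrative generation numbers), not Xen's real SBAT data, and the file names and helper function names are this example's own.

```shell
#!/bin/sh
# Added example, not Xen build code: reproduce the two review findings
# (missing .note.GNU-stack, .sbat leaking into the ELF link) and verify
# the fixes with GNU binutils. Assumes objcopy, readelf, ld, cmp on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample SBAT payload: CSV, one record per line, fields are
# component,generation,vendor,package,version,url. Numbers are illustrative.
printf '%s\n' \
    'sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md' \
    'example,1,Example Project,example,1,https://example.invalid' \
    > "$WORK/sbat.sbat"

# The objcopy invocation with the flags exactly as in the v3 patch.
build_sbat_v3() {
    objcopy -I binary -O elf64-x86-64 \
        --rename-section .data=.sbat,readonly,data,contents \
        "$WORK/sbat.sbat" "$1"
}

# Same, plus an empty .note.GNU-stack so ld does not infer an executable stack.
build_sbat_fixed() {
    objcopy -I binary -O elf64-x86-64 \
        --rename-section .data=.sbat,readonly,data,contents \
        --add-section .note.GNU-stack=/dev/null \
        "$WORK/sbat.sbat" "$1"
}

# Returns 0 if the object has a .note.GNU-stack section without the X
# (SHF_EXECINSTR) flag, 1 if the note is missing or marked executable.
has_nonexec_stack_note() {
    line=$(readelf -SW "$1" | grep -F '.note.GNU-stack' || true)
    [ -n "$line" ] || return 1
    case "$line" in *X*) return 1 ;; esac
    return 0
}

# Returns 0 if the object has a .sbat section whose bytes equal the input blob.
sbat_section_matches() {
    readelf -SW "$1" | grep -q '[.]sbat' || return 1
    # --dump-section writes the raw section bytes regardless of its flags.
    objcopy --dump-section .sbat="$WORK/sbat.dump" "$1" "$WORK/scratch.o"
    cmp -s "$WORK/sbat.sbat" "$WORK/sbat.dump"
}

# Stand-in for a DISCARD_EFI_SECTIONS entry in the ELF linker script: a
# partial link that discards .sbat. Returns 0 if no .sbat section survives.
elf_link_discards_sbat() {
    cat > "$WORK/discard.lds" <<'EOF'
SECTIONS
{
  /DISCARD/ : { *(.sbat) }
}
EOF
    ld -r -T "$WORK/discard.lds" -o "$WORK/elf-partial.o" "$1"
    ! readelf -SW "$WORK/elf-partial.o" | grep -q '[.]sbat'
}

build_sbat_v3    "$WORK/sbat-v3.o"
build_sbat_fixed "$WORK/sbat-fixed.o"

# The v3 object really lacks the stack note; the fixed one has it.
if has_nonexec_stack_note "$WORK/sbat-v3.o"; then
    echo "unexpected: v3 object already carries .note.GNU-stack" >&2
    exit 1
fi
has_nonexec_stack_note "$WORK/sbat-fixed.o"
sbat_section_matches   "$WORK/sbat-fixed.o"
elf_link_discards_sbat "$WORK/sbat-fixed.o"
echo "sbat.o: .sbat intact, stack note present and non-executable, .sbat dropped from the ELF-style link"
```

Run it with `sh`. The v3 object is deliberately built and checked first so the missing-note condition behind ld's "implies executable stack" warning is visible rather than assumed; in the real tree the `/DISCARD/` rule belongs in xen.lds.h under the non-EFI branch rather than in a separate script, and the PE link must keep `.sbat`, since that is the copy shim reads.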