diff --git a/shim-Enable-the-NX-compatibility-flag-by-default.patch b/shim-Enable-the-NX-compatibility-flag-by-default.patch
new file mode 100644
index 0000000..85061ec
--- /dev/null
+++ b/shim-Enable-the-NX-compatibility-flag-by-default.patch
@@ -0,0 +1,84 @@
+From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 17 Nov 2022 12:31:31 -0500
+Subject: [PATCH] Enable the NX compatibility flag by default.
+
+Currently by default, when we build shim we do not set the PE
+NX-compatibility DLL Characteristic flag. This signifies to the
+firmware that shim (including the components it loads) is not prepared
+for several related firmware changes:
+
+- non-executable stack
+- non-executable pages from AllocatePages()/AllocatePool()/etc.
+- non-writable 0 page (not strictly related but some firmware will be
+ transitioning at the same time)
+- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
+ permissions.
+
+This patch changes that default to be enabled by default. Distributors
+of shim will need to ensure that either their builds disable this bit
+(using "post-process-pe -N"), or that the bootloaders and kernels you
+support loading are all compliant with this change. A new make
+variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
+
+Signed-off-by: Peter Jones
+---
+ BUILDING | 3 +++
+ Make.defaults | 2 ++
+ Makefile | 2 +-
+ post-process-pe.c | 2 +-
+ 4 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/BUILDING b/BUILDING
+index 3b2e85d3..17cd98d3 100644
+--- a/BUILDING
++++ b/BUILDING
+@@ -78,6 +78,9 @@ Variables you could set to customize the build:
+ - OSLABEL
+ This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
+ By default this is the same value as EFIDIR .
++- POST_PROCESS_PE_FLAGS
++ This allows you to add flags to the invocation of "post-process-pe", for
++ example to disable the NX compatibility flag.
+
+ Vendor SBAT data:
+ It will sometimes be requested by reviewers that a build includes extra
+diff --git a/Make.defaults b/Make.defaults
+index c46164a3..9af89f4e 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
+ $(INCLUDES) \
+ $(DEFINES)
+
++POST_PROCESS_PE_FLAGS =
++
+ ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+ DEFINES += -DOVERRIDE_SECURITY_POLICY
+ endif
+diff --git a/Makefile b/Makefile
+index a9202f46..f0f53f8f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -255,7 +255,7 @@ endif
+ -j .rela* -j .dyn -j .reloc -j .eh_frame \
+ -j .vendor_cert -j .sbat -j .sbatlevel \
+ $(FORMAT) $< $@
+- ./post-process-pe -vv $@
++ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
+
+ ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+ %.hash : %.efi
+diff --git a/post-process-pe.c b/post-process-pe.c
+index de8f4a38..f39fdddf 100644
+--- a/post-process-pe.c
++++ b/post-process-pe.c
+@@ -42,7 +42,7 @@ static int verbosity;
+ 0; \
+ })
+
+-static bool set_nx_compat = false;
++static bool set_nx_compat = true;
+
+ typedef uint8_t UINT8;
+ typedef uint16_t UINT16;
diff --git a/shim.changes b/shim.changes
index a342299..469bdf0 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Nov 18 04:52:49 UTC 2022 - Joey Lee
+
+- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
+ enable the NX compatibility flag by default. (jsc#PED-127)
+
 -------------------------------------------------------------------
 Fri Nov 18 03:17:46 UTC 2022 - Joey Lee
 
diff --git a/shim.spec b/shim.spec
index 2bc374c..d7472ee 100644
--- a/shim.spec
+++ b/shim.spec
@@ -75,6 +75,8 @@ Patch3: shim-bsc1177315-verify-eku-codesign.patch
 Patch4: remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
 Patch5: shim-disable-export-vendor-dbx.patch
+# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
+Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
 # PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
 Patch100: shim-bsc1198101-opensuse-cert-prompt.patch
 BuildRequires: dos2unix
@@ -121,6 +123,7 @@ The source code of UEFI shim loader
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
 %if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
 %patch100 -p1
 %endif
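Review bot: The Patch6 line (and the matching `%patch6 -p1`) pulls in the upstream flip to `static bool set_nx_compat = true;`, so the shim built from this spec will carry the NX-compatibility DLL characteristic, which the patch's own description says is a promise about every bootloader and kernel shim goes on to load, yet neither spec hunk records that this distribution's second-stage loaders and kernels have been checked against non-executable stack and non-executable AllocatePages()/AllocatePool() memory, and no `POST_PROCESS_PE_FLAGS` is visible here (the %build section is outside these hunks, so it may be passed there). Until that check is on record, the conservative packaging choice is to keep the previous behaviour with `POST_PROCESS_PE_FLAGS=-N` on the make invocation and to say so next to the patch, e.g. `# Patch6 sets the PE NX-compatibility flag; all images this shim loads must tolerate non-executable allocations (see upstream BUILDING)`. The failure mode is not a build error but a boot failure on firmware that enforces NX against an unprepared loader, so it belongs in the changelog and the spec comment rather than only in the patch header. Minor: the patch changes a default rather than fixing a defect, so the tag `PATCH-FEATURE-UPSTREAM` describes it more accurately than `PATCH-FIX-UPSTREAM`.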