Accepting request 1037005 from home:joeyli:branches:devel:openSUSE:Factory
Add shim-Enable-the-NX-compatibility-flag-by-default.patch to enable the NX compatibility flag by default. (jsc#PED-127) OBS-URL: https://build.opensuse.org/request/show/1037005 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=197
This commit is contained in:
parent
958db7043d
commit
ccd71ae517
84
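--- a/shim-Enable-the-NX-compatibility-flag-by-default.patch
+++ b/shim-Enable-the-NX-compatibility-flag-by-default.patch
@@ -0,0 +1,84 @@
+From a53b9f7ceec1dfa1487f4d675573449c5b2a16fb Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 17 Nov 2022 12:31:31 -0500
+Subject: [PATCH] Enable the NX compatibility flag by default.
+
+Currently by default, when we build shim we do not set the PE
+NX-compatibility DLL Characteristic flag. This signifies to the
+firmware that shim (including the components it loads) is not prepared
+for several related firmware changes:
+
+- non-executable stack
+- non-executable pages from AllocatePages()/AllocatePool()/etc.
+- non-writable 0 page (not strictly related but some firmware will be
+transitioning at the same time)
+- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
+permissions.
+
+This patch changes that default to be enabled by default. Distributors
+of shim will need to ensure that either their builds disable this bit
+(using "post-process-pe -N"), or that the bootloaders and kernels you
+support loading are all compliant with this change. A new make
+variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+BUILDING | 3 +++
+Make.defaults | 2 ++
+Makefile | 2 +-
+post-process-pe.c | 2 +-
+4 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/BUILDING b/BUILDING
+index 3b2e85d3..17cd98d3 100644
+--- a/BUILDING
++++ b/BUILDING
+@@ -78,6 +78,9 @@ Variables you could set to customize the build:
+- OSLABEL
+This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
+By default this is the same value as EFIDIR .
++- POST_PROCESS_PE_FLAGS
++ This allows you to add flags to the invocation of "post-process-pe", for
++ example to disable the NX compatibility flag.
+
+Vendor SBAT data:
+It will sometimes be requested by reviewers that a build includes extra
+diff --git a/Make.defaults b/Make.defaults
+index c46164a3..9af89f4e 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
+$(INCLUDES) \
+$(DEFINES)
+
++POST_PROCESS_PE_FLAGS =
++
+ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
+DEFINES += -DOVERRIDE_SECURITY_POLICY
+endif
+diff --git a/Makefile b/Makefile
+index a9202f46..f0f53f8f 100644
+--- a/Makefile
++++ b/Makefile
+@@ -255,7 +255,7 @@ endif
+-j .rela* -j .dyn -j .reloc -j .eh_frame \
+-j .vendor_cert -j .sbat -j .sbatlevel \
+$(FORMAT) $< $@
+- ./post-process-pe -vv $@
++ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
+
+ifneq ($(origin ENABLE_SHIM_HASH),undefined)
+%.hash : %.efi
+diff --git a/post-process-pe.c b/post-process-pe.c
+index de8f4a38..f39fdddf 100644
+--- a/post-process-pe.c
++++ b/post-process-pe.c
+@@ -42,7 +42,7 @@ static int verbosity;
+0; \
+})
+
+-static bool set_nx_compat = false;
++static bool set_nx_compat = true;
+
+typedef uint8_t UINT8;
+typedef uint16_t UINT16;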
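Review bot: The BUILDING hunk tells packagers that POST_PROCESS_PE_FLAGS can be used "to disable the NX compatibility flag" but never names the option, while the commit message above spells it out as `post-process-pe -N`; the second added line could read `+  example "POST_PROCESS_PE_FLAGS=-N" to clear the NX compatibility flag.` so nobody has to read post-process-pe.c to find it. This matters because the post-process-pe.c hunk flips `set_nx_compat` to true, so every shim built without that override now tells the firmware that shim and everything it chain-loads can run with a non-executable stack and non-executable pool pages; a bootloader or kernel behind it that is not prepared for that may then fail to boot on firmware that enforces it. The option parsing that consumes -N is outside this hunk, so whether `-N` is still the exact spelling cannot be confirmed from the diff alone.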
@ -1,3 +1,9 @@
-------------------------------------------------------------------
Fri Nov 18 04:52:49 UTC 2022 - Joey Lee <jlee@suse.com>
- Add shim-Enable-the-NX-compatibility-flag-by-default.patch to
enable the NX compatibility flag by default. (jsc#PED-127)
-------------------------------------------------------------------
Fri Nov 18 03:17:46 UTC 2022 - Joey Lee <jlee@suse.com>
@ -75,6 +75,8 @@ Patch3: shim-bsc1177315-verify-eku-codesign.patch
Patch4: remove_build_id.patch
# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
Patch5: shim-disable-export-vendor-dbx.patch
# PATCH-FIX-UPSTREAM shim-Enable-the-NX-compatibility-flag-by-default.patch jlee@suse.com -- Enable the NX compatibility flag by default
Patch6: shim-Enable-the-NX-compatibility-flag-by-default.patch
# PATCH-FIX-OPENSUSE shim-bsc1198101-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-bsc1198101-opensuse-cert-prompt.patch
BuildRequires: dos2unix
@ -121,6 +123,7 @@ The source code of UEFI shim loader
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
%patch100 -p1
%endif
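Review bot: Patch6 is applied here with no `POST_PROCESS_PE_FLAGS=-N` override visible in the spec, so the packaged shim.efi will carry the NX-compatibility flag and thereby assert, on behalf of the grub2 and kernel images it loads, that they tolerate non-executable stack and pool pages; the patch's own description says a distributor must either pass `-N` or verify that those loaders are compliant. The %build section is not in this view, so the override may already be set on the make invocation there, but the decision belongs next to the patch declaration, e.g. `# Patch6 sets NX_COMPAT in shim.efi by default; grub2/kernel NX readiness tracked in jsc#PED-127, pass POST_PROCESS_PE_FLAGS=-N to make until confirmed`. If the flag is intended unconditionally, the comment should say that instead so the next reviewer does not have to re-derive it.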