x86/boot: Split off PE/COFF .data section

Describe the code and data of the decompressor binary using separate
.text and .data PE/COFF sections, so that we will be able to map them
using restricted permissions once we increase the section and file
alignment sufficiently. This avoids the need for memory mappings that
are writable and executable at the same time, which is something that
is best avoided for security reasons.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Link: https://lore.kernel.org/r/20230915171623.655440-17-ardb@google.com

diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
index cc04917b1ac6821e8789a78ab9cfef32d701850b..3cece19b74732f8565d670a6f133fba0eadc3fc9 100644 (file)
--- a/arch/x86/boot/Makefile
+++ b/arch/x86/boot/Makefile
@@ -89,7 +89,7 @@ $(obj)/vmlinux.bin: $(obj)/compressed/vmlinux FORCE
 
 SETUP_OBJS = $(addprefix $(obj)/,$(setup-y))
 
-sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_edata\|z_.*\)$$/\#define ZO_\2 0x\1/p'
+sed-zoffset := -e 's/^\([0-9a-fA-F]*\) [a-zA-Z] \(startup_32\|efi.._stub_entry\|efi\(32\)\?_pe_entry\|input_data\|kernel_info\|_end\|_ehead\|_text\|_e\?data\|z_.*\)$$/\#define ZO_\2 0x\1/p'
 
 quiet_cmd_zoffset = ZOFFSET $@
       cmd_zoffset = $(NM) $< | sed -n $(sed-zoffset) > $@

diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
index 9e9641e220a73a4a32c52e7fc265df83b9896ad4..a1f986105f0023ccdfa38ca625e96c4f1c9a6d58 100644 (file)
--- a/arch/x86/boot/header.S
+++ b/arch/x86/boot/header.S
@@ -75,9 +75,9 @@ optional_header:
        .byte   0x02                            # MajorLinkerVersion
        .byte   0x14                            # MinorLinkerVersion
 
-       .long   setup_size + ZO__end - 0x200    # SizeOfCode
+       .long   ZO__data                        # SizeOfCode
 
-       .long   0                               # SizeOfInitializedData
+       .long   ZO__end - ZO__data              # SizeOfInitializedData
        .long   0                               # SizeOfUninitializedData
 
        .long   setup_size + ZO_efi_pe_entry    # AddressOfEntryPoint
@@ -178,9 +178,9 @@ section_table:
        .byte   0
        .byte   0
        .byte   0
-       .long   ZO__end
+       .long   ZO__data
        .long   setup_size
-       .long   ZO__edata                       # Size of initialized data
+       .long   ZO__data                        # Size of initialized data
                                                # on disk
        .long   setup_size
        .long   0                               # PointerToRelocations
@@ -191,6 +191,17 @@ section_table:
                IMAGE_SCN_MEM_READ              | \
                IMAGE_SCN_MEM_EXECUTE           # Characteristics
 
+       .ascii  ".data\0\0\0"
+       .long   ZO__end - ZO__data              # VirtualSize
+       .long   setup_size + ZO__data           # VirtualAddress
+       .long   ZO__edata - ZO__data            # SizeOfRawData
+       .long   setup_size + ZO__data           # PointerToRawData
+
+       .long   0, 0, 0
+       .long   IMAGE_SCN_CNT_INITIALIZED_DATA  | \
+               IMAGE_SCN_MEM_READ              | \
+               IMAGE_SCN_MEM_WRITE             # Characteristics
+
        .set    section_count, (. - section_table) / 40
 #endif /* CONFIG_EFI_STUB */