mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-11-04 02:26:53 +00:00
80 lines
2.7 KiB
Diff
80 lines
2.7 KiB
Diff
commit 7c7642530fab73facaf3eac233cfbce29e10b0ef
|
|
Author: Peter Jones <pjones@redhat.com>
|
|
Date: Thu Nov 17 12:31:31 2022 -0500
|
|
|
|
Enable the NX compatibility flag by default.
|
|
|
|
Currently by default, when we build shim we do not set the PE
|
|
NX-compatibility DLL Characteristic flag. This signifies to the
|
|
firmware that shim (including the components it loads) is not prepared
|
|
for several related firmware changes:
|
|
|
|
- non-executable stack
|
|
- non-executable pages from AllocatePages()/AllocatePool()/etc.
|
|
- non-writable 0 page (not strictly related but some firmware will be
|
|
transitioning at the same time)
|
|
- the need to use the UEFI 2.10 Memory Attribute Protocol to set page
|
|
permissions.
|
|
|
|
This patch changes that default to be enabled by default. Distributors
|
|
of shim will need to ensure that either their builds disable this bit
|
|
(using "post-process-pe -N"), or that the bootloaders and kernels you
|
|
support loading are all compliant with this change. A new make
|
|
variable, POST_PROCESS_PE_FLAGS, has been added to simplify doing so.
|
|
|
|
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
|
diff --git a/BUILDING b/BUILDING
|
|
index 3b2e85d3..17cd98d3 100644
|
|
--- a/BUILDING
|
|
+++ b/BUILDING
|
|
@@ -78,6 +78,9 @@ Variables you could set to customize the build:
|
|
- OSLABEL
|
|
This is the label that will be put in BOOT$(EFI_ARCH).CSV for your OS.
|
|
By default this is the same value as EFIDIR .
|
|
+- POST_PROCESS_PE_FLAGS
|
|
+ This allows you to add flags to the invocation of "post-process-pe", for
|
|
+ example to disable the NX compatibility flag.
|
|
|
|
Vendor SBAT data:
|
|
It will sometimes be requested by reviewers that a build includes extra
|
|
diff --git a/Make.defaults b/Make.defaults
|
|
index c46164a3..9af89f4e 100644
|
|
--- a/Make.defaults
|
|
+++ b/Make.defaults
|
|
@@ -139,6 +139,8 @@ CFLAGS = $(FEATUREFLAGS) \
|
|
$(INCLUDES) \
|
|
$(DEFINES)
|
|
|
|
+POST_PROCESS_PE_FLAGS =
|
|
+
|
|
ifneq ($(origin OVERRIDE_SECURITY_POLICY), undefined)
|
|
DEFINES += -DOVERRIDE_SECURITY_POLICY
|
|
endif
|
|
diff --git a/Makefile b/Makefile
|
|
index a9202f46..f0f53f8f 100644
|
|
--- a/Makefile
|
|
+++ b/Makefile
|
|
@@ -255,7 +255,7 @@ endif
|
|
-j .rela* -j .dyn -j .reloc -j .eh_frame \
|
|
-j .vendor_cert -j .sbat -j .sbatlevel \
|
|
$(FORMAT) $< $@
|
|
- ./post-process-pe -vv $@
|
|
+ ./post-process-pe -vv $(POST_PROCESS_PE_FLAGS) $@
|
|
|
|
ifneq ($(origin ENABLE_SHIM_HASH),undefined)
|
|
%.hash : %.efi
|
|
diff --git a/post-process-pe.c b/post-process-pe.c
|
|
index de8f4a38..f39fdddf 100644
|
|
--- a/post-process-pe.c
|
|
+++ b/post-process-pe.c
|
|
@@ -42,7 +42,7 @@ static int verbosity;
|
|
0; \
|
|
})
|
|
|
|
-static bool set_nx_compat = false;
|
|
+static bool set_nx_compat = true;
|
|
|
|
typedef uint8_t UINT8;
|
|
typedef uint16_t UINT16;
|