From e7b2ea02b96fe3b60aa41453ec37c2d01ea6bc4f Mon Sep 17 00:00:00 2001 From: Mario Limonciello Date: Fri, 25 Oct 2019 10:51:12 -0500 Subject: [PATCH] uefi: use `genpeimg` to mark ASLR and DP/NX on EFI binary If the tool is available at build time use it to this. --- contrib/ci/dependencies.xml | 14 ++++++++++++++ contrib/debian/lintian/fwupd | 2 +- meson.build | 1 + plugins/uefi/efi/generate_binary.sh | 24 ++++++++++++++++++++++++ plugins/uefi/efi/meson.build | 13 ++----------- 5 files changed, 42 insertions(+), 12 deletions(-) create mode 100755 plugins/uefi/efi/generate_binary.sh diff --git a/contrib/ci/dependencies.xml b/contrib/ci/dependencies.xml index 8b4297750..1a13eab15 100644 --- a/contrib/ci/dependencies.xml +++ b/contrib/ci/dependencies.xml @@ -893,6 +893,20 @@ + + + + + + + + + + + + + + pango-devel diff --git a/contrib/debian/lintian/fwupd b/contrib/debian/lintian/fwupd index 769a1296a..308555896 100644 --- a/contrib/debian/lintian/fwupd +++ b/contrib/debian/lintian/fwupd @@ -6,5 +6,5 @@ fwupd binary: systemd-service-file-missing-install-key lib/systemd/system/system fwupd: library-not-linked-against-libc usr/lib/*/fwupd-plugins-3/libfu_plugin_upower.so #EFI applications are PE executables fwupd: executable-not-elf-or-script usr/lib/fwupd/efi/*.efi -fwupd: portable-executable-missing-security-features usr/lib/fwupd/efi/*.efi ASLR DEP/NX +fwupd: portable-executable-missing-security-features usr/lib/fwupd/efi/*.efi SafeSEH fwupd: library-not-linked-against-libc usr/lib/*/fwupd-plugins-3/libfu_plugin_modem_manager.so diff --git a/meson.build b/meson.build index 2a13eabde..0eae5b6bb 100644 --- a/meson.build +++ b/meson.build 
@@ -235,6 +235,7 @@ if build_standalone and get_option('plugin_uefi') objcopy = find_program ('objcopy') readelf = find_program ('readelf') tpm2tss = dependency('tss2-esys', version : '>= 2.0') + genpeimg = find_program ('genpeimg', required: false) efi_app_location = join_paths(libexecdir, 'fwupd', 'efi') conf.set_quoted ('EFI_APP_LOCATION', efi_app_location) diff --git a/plugins/uefi/efi/generate_binary.sh b/plugins/uefi/efi/generate_binary.sh new file mode 100755 index 000000000..f4faf5860 --- /dev/null +++ b/plugins/uefi/efi/generate_binary.sh @@ -0,0 +1,24 @@ +#!/bin/sh +output=$2 +objcopy_cmd=$(which objcopy) +genpeimg_cmd=$(which genpeimg) + +$objcopy_cmd -j .text \ + -j .sdata \ + -j .data \ + -j .dynamic \ + -j .dynsym \ + -j .rel \ + -j .rela \ + -j .reloc \ + $* + +if [ -n "${genpeimg_cmd}" ]; then + $genpeimg_cmd -d \ + +d \ + -d \ + +n \ + -d \ + +s \ + $output +fi diff --git a/plugins/uefi/efi/meson.build b/plugins/uefi/efi/meson.build index 5be2ffea1..382001c61 100644 --- a/plugins/uefi/efi/meson.build +++ b/plugins/uefi/efi/meson.build @@ -135,20 +135,11 @@ so = custom_target('fwup.so', efi_ldflags + ['@INPUT@'] + ['-lefi', '-lgnuefi', libgcc_file_name]) +build_tool = join_paths(meson.source_root(), 'plugins', 'uefi', 'efi', 'generate_binary.sh') app = custom_target(efi_name, input : so, output : efi_name, - command : [objcopy, - '-j', '.text', - '-j', '.sdata', - '-j', '.data', - '-j', '.dynamic', - '-j', '.dynsym', - '-j', '.rel', - '-j', '.rela', - '-j', '.reloc'] - + efi_format + - ['@INPUT@', '@OUTPUT@'], + command : [build_tool, '@INPUT@', '@OUTPUT@', efi_format], install : true, install_dir : efi_app_location)
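Review bot: The new `generate_binary.sh` skips the `genpeimg` step silently when the tool is not on PATH, so such a build still succeeds and installs an EFI binary without the ASLR and DEP/NX marks this commit is meant to add, and nothing in the build output says so. The script also runs without `set -e`, so when `genpeimg` is absent a failing `objcopy` is followed by a false `if` test and the script exits 0. I would add `set -e`, look the tools up with `command -v` (`which` is not specified by POSIX), quote `"$output"`, and print a warning to stderr in an `else` branch. Whether a missing `genpeimg` should fail the build instead is a policy choice for the maintainers, and it also bears on the lintian override in this commit, which no longer covers `ASLR DEP/NX`.

```shell
#!/bin/sh
set -e
output=$2
objcopy_cmd=$(command -v objcopy)
genpeimg_cmd=$(command -v genpeimg || true)

# … unchanged: objcopy invocation with the -j section list …

if [ -n "${genpeimg_cmd}" ]; then
        # … unchanged: genpeimg -d +d -d +n -d +s on $output …
else
        echo "generate_binary.sh: genpeimg not found, ${output} left without ASLR and DEP/NX marks" >&2
fi
```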
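Review bot: The `custom_target` command for `app` hands the script only `'@INPUT@'`, `'@OUTPUT@'` and `efi_format`, so the `objcopy` and `genpeimg` programs located with `find_program` in the top-level `meson.build` are not what the script runs; it looks both up again with `which` at build time. That can select a different binary than the one meson reported at configure time (a cross `objcopy`, or a tool that is not on PATH), and the `genpeimg` variable appears unused in the hunks shown. Consider passing the resolved tools in, e.g. `command : [build_tool, objcopy, '@INPUT@', '@OUTPUT@', efi_format],`, appending `genpeimg` only when `genpeimg.found()`, with the script reading them from its arguments instead of searching PATH. Because `build_tool` is a plain string built from `meson.source_root()`, it is probably also not tracked as a build input; `find_program('generate_binary.sh')` would let meson treat the script as a dependency.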