uefi: use genpeimg to mark ASLR and DP/NX on EFI binary

If the tool is available at build time use it to this.
2025-08-15 02:54:47 +00:00 · 2019-10-25 10:51:12 -05:00 · 2019-10-25 10:51:12 -05:00 · e7b2ea02b9
commit e7b2ea02b9
parent 7474976481
5 changed files with 42 additions and 12 deletions
--- a/contrib/ci/dependencies.xml
+++ b/contrib/ci/dependencies.xml
@ -893,6 +893,20 @@
      <package variant="x86_64" />
    </distro>
  </dependency>
  <dependency type="build" id="mingw-w64-tools">
    <distro id="fedora">
      <package />
    </distro>
    <distro id="debian">
      <control />
      <package variant="x86_64" />
      <package variant="i386" />
    </distro>
    <distro id="ubuntu">
      <control />
      <package variant="x86_64" />
    </distro>
  </dependency>
  <dependency type="build" id="gir1.2-pango-1.0">
    <distro id="centos">
      <package>pango-devel</package>
--- a/contrib/debian/lintian/fwupd
+++ b/contrib/debian/lintian/fwupd
@ -6,5 +6,5 @@ fwupd binary: systemd-service-file-missing-install-key lib/systemd/system/system
 fwupd: library-not-linked-against-libc usr/lib/*/fwupd-plugins-3/libfu_plugin_upower.so
 #EFI applications are PE executables
 fwupd: executable-not-elf-or-script usr/lib/fwupd/efi/*.efi
-fwupd: portable-executable-missing-security-features usr/lib/fwupd/efi/*.efi ASLR DEP/NX
+fwupd: portable-executable-missing-security-features usr/lib/fwupd/efi/*.efi SafeSEH
 fwupd: library-not-linked-against-libc usr/lib/*/fwupd-plugins-3/libfu_plugin_modem_manager.so
--- a/meson.build
+++ b/meson.build
@ -235,6 +235,7 @@ if build_standalone and get_option('plugin_uefi')
  objcopy = find_program ('objcopy')
  readelf = find_program ('readelf')
  tpm2tss = dependency('tss2-esys', version : '>= 2.0')
  genpeimg = find_program ('genpeimg', required: false)
  efi_app_location = join_paths(libexecdir, 'fwupd', 'efi')
  conf.set_quoted ('EFI_APP_LOCATION', efi_app_location)
--- a/plugins/uefi/efi/generate_binary.sh
+++ b/plugins/uefi/efi/generate_binary.sh
@ -0,0 +1,24 @@
 #!/bin/sh
 output=$2
 objcopy_cmd=$(which objcopy)
 genpeimg_cmd=$(which genpeimg)
 $objcopy_cmd  -j .text \
              -j .sdata \
              -j .data \
              -j .dynamic \
              -j .dynsym \
              -j .rel \
              -j .rela \
              -j .reloc \
              $*
 if [ -n "${genpeimg_cmd}" ]; then
        $genpeimg_cmd -d \
                      +d \
                      -d \
                      +n \
                      -d \
                      +s \
                      $output
 fi
--- a/plugins/uefi/efi/meson.build
+++ b/plugins/uefi/efi/meson.build
@ -135,20 +135,11 @@ so = custom_target('fwup.so',
                             efi_ldflags + ['@INPUT@'] +
                             ['-lefi', '-lgnuefi', libgcc_file_name])
 build_tool = join_paths(meson.source_root(), 'plugins', 'uefi', 'efi', 'generate_binary.sh')
 app = custom_target(efi_name,
                    input : so,
                    output : efi_name,
-                    command : [objcopy,
+                    command : [build_tool, '@INPUT@', '@OUTPUT@', efi_format],
                               '-j', '.text',
                               '-j', '.sdata',
                               '-j', '.data',
                               '-j', '.dynamic',
                               '-j', '.dynsym',
                               '-j', '.rel',
                               '-j', '.rela',
                               '-j', '.reloc']
                               + efi_format +
                               ['@INPUT@', '@OUTPUT@'],
                    install : true,
                    install_dir : efi_app_location)