Commit e7b88bc0 authored Aug 28, 2025 by Ard Biesheuvel Committed by Borislav Petkov (AMD) Sep 03, 2025

efistub/x86: Remap inittext read-execute when needed

Recent EFI x86 systems are more strict when it comes to mapping boot
images, and require that mappings are either read-write or read-execute.

Now that the boot code is being cleaned up and refactored, most of it is
being moved into .init.text [where it arguably belongs] but that implies
that when booting on such strict EFI firmware, we need to take care to
map .init.text (and the .altinstr_aux section that follows it)
read-execute as well.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Link: https://lore.kernel.org/20250828102202.1849035-44-ardb+git@google.com

parent 7b38dec3

arch/x86/boot/compressed/Makefile

+1 −1

Original line number	Diff line number	Diff line
		@@ -73,7 +73,7 @@ LDFLAGS_vmlinux += -T
		hostprogs := mkpiggy
		HOST_EXTRACFLAGS += -I$(srctree)/tools/include

		sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABbCDGRSTtVW] \(_text\\|__start_rodata\\|__bss_start\\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'
		sed-voffset := -e 's/^\([0-9a-fA-F]*\) [ABbCDGRSTtVW] \(_text\\|__start_rodata\\|_sinittext\\|__inittext_end\\|__bss_start\\|_end\)$$/\#define VO_\2 _AC(0x\1,UL)/p'

		quiet_cmd_voffset = VOFFSET $@
		cmd_voffset = $(NM) $< \| sed -n $(sed-voffset) > $@

arch/x86/boot/compressed/misc.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -332,6 +332,8 @@ static size_t parse_elf(void *output)
		}

		const unsigned long kernel_text_size = VO___start_rodata - VO__text;
		const unsigned long kernel_inittext_offset = VO__sinittext - VO__text;
		const unsigned long kernel_inittext_size = VO___inittext_end - VO__sinittext;
		const unsigned long kernel_total_size = VO__end - VO__text;

		static u8 boot_heap[BOOT_HEAP_SIZE] __aligned(4);

arch/x86/include/asm/boot.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -82,6 +82,8 @@
		#ifndef __ASSEMBLER__
		extern unsigned int output_len;
		extern const unsigned long kernel_text_size;
		extern const unsigned long kernel_inittext_offset;
		extern const unsigned long kernel_inittext_size;
		extern const unsigned long kernel_total_size;

		unsigned long decompress_kernel(unsigned char *outbuf, unsigned long virt_addr,

arch/x86/kernel/vmlinux.lds.S

+2 −0

Original line number	Diff line number	Diff line
		@@ -227,6 +227,8 @@ SECTIONS
		*/
		.altinstr_aux : AT(ADDR(.altinstr_aux) - LOAD_OFFSET) {
		*(.altinstr_aux)
		. = ALIGN(PAGE_SIZE);
		__inittext_end = .;
		}

		INIT_DATA_SECTION(16)

drivers/firmware/efi/libstub/x86-stub.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -788,7 +788,9 @@ static efi_status_t efi_decompress_kernel(unsigned long *kernel_entry,

		*kernel_entry = addr + entry;

		return efi_adjust_memory_range_protection(addr, kernel_text_size);
		return efi_adjust_memory_range_protection(addr, kernel_text_size) ?:
		efi_adjust_memory_range_protection(addr + kernel_inittext_offset,
		kernel_inittext_size);
		}

		static void __noreturn enter_kernel(unsigned long kernel_addr,