On Fri, Oct 04, 2024 at 03:41:28PM +0100, Mate Kukri wrote:
> For NX, we need to set write and executable permissions on the sections
> of GRUB modules when we load them.
>
> All allocatable sections are marked readable. In addition,
> - SHF_WRITE sections are marked as writable,
> - and SHF_EXECINSTR sections are marked as executable.
>
> Where relevant for the platform, the tramp and GOT areas are marked
> non-writable.
>
> Signed-off-by: Peter Jones <pjo...@redhat.com>
> Signed-off-by: Robbie Harwood <rharw...@redhat.com>
> Signed-off-by: Laszlo Ersek <ler...@redhat.com>
> Signed-off-by: Jan Setje-Eilers <jan.setjeeil...@oracle.com>
> Signed-off-by: Mate Kukri <mate.ku...@canonical.com>

Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>

... but...

> ---
>  grub-core/kern/dl.c | 89 ++++++++++++++++++++++++++++++++++++++++++++-
>  1 file changed, 88 insertions(+), 1 deletion(-)
>
> diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
> index 5dc15f070..840714e27 100644
> --- a/grub-core/kern/dl.c
> +++ b/grub-core/kern/dl.c
> @@ -627,6 +627,92 @@ grub_dl_relocate_symbols (grub_dl_t mod, void *ehdr)
>    return GRUB_ERR_NONE;
>  }
>
> +/* Only define this on EFI to save space in core */
> +#ifdef GRUB_MACHINE_EFI
> +static grub_err_t
> +grub_dl_set_mem_attrs (grub_dl_t mod, void *ehdr)
> +{
> +  unsigned i;
> +  const Elf_Shdr *s;
> +  const Elf_Ehdr *e = ehdr;
> +  grub_err_t err;
> +#if !defined (__i386__) && !defined (__x86_64__) && !defined(__riscv) && \
> +  !defined (__loongarch__)
> +  grub_size_t arch_addralign = GRUB_DL_ALIGN;
> +  grub_addr_t tgaddr;
> +  grub_size_t tgsz;
> +#endif
> +
> +  for (i = 0, s = (const Elf_Shdr *) ((const char *) e + e->e_shoff);
> +       i < e->e_shnum;
> +       i++, s = (const Elf_Shdr *) ((const char *) s + e->e_shentsize))
> +    {
> +      grub_dl_segment_t seg;
> +      grub_uint64_t set_attrs = GRUB_MEM_ATTR_R;
> +      grub_uint64_t clear_attrs = GRUB_MEM_ATTR_W | GRUB_MEM_ATTR_X;
> +
> +      for (seg = mod->segment; seg; seg = seg->next)
> +     if (seg->section == s->sh_info)
> +       break;

This...

> +
> +      if (!seg)
> +     continue;
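Review bot: the segment lookup `if (seg->section == s->sh_info)` keys on the section header's sh_info field rather than on the section's index; the outer loop variable `i` already is that index, and sh_info carries type-specific data (for instance the target section of an SHT_REL/SHT_RELA section) and is 0 for ordinary allocatable sections, so the comparison is unlikely to find the segment that belongs to section `s`. Suggest `if (seg->section == i)`. The `if (!seg) continue;` path is the expected case for sections that never got a segment (non-allocatable ones), and a one-line comment stating that would make both the lookup and the skip self-explanatory.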

... and this condition beg for comments. May I ask you to add them?

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel