On 07.08.2024 15:48, Alejandro Vallejo wrote:
> This change allows to put the trampoline in a separate, not executable
> section. The trampoline contains a mix of code and data (data which
> is modified from C code during early start so must be writable).
> This is in preparation for W^X patch in order to satisfy UEFI CA
> memory mitigation requirements.

Which, aiui, has the downside of disassembly of the section no longer
happening by default, when using objdump or similar tools, which go
from section attributes. Why is it being in .init.text (and hence RX)
not appropriate? It should - in principle at least - be possible to
avoid all in-place writing to it, but instead only ever write to its
relocated copy. Quite a bit more code churn of course. I wonder if we
shouldn't put the trampoline in its own section, RWX in the object
file, and switched to whatever appropriate in the binary (which really
may be RX, not RW).

> --- a/xen/arch/x86/boot/head.S
> +++ b/xen/arch/x86/boot/head.S
> @@ -870,6 +870,8 @@ cmdline_parse_early:
> reloc:
> .incbin "reloc.bin"
>
> + .section .init.data, "aw", @progbits
> + .align 4

Is the .align really needed here? I think ...

> ENTRY(trampoline_start)

... ENTRY() covers this properly? And actually in a better way, using
CODE_FILL (which ultimately we will want to switch from 0x90 to 0xcc,
I suppose) rather than whatever the assembler puts in by default for
data sections.

Jan

> #include "trampoline.S"
> ENTRY(trampoline_end)
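Review bot: the hunk switches to `.section .init.data, "aw", @progbits` before `ENTRY(trampoline_start)` but shows no switch back after `ENTRY(trampoline_end)`, so anything assembled later in head.S would silently land in the writable, non-executable data section; either restore the previous section after `trampoline_end` or state in the commit message that nothing follows it. The commit message should also say explicitly that the trampoline is never executed in place, only from its relocated copy, since that is what makes a non-executable section for it acceptable and is the question the reviewer raises above. On the `.align 4`: in a data section the padding is plain zero fill, so if `ENTRY()` already aligns with CODE_FILL the extra directive is redundant, and if it does not, that difference is worth a comment.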