On Tue, Apr 01, 2025 at 03:13:52PM +0200, Jan Beulich wrote:
> On 01.04.2025 15:08, Roger Pau Monne wrote:
> > Hello,
> >
> > The following series aims to remove the presence of any write and execute
> > section in the PE Xen image. This is required to support the NX
> > compatible flag in the PE header. By the end of the series the
> > resulting PE image has no relocations that apply to text sections, as
> > text sections are strictly mapped read-execute only. Xen itself
> > attempting to apply relocations to text would result in page-faults.
> >
> > A smoke test is added to Gitlab to ensure the PE NX support doesn't
> > regress.
> >
> > Only patches 5 and 10 are carried over from v1, the rest are new.
> >
> > Thanks, Roger.
> >
> > Roger Pau Monne (11):
> >   automation/dockers: add to README how to rebuild all containers
> >   x86/mkreloc: fix obtaining PE image base address
> >   x86/mkreloc: use the string table to get names
> >   x86/mkreloc: print the linear address of relocations to read-only sections
> >   xen: remove -N from the linker command line
> >   x86/efi: discard .text.header for PE binary
> >   x86/efi: discard multiboot related entry code for PE binary
> >   x86/boot: place trampoline code in a non-execute section
> >   x86/efi: avoid a relocation in efi_arch_post_exit_boot()
> >   x86/efi: do not merge all .init sections
> >   automation/x86: add a xen.efi test with a strict NX OVMF build
> >
> >  automation/build/README.md                   |  7 ++
> >  automation/build/fedora/41-x86_64.dockerfile |  5 ++
> >  automation/gitlab-ci/test.yaml               |  9 +++
> >  automation/scripts/qemu-smoke-x86-64-efi.sh  | 22 +++++-
> >  xen/arch/arm/Makefile                        |  6 +-
> >  xen/arch/ppc/Makefile                        |  6 +-
> >  xen/arch/riscv/Makefile                      |  6 +-
> >  xen/arch/x86/Makefile                        | 12 +--
> >  xen/arch/x86/boot/head.S                     |  3 +-
> >  xen/arch/x86/efi/efi-boot.h                  |  7 +-
> >  xen/arch/x86/efi/mkreloc.c                   | 77 +++++++++++++++++---
> >  xen/arch/x86/xen.lds.S                       | 20 +++--
> >  12 files changed, 138 insertions(+), 42 deletions(-)
>
> From titles and diffstat (all Makefile changes being covered by patch 05)
> it looks like you still don't add passing --nxcompat to the linker. Is
> that intentionally left out here?

Hm, and I see I also failed to add (the already RB patch) "xen/build: warn
about RWX load segments".

nxcompat should be enabled by default I think? I can of course make it
explicit by adding to the PE link command line.

Thanks, Roger.
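As an added illustration, not code from this series or from the Xen tree: a small Python checker that reads a PE image's DllCharacteristics NX_COMPAT bit (the flag --nxcompat sets) and lists every section whose characteristics carry both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, the condition the series sets out to eliminate. The flag values are the ones from the PE/COFF specification; build_sample_pe is a helper of mine that emits a constructed header-only image so the checker can be exercised without a real xen.efi.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def audit_pe_nx(image: bytes) -> dict:
    """Report the NX-compat flag and every section mapped write+execute."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    # DllCharacteristics is at 0x46 in both the PE32 and PE32+ optional header.
    dllchars = struct.unpack_from("<H", image, opt + 0x46)[0]
    wx = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i            # section headers are 40 bytes each
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", image, hdr + 36)[0]
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            wx.append(name)
    return {"nx_compat": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
            "wx_sections": wx}

def build_sample_pe(nx: bool, sections: dict) -> bytes:
    """Constructed header-only PE32+ image for testing; not a bootable binary."""
    pe_off, opt_size = 0x40, 0xF0                # 0xF0 = PE32+ optional header size
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # PE32+ magic
    struct.pack_into("<H", opt, 0x46, IMAGE_DLLCHARACTERISTICS_NX_COMPAT if nx else 0)
    hdrs = b"".join(name.encode()[:8].ljust(8, b"\0") + bytes(28) + struct.pack("<I", c)
                    for name, c in sections.items())
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:           # e.g. python3 audit.py xen.efi
        print(audit_pe_nx(f.read()))
```

A section name longer than 8 bytes lives in the COFF string table, which this checker does not resolve; it reports the "/N" placeholder as found in the header.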