From c9f368b597a02f9919cb0c1c03e6b231129e9262 Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Wed, 14 Feb 2024 21:43:21 +0100 Subject: efi_loader: set IMAGE_DLLCHARACTERISTICS_NX_COMPAT The IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag marks an EFI binary where the following conditions are met [1]: * Executable and writable sections are separated. * The application does not run self-modifying code. * The application uses the EFI_MEMORY_ATTRIBUTE_PROTOCOL when loading executable code. * The application does not assume that all memory ranges are usable. * The stack is not expected to be executable. The only EFI binaries U-Boot provides that do not fulfill these requirements are the EFI app and the EFI payload. Once we have implemented separation of writable and executable memory in U-Boot we can use the IMAGE_DLLCHARACTERISTICS_NX_COMPAT flag to decide if we will load an EFI binary. [1] New UEFI CA memory mitigation requirements for signing https://techcommunity.microsoft.com/t5/hardware-dev-center/new-uefi-ca-memory-mitigation-requirements-for-signing/ba-p/3608714 Signed-off-by: Heinrich Schuchardt --- include/asm-generic/pe.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include/asm-generic') diff --git a/include/asm-generic/pe.h b/include/asm-generic/pe.h index b9d674b6da4..cd5b6ad62bf 100644 --- a/include/asm-generic/pe.h +++ b/include/asm-generic/pe.h @@ -51,6 +51,9 @@ #define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 #define IMAGE_SUBSYSTEM_EFI_ROM 13 +/* DLL characteristics */ +#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x100 + /* Section flags */ #define IMAGE_SCN_CNT_CODE 0x00000020 #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 -- cgit v1.2.3