The way we compile the barebox EFI runtime makes it clash with some of our hardening measures:
- ARM_MMU_PERMISSIONS: currently handles only a single text/rodata section, but with .efi_runtime we have two of each, but the code can't yet handle applying permissions. But even with that fixed, EFI payloads expect to be mapped RWX apparently? Needs some more thought put into it.
- Stack protector: Stack protector sits outside of EFI runtime section for now.

Signed-off-by: Ahmad Fatoum <[email protected]>
--- arch/arm/Kconfig | 1 + lib/Kconfig.hardening | 2 ++ 2 files changed, 3 insertions(+) diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig index 4b7f5b83c67e..ae3de9504a9b 100644 --- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -414,6 +414,7 @@ config ARM_UNWIND config ARM_MMU_PERMISSIONS bool "Map with extended RO/X permissions" + depends on !EFI_RUNTIME default y help Enable this option to map readonly sections as readonly, executable diff --git a/lib/Kconfig.hardening b/lib/Kconfig.hardening index 3b3ba6267aec..59dd02c9cfae 100644 --- a/lib/Kconfig.hardening +++ b/lib/Kconfig.hardening @@ -169,6 +169,7 @@ config STACKPROTECTOR_NONE config STACKPROTECTOR_STRONG bool "Strong" depends on $(cc-option,-fstack-protector-strong) + depends on !EFI_RUNTIME select STACKPROTECTOR help This option turns on the "stack-protector" GCC feature. This @@ -196,6 +197,7 @@ config STACKPROTECTOR_ALL bool "All" depends on $(cc-option,-fstack-protector-all) depends on COMPILE_TEST + depends on !EFI_RUNTIME select STACKPROTECTOR help This pushes and verifies stack protector canaries on all functions, -- 2.47.3
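Review bot: In the arch/arm/Kconfig hunk, ARM_MMU_PERMISSIONS stays `default y` but the new `depends on !EFI_RUNTIME` drops it silently as soon as EFI_RUNTIME is enabled, and neither the prompt nor the help text says so. Anyone who turns on EFI_RUNTIME in an existing config loses the RO/X mappings with no hint in menuconfig. Please extend the help text (or add a Kconfig comment next to the dependency) to state that the option is unavailable with EFI_RUNTIME because only a single text/rodata section is handled, so the restriction is visible and is easy to find and lift once the second section is supported.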
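Review bot: In the STACKPROTECTOR_STRONG hunk of lib/Kconfig.hardening, `depends on !EFI_RUNTIME` removes the stack protector for the whole binary, although the commit message only says the protector sits outside the EFI runtime section. If the clash is limited to code placed in .efi_runtime, consider leaving the option selectable and building only the runtime objects without the protector, so the rest of barebox keeps its canaries. If the global dependency is meant as a stopgap, add a short comment above it saying why it is there, since the same line is repeated in STACKPROTECTOR_ALL and both need to be removed together later.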
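Review bot: In the STACKPROTECTOR_ALL hunk, the option already has `depends on COMPILE_TEST`, so its purpose is build coverage, and the added `depends on !EFI_RUNTIME` means a compile-test config that enables EFI_RUNTIME can no longer exercise -fstack-protector-all at all. The commit message does not say whether the clash shows up at build time or only at runtime. If it is runtime only, this dependency could be left off the COMPILE_TEST-only option. If it breaks the build, please say so in the commit message.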
