From: Jan Kiszka <[email protected]> Add linker and objcopy switches that gnu-efi uses since 3.0.19 and that were missing in our configuration so far. Those have no negative impact with older gnu-efi and toolchains - tested down to Debian 10 setups - while fixing some gaps with gnu-efi 3.0.19. These gaps break validation of signatures with EFI runtimes, specifically U-Boot. Seen on armhf.
There are two exceptions in the alignment: We do not replace -shared with -pie --no-dynamic-linker as that is breaking with older build environments while -shared is fine for all versions. And then we need to keep .dynsym for 3.0.15 and older because arm64 is otherwise breaking. Signed-off-by: Jan Kiszka <[email protected]> --- Makefile.am | 21 ++++++++++++++------- configure.ac | 7 ++++++- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/Makefile.am b/Makefile.am index f2d6241..35eb08c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,7 +1,7 @@ # # EFI Boot Guard # -# Copyright (c) Siemens AG, 2017 +# Copyright (c) Siemens AG, 2017-2025 # # Authors: # Claudius Heine <[email protected]> @@ -286,8 +286,11 @@ efi_ldflags = \ -shared \ -Bsymbolic \ -nostdlib \ - -znoexecstack \ - -znocombreloc \ + -z noexecstack \ + -z nocombreloc \ + -z norelro \ + -z common-page-size=4096 \ + -z max-page-size=4096 \ --warn-common \ --no-undefined \ --fatal-warnings \ @@ -306,6 +309,11 @@ objcopy_format = --target=efi-app-$(ARCH) endif endif +efi_sections = \ + -j .text -j .sdata -j .data -j .dynamic -j .rodata \ + -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* -j .areloc \ + -j .reloc $(EXTRA_EFI_SECTIONS) + efi_objects_pre1 = $(efi_sources:.c=.o) efi_objects_pre2 = $(efi_objects_pre1:.S=.o) efi_objects = $(addprefix $(top_builddir)/,$(efi_objects_pre2)) @@ -352,8 +360,8 @@ $(efi_solib): $(efi_objects) nm -D -u $@ | grep ' U ' && exit 1 || : $(efi_loadername): $(efi_solib) - $(AM_V_GEN) $(OBJCOPY) -j .text -j .wdfuncs -j .sdata -j .data -j .dynamic \ - -j .dynsym -j .rodata -j .rel* $(objcopy_format) $< $@ + $(AM_V_GEN) $(OBJCOPY) $(efi_sections) -j .wdfuncs \ + $(objcopy_format) $< $@ $(kernel_stub_solib): $(kernel_stub_objects) $(AM_V_CCLD)$(LD) $(efi_ldflags) $(kernel_stub_objects) \ 
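Review bot: The three options added to `efi_ldflags` (`-z norelro`, `-z common-page-size=4096`, `-z max-page-size=4096`) have no in-file explanation, and `-z norelro` on its own reads like a dropped hardening flag to anyone later auditing the link line of a boot component. The commit message gives the reason: alignment with gnu-efi 3.0.19 so that EFI runtimes such as U-Boot can validate signatures. A comment would keep that reason with the code, e.g. `# -z norelro and 4096-byte page sizes follow gnu-efi >= 3.0.19; without them signature validation fails on some EFI runtimes (U-Boot, seen on armhf)`. The `efi_ldflags = \` assignment starts above the hunk, so the comment has to go before that line, not between the continued lines.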
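Review bot: The section patterns in `efi_sections` (`.rel.*`, `.rela.*`, `.rel*`, `.rela*`) reach the recipe shell unquoted, so the shell expands any that match a file in objcopy's working directory before objcopy sees them. A stray match would silently change which sections are copied into the EFI binary whose signature is later validated. The removed recipes had the same exposure with a single `-j .rel*`, and this variable widens it to four patterns. Quoting them keeps the wildcard for objcopy, e.g. `-j '.rel*' -j '.rela*'`. Since `.rel*` already appears to cover the other five relocation patterns, the list could probably be shortened, unless it is kept verbatim to mirror gnu-efi.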
@@ -361,8 +369,7 @@ $(kernel_stub_solib): $(kernel_stub_objects) nm -D -u $@ | grep ' U ' && exit 1 || : $(kernel_stub_name): $(kernel_stub_solib) - $(AM_V_GEN) $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic \ - -j .dynsym -j .rodata -j .rel* $(objcopy_format) $< $@ + $(AM_V_GEN) $(OBJCOPY) $(efi_sections) $(objcopy_format) $< $@ endif # BOOTLOADER diff --git a/configure.ac b/configure.ac index 16d25b9..59f9e03 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ # # EFI Boot Guard # -# Copyright (c) Siemens AG, 2017 +# Copyright (c) Siemens AG, 2017-2025 # # Authors: # Claudius Heine <[email protected]> @@ -255,6 +255,11 @@ AS_IF([test -z "$ARCH_IS_X86_FALSE" -a $GNU_EFI_VERSION -eq 0], [LDFLAGS_NO_WARN_RWX_SEGMENTS=]) AC_SUBST([LDFLAGS_NO_WARN_RWX_SEGMENTS])]) +# Keep .dynsym section for gnu-efi 3.0.15 or older +AS_IF([test $GNU_EFI_VERSION -eq 0], + EXTRA_EFI_SECTIONS="-j .dynsym" + AC_SUBST([EXTRA_EFI_SECTIONS])) + AS_IF([test "x$enable_bootloader" != "xno"], [ PKG_CHECK_MODULES(LIBPCI, libpci) -- 2.43.0 -- You received this message because you are subscribed to the Google Groups "EFI Boot Guard" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/efibootguard-dev/4c4fb31b76cc2d86679a0dc63d47c40dd6e20ae4.1755862361.git.jan.kiszka%40siemens.com.
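Review bot: `EXTRA_EFI_SECTIONS` is assigned only in the true branch of the new `AS_IF`, so when `GNU_EFI_VERSION` is not 0 configure substitutes whatever value the variable already has in the environment. That text then ends up on the objcopy command line through `efi_sections` in Makefile.am. Initialising it first with `EXTRA_EFI_SECTIONS=` makes the output independent of the caller's environment. The branch is also passed to `AS_IF` without m4 quoting and contains the `AC_SUBST` call. The usual form is `[EXTRA_EFI_SECTIONS="-j .dynsym"]` as the second argument and `AC_SUBST([EXTRA_EFI_SECTIONS])` once, after the `AS_IF`.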
