[PATCH v2 04/10] modules: load module sections at page-aligned addresses

2024-05-30 Thread Mate Kukri
Currently we load module sections at whatever alignment gcc+ld happened to dump into the ELF section header, which is often less than the page size. Since NX protections are page based, this alignment must be rounded up to page size on platforms supporting NX protections. This patch switches most

[PATCH v2 03/10] modules: Don't allocate space for non-allocable sections.

2024-05-30 Thread Mate Kukri
From: Peter Jones Currently when loading grub modules, we allocate space for all sections, including those without SHF_ALLOC set. We then copy the sections that /do/ have SHF_ALLOC set into the allocated memory, leaving some of our allocation untouched forever. Additionally, on platforms with G

[PATCH v2 05/10] nx: add memory attribute get/set API

2024-05-30 Thread Mate Kukri
For NX, we need to set the page access permission attributes for write and execute permissions. This patch adds two new primitives, grub_set_mem_attrs() and grub_clear_mem_attrs(), and associated constant definitions, to be used for that purpose. For most platforms, it adds a dummy implementation

[PATCH v2 10/10] efi: Disallow fallback to legacy Linux loader when shim says NX is required.

2024-05-30 Thread Mate Kukri
Signed-off-by: Mate Kukri --- grub-core/loader/efi/linux.c | 41 +++- 1 file changed, 36 insertions(+), 5 deletions(-) diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c index 99365536a..e44692c92 100644 --- a/grub-core/loader/efi/linux.c +++

[PATCH v2 08/10] efi: Provide wrappers for load_image, start_image, unload_image

2024-05-30 Thread Mate Kukri
From: Julian Andres Klode These can be used to register a different implementation later, for example, when shim provides a protocol with those functions. Signed-off-by: Mate Kukri --- grub-core/kern/efi/efi.c | 57 ++ grub-core/loader/efi/chainloader.c |

[PATCH v2 06/10] nx: set page permissions for loaded modules.

2024-05-30 Thread Mate Kukri
For NX, we need to set write and executable permissions on the sections of grub modules when we load them. On sections with SHF_ALLOC set, which is typically everything except .modname and the symbol and string tables, this patch clears the Read Only flag on sections that have the ELF flag SHF_WRI
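The three module-loading rules described in patches 03, 04 and 06 above (skip sections without SHF_ALLOC, round each allocated section's alignment up to the page size when NX is in effect, and derive per-section page permissions from SHF_WRITE and SHF_EXECINSTR) fit together in one layout pass. The following is an added illustration written for this page, not GRUB's code: the section table is constructed inline, PAGE_SIZE, the MEM_ATTR_* bits and the function names are assumptions, and it stops at computing offsets and attributes rather than calling grub_set_mem_attrs()/grub_clear_mem_attrs(). It also refuses a section that is both writable and executable, which is the property the NX-compatible flag (patch 07) promises the firmware.

```c
/* Added example: module section layout under NX rules. Not GRUB code. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* ELF section flags (from the ELF specification). */
#define SHF_WRITE     0x1
#define SHF_ALLOC     0x2
#define SHF_EXECINSTR 0x4

/* Assumed values for this example; GRUB's names and constants differ. */
#define PAGE_SIZE   4096u
#define MEM_ATTR_R  0x1u
#define MEM_ATTR_W  0x2u
#define MEM_ATTR_X  0x4u

struct sec {            /* the fields of Elf64_Shdr this pass needs */
    const char *name;
    uint64_t flags;
    uint64_t size;
    uint64_t addralign;
};

struct placed {         /* result per section */
    uint64_t offset;    /* offset inside the module allocation, UINT64_MAX if not loaded */
    unsigned attrs;     /* MEM_ATTR_* bits to apply to its pages */
};

static uint64_t align_up(uint64_t v, uint64_t a) { return (v + a - 1) & ~(a - 1); }

/* Computes where each section lands and which page attributes it needs.
 * Returns the total bytes to allocate, or 0 on error (bad alignment or a
 * section that would need to be both writable and executable). */
uint64_t layout_module(const struct sec *secs, size_t n, struct placed *out, int nx)
{
    uint64_t off = 0;
    for (size_t i = 0; i < n; i++) {
        out[i].offset = UINT64_MAX;
        out[i].attrs = 0;
        if (!(secs[i].flags & SHF_ALLOC))
            continue;                        /* patch 03: no space for non-allocable sections */
        uint64_t a = secs[i].addralign ? secs[i].addralign : 1;
        if (a & (a - 1))
            return 0;                        /* ELF requires a power-of-two alignment */
        if (nx && a < PAGE_SIZE)
            a = PAGE_SIZE;                   /* patch 04: NX is page based, so round up */
        off = align_up(off, a);
        unsigned attrs = MEM_ATTR_R;         /* patch 06: permissions follow the ELF flags */
        if (secs[i].flags & SHF_WRITE)     attrs |= MEM_ATTR_W;
        if (secs[i].flags & SHF_EXECINSTR) attrs |= MEM_ATTR_X;
        if ((attrs & (MEM_ATTR_W | MEM_ATTR_X)) == (MEM_ATTR_W | MEM_ATTR_X))
            return 0;                        /* W^X: never hand out RWX pages */
        out[i].offset = off;
        out[i].attrs = attrs;
        off += secs[i].size;
    }
    /* With NX the last section's pages are set whole, so size the allocation in pages. */
    return nx ? align_up(off, PAGE_SIZE) : off;
}

/* Constructed section table resembling a GRUB module built by gcc+ld
 * (sizes and alignments are made up for the example). */
#define NSECS 8
static const struct sec sample_secs[NSECS] = {
    { ".text",           SHF_ALLOC | SHF_EXECINSTR, 0x1234, 16 },
    { ".rodata",         SHF_ALLOC,                 0x200,  8  },
    { ".data",           SHF_ALLOC | SHF_WRITE,     0x100,  8  },
    { ".bss",            SHF_ALLOC | SHF_WRITE,     0x80,   16 },
    { ".module_license", SHF_ALLOC,                 0x20,   1  },  /* read-only after patch 01 */
    { ".modname",        0,                         0x10,   1  },  /* no SHF_ALLOC: not loaded */
    { ".symtab",         0,                         0x300,  8  },
    { ".llvm_addrsig",   0,                         0x8,    1  },  /* stripped by patch 02 anyway */
};

uint64_t example_layout(int nx, struct placed *out)
{
    return layout_module(sample_secs, NSECS, out, nx);
}

int main(void)
{
    struct placed p[NSECS];
    uint64_t total = example_layout(1, p);
    printf("allocation: 0x%llx bytes\n", (unsigned long long)total);
    for (size_t i = 0; i < NSECS; i++) {
        if (p[i].offset == UINT64_MAX)
            printf("%-16s not loaded\n", sample_secs[i].name);
        else
            printf("%-16s @0x%05llx attrs R%s%s\n", sample_secs[i].name,
                   (unsigned long long)p[i].offset,
                   (p[i].attrs & MEM_ATTR_W) ? "W" : "-",
                   (p[i].attrs & MEM_ATTR_X) ? "X" : "-");
    }
    return 0;
}
```

Run with nx=1 the five allocatable sections each start on their own page and the three non-allocatable ones get no space at all; with nx=0 the same table packs into under 0x1600 bytes, which shows why page-based NX attributes cannot be applied to the old layout without first re-aligning it.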

[PATCH v2 07/10] nx: set the nx compatible flag in EFI grub images

2024-05-30 Thread Mate Kukri
For NX, we need the grub binary to announce that it is compatible with the NX feature. This implies that when loading the executable grub image, several attributes are true: - the binary doesn't need an executable stack - the binary doesn't need sections to be both executable and writable - the b

[PATCH v2 09/10] efi: Use shim's loader protocol for EFI image verification and loading

2024-05-30 Thread Mate Kukri
Signed-off-by: Mate Kukri --- grub-core/kern/efi/sb.c | 39 +--- grub-core/loader/efi/linux.c | 16 --- include/grub/efi/api.h | 5 + include/grub/efi/efi.h | 19 +++--- include/grub/efi/sb.h| 3 --- 5 files ch

[PATCH v2 02/10] modules: strip .llvm_addrsig sections and similar.

2024-05-30 Thread Mate Kukri
From: Peter Jones Currently grub modules built with clang or gcc have several sections which we don't actually need or support. We already have a list of sections to skip in genmod.sh, and this patch adds the following sections to that list (as well as a few newlines): .note.gnu.property .llvm*

[PATCH v2 00/10] UEFI NX support and NX Linux loader using shim loader protocol

2024-05-30 Thread Mate Kukri
Currently the patchset consists of: - Reworked Fedora NX patches to make GRUB itself work under NX. - Julian Andres Klode's loader framework patch (used in Debian and Ubuntu for the downstream loader). - Implemented shim loader protocol support using the above loader framework. - Added patch to di

[PATCH v2 01/10] modules: make .module_license read-only

2024-05-30 Thread Mate Kukri
From: Peter Jones Currently .module_license is set writable (that is, the section has the SHF_WRITE flag set) in the module's ELF headers. This probably never actually matters, but it can't possibly be correct. This patch sets that data as "const", which causes that flag not to be set. Signed-