Re: [XEN PATCH v3] sbat: Add SBAT section to the Xen EFI binary

Thu, 08 May 2025 01:52:27 -0700 

On 07/05/2025 2:54 pm, Gerald Elder-Vass wrote:
> diff --git a/xen/arch/x86/efi/Makefile b/xen/arch/x86/efi/Makefile
> index 24dfecfad184..75aa35870a9a 100644
> --- a/xen/arch/x86/efi/Makefile
> +++ b/xen/arch/x86/efi/Makefile
> @@ -6,11 +6,17 @@ cmd_objcopy_o_ihex = $(OBJCOPY) -I ihex -O binary $< $@
>  $(obj)/%.o: $(src)/%.ihex FORCE
>       $(call if_changed,objcopy_o_ihex)
>  
> +$(obj)/sbat.o: OBJCOPYFLAGS := -I binary -O elf64-x86-64 --rename-section 
> .data=.sbat,readonly,data,contents
> +$(obj)/sbat.o: $(src)/sbat.sbat FORCE
> +     $(call if_changed,objcopy)
> +

Doing a build locally with this, I've found two issues.  One is:

> ld: warning: arch/x86/efi/sbat.o: missing .note.GNU-stack section implies 
> executable stack
> ld: NOTE: This behaviour is deprecated and will be removed in a future 
> version of the linker
> ld: warning: arch/x86/efi/built_in.o: requires executable stack (because the 
> .note.GNU-stack section is executable)
> ld: warning: arch/x86/built_in.o: requires executable stack (because the 
> .note.GNU-stack section is executable)
> ld: warning: prelink.o: requires executable stack (because the 
> .note.GNU-stack section is executable)
> ld: warning: prelink.o: requires executable stack (because the 
> .note.GNU-stack section is executable)
> ld: warning: prelink.o: requires executable stack (because the 
> .note.GNU-stack section is executable)

which isn't a terribly good look on a "higher security" feature.  The
easiest way to fix this is:

$(obj)/sbat.o: OBJCOPYFLAGS := -I binary -O elf64-x86-64 \
        --rename-section .data=.sbat,readonly,data,contents \
        --add-section .note.GNU-stack=/dev/null

to add the required section.



>  $(obj)/boot.init.o: $(obj)/buildid.o
>  
>  $(call cc-option-add,cflags-stack-boundary,CC,-mpreferred-stack-boundary=4)
>  $(addprefix $(obj)/,$(EFIOBJ-y)): CFLAGS_stack_boundary := 
> $(cflags-stack-boundary)
>  
> +EFIOBJ-y += sbat.o

Also,

> ld: warning: orphan section `.sbat' from `prelink.o' being placed in section 
> `.sbat'

This is because sbat.o is getting linked into the non-EFI build of Xen too.

I'm less sure how to go about fixing this.  There's no nice way I can
see of of getting sbat.o only in the EFI build.  The other option is to
discard it for the ELF build.

~Andrew

Reply via email to