On Thu, Feb 15, 2024 at 10:17:20AM +0100, Ard Biesheuvel wrote:
> (cc stakeholders from various distros - apologies if I missed anyone)
>
> Please consider the patches below for backporting to the linux-6.6.y stable tree.
>
> These are prerequisites for building a signed x86 efistub kernel image that complies with the tightened UEFI boot requirements imposed by Microsoft, and this is the condition under which it is willing to sign future Linux secure boot shim builds with its 3rd party CA certificate. (Such builds must enforce a strict separation between executable and writable code, among other things.)
>
> The patches apply cleanly onto 6.6.17 (-rc2), resulting in a defconfig build that boots as expected under OVMF/KVM.
>
> 5f51c5d0e905 x86/efi: Drop EFI stub .bss from .data section
> 7e50262229fa x86/efi: Disregard setup header of loaded image
> bfab35f552ab x86/efi: Drop alignment flags from PE section headers
> 768171d7ebbc x86/boot: Remove the 'bugger off' message
> 8eace5b35556 x86/boot: Omit compression buffer from PE/COFF image memory footprint
> 7448e8e5d15a x86/boot: Drop redundant code setting the root device
> b618d31f112b x86/boot: Drop references to startup_64
> 2e765c02dcbf x86/boot: Grab kernel_info offset from zoffset header directly
> eac956345f99 x86/boot: Set EFI handover offset directly in header asm
> 093ab258e3fb x86/boot: Define setup size in linker script
> aeb92067f6ae x86/boot: Derive file size from _edata symbol
> efa089e63b56 x86/boot: Construct PE/COFF .text section from assembler
> fa5750521e0a x86/boot: Drop PE/COFF .reloc section
> 34951f3c28bd x86/boot: Split off PE/COFF .data section
> 3e3eabe26dc8 x86/boot: Increase section and file alignment to 4k/512
> 1ad55cecf22f x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section
Is the list here the order in which they should be applied in?
And is this not an issue for 6.1.y as well?
thanks,
greg k-h