TODO:
* selective NX enablement on pd0, pd1 and pd3.
Unconditional NX on the whole pd3 makes memtest86+ reboot in a QEMU-emulated computer.
* if supported on all x86_64 CPUs, simply enable long mode and NX simultaneously ? A real K8 dual-core processor didn't seem to hate it, at least.
* startup code: NX enablement for x86, on capable computers (CPUID 0x80000001, edx bit 20).
* set the appropriate flag in the headers.
We have a .setup section in the EFI image that contains the remainder of
the Linux boot header and the real-mode setup code to support booting via
an intermediate bootloader. This sits between the PE header and the .text
section. We don't want the EFI loader to load this section, so simply
increase the SizeOfHeader field in the PE header to cover it.
The AP stacks section was being discarded by the linker because the
change in section name and attributes hadn't been propagated from
the startup64.S to startup32.S.
The alignment characteristics are only valid in COFF files. The section
alignment for image files is determined by the SectionAlignment field
in the image header.
When the reloc and sbat sections were added by PR #34, three bugs were
introduced:
1. The virtual address and size fields in the PE headers were set to the
same values as the raw address and size fields. This is incorrect, because
the sections in the image file are aligned on 512 byte boundaries, but when
loaded into memory they need to be aligned on 4096 byte boundaries.
2. The value programmed into the SizeOfImage field was too large, as it
double-counted the region before the start of the .text section.
3. The value programmed into the SizeOfImage field no longer included the bss
size. That potentially allowed the EFI loader to load the image immediately
before a reserved region of memory without leaving enough space for the bss
section.
This commit fixes those bugs by calculating both file and virtual memory
offsets & sizes in the ld script. Note that we can't add a bss section to the
EFI image because many EFI loaders fail to load images that have uninitialised
data sections. Instead the text region size in virtual memory is increased
to include the bss size.
This fixes issue #243. It also eliminates the gaps between sections
observed in issue #202.
A headless EFI system may have no GOP devices. In this case, disable
output to the physical display, but continue to write to the shadow
buffer. This allows operation via a serial console.
This patch adds a new section, ".sbat", which allows for the revocation
of signed binaries given a numeric value representing the set of bugs
which allow for arbitrary code execution, and therefore a Secure Boot
breakout, in a given family of binaries.
In this case, the class is defined as "memtest86+", and the current set
of bugs is 1. This doesn't imply that we're aware of bugs currently,
merely that when we change it to 2, any bugs that /have/ been discovered
have been fixed.
Documentation for how SBAT works can be found at the following URLs:
https://github.com/rhboot/shim/blob/main/SBAT.mdhttps://github.com/rhboot/shim/blob/main/SBAT.example.md
Signed-off-by: Peter Jones <pjones@redhat.com>
In the past, we've seen some problems with some EFI loaders refusing to
load a binary that has both a .text section with the VMA set and no
relocations, when the VMA set to load is already allocated for some
other purpose.
This patch adds a dummy absolute relocation from 0 to 0, so the loader
can always feel like it has done something useful.
Signed-off-by: Peter Jones <pjones@redhat.com>
SizeOfImage is defined as:
The size (in bytes) of the image, including all headers, as the image
is loaded in memory. It must be a multiple of SectionAlignment.
SizeOfHeaders likewise is defined as:
The combined size of an MS-DOS stub, PE header, and section headers
rounded up to a multiple of FileAlignment.
Currently SizeOfImage represents .bss and .text, but it doesn't include
.header or .setup, nor any sections we'll add later, and there's nothing
enforcing that it matches SectionAlignment. Additionally, since .bss is
being set up in our running code and /not/ by the loader, the current
value is dangerously high, as in the event there is an error in the
section table, it could potentially lead the loader to mark memory
allocated at runtime holding user-supplied data by any EFI binary loaded
before us as executable.
This patch adds a new symbol, _img_end, which is after .text and is
rounded up to 4kB (which is also what SectionAlignment is set to). It
also adds a local label, anchored with ".org 512", and uses that to set
SizeOfHeaders - this will ensure the build fails without outputting and
invalid binary if the headers take too much space.
Signed-off-by: Peter Jones <pjones@redhat.com>
Currently, the PE headers we create in boot/header.S do not allocate
space for any Data Directory entries, as they haven't been needed.
In order to support signatures and compatibility with some loaders, we
need the Data Directory to be populated at least enough to set
DataDirectory.Certs and DataDirectory.BaseReloc.
This patch extends that space enough to include those entries.
Signed-off-by: Peter Jones <pjones@redhat.com>
This changes header.S to use the constants defined in peimage.h to for
the values in its structure, making it a lot easier to debug.
Signed-off-by: Peter Jones <pjones@redhat.com>
This adds a header file to describe the PE binary we're building. This
has constants defined for all the values we use in the PE headers, as
well as the structures for reference (guarded by #ifdef __ASSEMBLY__).
This particular peimage.h is originally from binutils-2.10.0.18, which
is GPLv2 licensed, and is copyright the Free Software Foundation. I've
added the few additional fields we need.
Signed-off-by: Peter Jones <pjones@redhat.com>
Most legacy BIOSs will support USB legacy keyboard emulation. Using that
will avoid having to reserve memory for the USB drivers, and should
improve the chance of having a working keyboard without having to work
around various USB device quirks.
In a .code16 section, the default coding for the lgdt instruction only loads
a 24 bit base address from the GDT descriptor. When loaded above 16MB, we
need it to load the full 32 bits.
This shouldn't be needed because we don't set the relocatable_kernel flag,
but the GRUB linuxefi command pays no attention to that. Currently the
linuxefi command also ignores the alignment values, but set them now in
case that changes in the future.
The old barrier implementation was very slow when running on a multi-socket
machine (pcmemtest issue 16).
The new implementation provides two options:
- when blocked, spin on a thread-local flag
- when blocked, execute a HLT instruction and wait for a NMI
The first option might be faster, but we need to measure it to find out. A
new boot command line option is provided to select between the two, with a
third setting that uses a mixture of the two.
- the calculation of the RSP value when an interrupt occurred was
out by 8 bytes
- in a few places a 32-bit pointer was used instead of a 64-bit one
- incorrect tabulation (white space)
There is more in the startup code that isn't thread safe than just
the use of the temporary stack. So take the mutex for the whole time.
The code isn't that long, so it's not worth trying to cover just the
critical sections.
When using a legacy BIOS, the memory regions used by the BIOS are well
defined. This is not the case when using a UEFI BIOS. So include the
stack area in the BSS so the loader knows how much memory to allocate,
and check we have space to relocate the program to either low or high
memory.
There are still some assumptions in the USB driver code that need to
be fixed.
Because we start the APs sequentially, it is unlikely they will coincide
for the brief period that they use the temporary startup stack, but we
should guard against it. This allows us to remove the mutex around the
restart of each AP when relocating, which should improve test times.
After we relocate the program, we restart it. So there is no need to copy
over the old stack contents. This allows us to increase the maximum number
of APs without a run time overhead. The maximum number of APs will still
be limited by the size of low memory.
The BSP only needs extra stack space during program initialisation. The APs
aren't running at that point, so by positioning the BSP stack above the AP
stacks, it can extend down into the AP stack space without causing any
problems.
