git.ipfire.org Git - thirdparty/systemd.git/commit

author	Luca Boccassi <luca.boccassi@gmail.com>
	Mon, 11 Aug 2025 14:33:35 +0000 (15:33 +0100)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 19 Aug 2025 15:16:57 +0000 (17:16 +0200)
commit	70b7e03ebbd90046d23423571ab0440ba8e2047f
tree	e02c4313c7cd5a9e747e21f46a94690b592c01a6	tree \| snapshot
parent	490aa05ca1ba8e3e2a5ed13e1a77f5ea9f1c93b0	commit \| diff

sd-stub: use memory proto if available and set kernel memory to RX with NX_COMPAT

When NX_COMPAT gets enabled, firmwares will enforce that executable
memory is either writable or executable.
This needs kernel compatibility, when it will happen the kernel will
have the NX_COMPAT bit set. If it is, set the memory buffer to RO.

Note that this must be undone on failure, as EDK2 in some configurations
overwrites memory ranges that are returned with FreePages() with a
fixed pattern, so if the pages are RO it will crash.

This is only an issue with the new custom PE loader, as LoadImage()
and StartImage() will always do the right thing automatically.

https://microsoft.github.io/mu/WhatAndWhy/enhancedmemoryprotection/
https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/

Follow-up for cab9c7b5a42effa8a45611fc6b8556138c869b5f

Fixes https://github.com/systemd/systemd/issues/38545

src/boot/linux.c		diff \| blob \| blame \| history
src/boot/pe.c		diff \| blob \| blame \| history
src/boot/pe.h		diff \| blob \| blame \| history
src/boot/proto/memory-attribute.h	[new file with mode: 0644]	blob