File 0007-nx-Set-the-NX-compatible-flag-for-the-GRUB-EFI-image.patch of Package grub2
From 332326fcd182d0e28176d555d913e8c43fc2c684 Mon Sep 17 00:00:00 2001
From: Mate Kukri <mate.kukri@canonical.com>
Date: Wed, 9 Oct 2024 09:16:42 +0100
Subject: [PATCH 07/13] nx: Set the NX compatible flag for the GRUB EFI images
For NX the GRUB binary has to announce that it is compatible with the
NX feature. This implies that when loading the executable GRUB image
several attributes are true:
- the binary doesn't need an executable stack,
- the binary doesn't need sections to be both executable and writable,
- the binary knows how to use the EFI Memory Attributes Protocol on code
it is loading.
This patch:
- adds a definition for the PE DLL Characteristics flag GRUB_PE32_NX_COMPAT,
- changes grub-mkimage to set that flag.
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/efi/pe32.h | 2 ++
util/mkimage.c | 1 +
2 files changed, 3 insertions(+)
diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
index 4e6e9d254b..9887e14b27 100644
--- a/include/grub/efi/pe32.h
+++ b/include/grub/efi/pe32.h
@@ -231,6 +231,8 @@ struct grub_pe64_optional_header
#define GRUB_PE32_SUBSYSTEM_EFI_APPLICATION 10
+#define GRUB_PE32_NX_COMPAT 0x0100
+
#define GRUB_PE32_NUM_DATA_DIRECTORIES 16
struct grub_pe32_section_table
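Review bot: The new `#define GRUB_PE32_NX_COMPAT 0x0100` has no comment and no name prefix saying which header field it belongs to, and it sits directly under `GRUB_PE32_SUBSYSTEM_EFI_APPLICATION`, which is a value for a different field (subsystem). A one-line comment that this is a bit in the optional header's `dll_characteristics` field, or a name such as GRUB_PE32_DLL_CHARACTERISTICS_NX_COMPAT, would keep it from being read as another subsystem value and would give later DLL Characteristics bits an obvious place to go.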
diff --git a/util/mkimage.c b/util/mkimage.c
index 6c0581836b..5d7a47e705 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -1453,6 +1453,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wdangling-pointer"
#endif
+ PE_OHDR (o32, o64, dll_characteristics) = grub_host_to_target16 (GRUB_PE32_NX_COMPAT);
PE_OHDR (o32, o64, header_size) = grub_host_to_target32 (header_size);
PE_OHDR (o32, o64, entry_addr) = grub_host_to_target32 (layout.start_address);
PE_OHDR (o32, o64, image_base) = 0;
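Review bot: The added `PE_OHDR (o32, o64, dll_characteristics) = ...` line sets the flag unconditionally, while the commit message says the flag promises that no section is both writable and executable; nothing visible in this hunk checks the generated section layout against that promise. If the guarantee comes from other patches in this 13-part series, a comment above the assignment naming that dependency would help; otherwise consider gating the flag on the section flags that are actually emitted. Two smaller points: the plain assignment defines the whole field, so any future second bit has to be folded into this same expression, and the line runs past 80 columns and could be wrapped after the `=`.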
--
2.49.0
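
The commit message ties the NX compatible flag to the image having no section that is both writable and executable. As an added example (not part of the patch or of GRUB), this is a check that could be run on a built EFI image: it reads DllCharacteristics and every section header. The function names, result bits and sample image are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NX_COMPAT       0x0100u     /* value of GRUB_PE32_NX_COMPAT in the patch */
#define SCN_MEM_EXECUTE 0x20000000u /* PE section flag: executable */
#define SCN_MEM_WRITE   0x80000000u /* PE section flag: writable */
#define NX_FLAG_MISSING 1           /* result bits, names chosen for this example */
#define WX_SECTION      2
#define SAMPLE_LEN      368         /* size of the constructed sample below */

static uint32_t rd16(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8; }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | rd16(p + 2) << 16; }

/* Returns -1 if malformed, else a bitmask of NX_FLAG_MISSING / WX_SECTION. */
int pe_nx_audit(const uint8_t *img, size_t len)
{
  if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
  size_t pe = rd32(img + 0x3c);                 /* e_lfanew */
  if (pe > len - 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
  size_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
  size_t opt = pe + 24, sec = opt + optsz;
  if (optsz < 72 || sec > len || (len - sec) / 40 < nsec) return -1;
  if (rd16(img + opt) != 0x10b && rd16(img + opt) != 0x20b) return -1;
  /* DllCharacteristics is at offset 70 of both the PE32 and PE32+ header. */
  int r = (rd16(img + opt + 70) & NX_COMPAT) ? 0 : NX_FLAG_MISSING;
  for (size_t i = 0; i < nsec; i++) {
    uint32_t f = rd32(img + sec + i * 40 + 36); /* section Characteristics */
    if ((f & SCN_MEM_EXECUTE) && (f & SCN_MEM_WRITE)) r |= WX_SECTION;
  }
  return r;
}

/* Constructed sample: minimal PE32+ headers followed by one section header. */
void build_sample(uint8_t *b, uint16_t dllchar, uint32_t secflags)
{
  memset(b, 0, SAMPLE_LEN);
  memcpy(b, "MZ", 2);            b[0x3c] = 0x40; /* e_lfanew */
  memcpy(b + 0x40, "PE\0\0", 4); b[0x46] = 1;    /* NumberOfSections */
  b[0x54] = 240;                                 /* SizeOfOptionalHeader */
  b[0x58] = 0x0b; b[0x59] = 0x02;                /* PE32+ magic 0x20b */
  b[0x58 + 70] = dllchar & 0xff; b[0x58 + 71] = dllchar >> 8;
  for (int i = 0; i < 4; i++) b[0x148 + 36 + i] = (secflags >> (8 * i)) & 0xff;
}

int main(void)
{
  uint8_t img[SAMPLE_LEN];
  build_sample(img, 0, SCN_MEM_EXECUTE | SCN_MEM_WRITE);
  printf("audit result: %d\n", pe_nx_audit(img, sizeof img));
}
```

A result of 0 means the flag is set and no section is writable and executable; the third property in the commit message, use of the EFI Memory Attributes Protocol, is runtime behaviour and cannot be read from the headers.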