Linux 6.7 Reworks PE Header Generation To Reduce Attack Area

Written by Michael Larabel in Linux Kernel on 29 October 2023 at 08:35 AM EDT.
One of the many early pull requests sent in for Linux 6.7 was the x86/boot changes, headlined by a rework of the PE header generation that produces a modern, 4K-aligned view of the kernel image in order to improve system security.

Ard Biesheuvel led the effort on this PE header generation rework. He explained in the patch series last month:
"Now that the EFI stub boot flow no longer relies on memory that is executable and writable at the same time, we can reorganize the PE/COFF view of the kernel image and expose the decompressor binary's code and r/o data as a .text section and data/bss as a .data section, using 4k alignment and limited permissions.

Doing so is necessary for compatibility with hardening measures that are being rolled out on x86 PCs built to run Windows (i.e., the majority of them). The EFI boot environment that the Linux EFI stub executes in is especially sensitive to safety issues, given that a vulnerability in the loader of one OS can be abused to attack another.

In true x86 fashion, this is a lot more complicated than on other architectures, which have implemented this code/data split with 4k alignment from the beginning. The complicating factor here is that the boot image consists of two different parts, which are stitched together and fixed up using a special build tool.

After this series is applied, the only remaining task performed by the build tool is generating the CRC-32. Even though this checksum is usually wrong (given that distro kernels are signed for secure boot in a way that corrupts the CRC), this feature is retained as we cannot be sure that nobody is relying on this.

This supersedes the work proposed by Evgeniy last year, which did a major rewrite of the build tool in order to clean it up, before updating it to generate the new 4k aligned image layout. As this series proves, the build tool is mostly unnecessary, and we have too many of those already."

This work is the main highlight of the x86/boot changes submitted for the Linux 6.7 merge window.
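The series above is about what the PE/COFF view of the image looks like to an EFI loader: separate code and data sections, 4K alignment, and no section that is both writable and executable. The following is an added example (not from the kernel tree or the patch series) that parses the PE section table and reports exactly those two properties; the two sample images are constructed header-only PE32+ stubs, and the "old style" single RWX section is an illustration, not a byte-accurate copy of any real bzImage.

```python
import struct

# Section characteristic bits from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

def parse_sections(image: bytes):
    """Return (SectionAlignment, [(name, VirtualAddress, Characteristics), ...])."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew in the DOS header
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)  # COFF header
    opt_off = pe_off + 24                                      # optional header follows the COFF header
    align = struct.unpack_from("<I", image, opt_off + 32)[0]   # SectionAlignment (same offset in PE32/PE32+)
    sections = []
    for i in range(nsect):
        off = opt_off + opt_size + 40 * i                      # section table: 40-byte entries
        name, _, vaddr, *_, chars = struct.unpack_from("<8sIIIIIIHHI", image, off)
        sections.append((name.rstrip(b"\0").decode(), vaddr, chars))
    return align, sections

def audit(image: bytes, page: int = 0x1000):
    """Report sections that are W+X or not page aligned, the properties the rework targets."""
    align, sections = parse_sections(image)
    issues = []
    if align % page:
        issues.append(f"SectionAlignment 0x{align:x} is not a multiple of 0x{page:x}")
    for name, vaddr, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            issues.append(f"{name} is writable and executable")
        if vaddr % page:
            issues.append(f"{name} starts at 0x{vaddr:x}, not page aligned")
    return issues

def build_image(align: int, sections) -> bytes:
    """Constructed header-only PE32+ image for testing; not a real kernel image."""
    opt = struct.pack("<H", 0x20B) + bytes(30) + struct.pack("<I", align) + bytes(204)  # 240-byte optional header
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x1000, va, 0x1000, 0, 0, 0, 0, 0, ch)
                     for n, va, ch in sections)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)          # e_lfanew -> PE signature at 0x40
    return dos + b"PE\0\0" + coff + opt + table

# Constructed samples: one RWX section with 32-byte alignment versus a 4K-aligned .text/.data split.
OLD_STYLE = build_image(0x20, [(b".text", 0x4000, 0xE0000020)])
NEW_STYLE = build_image(0x1000, [(b".text", 0x1000, 0x60000020), (b".data", 0x5000, 0xC0000040)])

if __name__ == "__main__":
    for label, img in (("old", OLD_STYLE), ("new", NEW_STYLE)):
        print(label, audit(img) or "ok")
```

Pointing `audit()` at a real EFI-stub kernel image (`open(path, "rb").read()`) works the same way, since the section table sits at the offsets the loop computes.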