[v2,11/11] automation/x86: add a xen.efi test with a strict NX OVMF build

Message ID 20250401130840.72119-12-roger.pau@citrix.com
State New
Series x86/EFI: prevent write-execute sections

Commit Message

Roger Pau Monne April 1, 2025, 1:08 p.m. UTC
Such an OVMF build does honor the PE section attributes, and will not blindly
create all section mappings with read-write-execute permissions.

The strict NX build is only available in the Fedora edk2-experimental
package, so add the required dependencies to run a QEMU EFI job on the
Fedora 41 container and use it for the test.

Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>
---
 automation/build/fedora/41-x86_64.dockerfile |  5 +++++
 automation/gitlab-ci/test.yaml               |  9 ++++++++
 automation/scripts/qemu-smoke-x86-64-efi.sh  | 22 ++++++++++++++++----
 3 files changed, 32 insertions(+), 4 deletions(-)

Comments

Andrew Cooper April 1, 2025, 2:23 p.m. UTC | #1
On 01/04/2025 2:08 pm, Roger Pau Monne wrote:
> Such an OVMF build does honor the PE section attributes, and will not blindly
> create all section mappings with read-write-execute permissions.
>
> The strict NX build is only available in the Fedora edk2-experimental
> package, so add the required dependencies to run a QEMU EFI job on the
> Fedora 41 container and use it for the test.
>
> Signed-off-by: Roger Pau Monné <roger.pau@citrix.com>

I guess this always has to go last?

It will need a bit of careful gymnastics to deploy the new container
prior to committing this patch, but it shouldn't be difficult.

Alternatively, you can submit hunk 1 in a separate patch and we can get
the new container deployed independently of the rest of the series.

> diff --git a/automation/build/fedora/41-x86_64.dockerfile b/automation/build/fedora/41-x86_64.dockerfile
> index 8032a2098632..84f366ac0643 100644
> --- a/automation/build/fedora/41-x86_64.dockerfile
> +++ b/automation/build/fedora/41-x86_64.dockerfile
> @@ -65,6 +65,11 @@ RUN <<EOF
>          glib2-devel
>          pixman-devel
>          ninja-build
> +
> +        # EFI Strict NX test
> +        qemu-system-x86
> +        edk2-experimental
> +        expect

Please could this follow the pattern in debian.

# for test phase, qemu-smoke-* jobs
expect
qemu-system-x86

# for *-efi-strictnx
edk2-experimental

> diff --git a/automation/scripts/qemu-smoke-x86-64-efi.sh b/automation/scripts/qemu-smoke-x86-64-efi.sh
> index 7572722be6e5..fbb662f1a756 100755
> --- a/automation/scripts/qemu-smoke-x86-64-efi.sh
> +++ b/automation/scripts/qemu-smoke-x86-64-efi.sh
> @@ -4,6 +4,7 @@ set -ex -o pipefail
>  
>  # variant should be either pv or pvh
>  variant=$1

# mode should be nothing, or strict

Also, I'd suggest using mode=strictnx here as it matches both the test
name and the OVMF file name.

Assuming you're ok with these changes, Reviewed-by: Andrew Cooper
<andrew.cooper3@citrix.com> (however you end up splitting).
Patch

diff --git a/automation/build/fedora/41-x86_64.dockerfile b/automation/build/fedora/41-x86_64.dockerfile
index 8032a2098632..84f366ac0643 100644
--- a/automation/build/fedora/41-x86_64.dockerfile
+++ b/automation/build/fedora/41-x86_64.dockerfile
@@ -65,6 +65,11 @@  RUN <<EOF
         glib2-devel
         pixman-devel
         ninja-build
+
+        # EFI Strict NX test
+        qemu-system-x86
+        edk2-experimental
+        expect
     )
 
     dnf -y --setopt=install_weak_deps=False install "${DEPS[@]}"
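Review bot: the single `# EFI Strict NX test` comment lumps the generic test-phase packages (`expect`, `qemu-system-x86`) together with the one package that is actually strictnx-specific (`edk2-experimental`), so a later reader cannot tell which of these dependencies other qemu-smoke jobs on this container could reuse; split them the way the debian dockerfile does, e.g. `# for test phase, qemu-smoke-* jobs` above `expect` / `qemu-system-x86` and `# for *-efi-strictnx` above `edk2-experimental`.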
diff --git a/automation/gitlab-ci/test.yaml b/automation/gitlab-ci/test.yaml
index 225eb4399807..dec14420ab62 100644
--- a/automation/gitlab-ci/test.yaml
+++ b/automation/gitlab-ci/test.yaml
@@ -593,6 +593,15 @@  qemu-smoke-x86-64-gcc-efi:
   needs:
     - debian-12-x86_64-gcc-debug
 
+qemu-smoke-x86-64-gcc-efi-strictnx:
+  extends: .qemu-smoke-x86-64
+  variables:
+    CONTAINER: fedora:41-x86_64
+  script:
+    - ./automation/scripts/qemu-smoke-x86-64-efi.sh pv strict 2>&1 | tee ${LOGFILE}
+  needs:
+    - debian-12-x86_64-gcc-debug
+
 qemu-smoke-riscv64-gcc:
   extends: .qemu-riscv64
   script:
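Review bot: the new job is named `-efi-strictnx` and the firmware it ends up selecting is the `strictnx` OVMF image, but the script is invoked with the mode `strict`, which gives three spellings of the same concept across the series; pass `strictnx` here (and match it in the script's `case`) so that grepping for the job name finds the script invocation and the firmware file together. The `needs:` entry reuses the `debian-12-x86_64-gcc-debug` build artefacts while `CONTAINER` is `fedora:41-x86_64`, which is intentional (the Fedora container only has to supply QEMU and the experimental firmware), but a one-line comment above the job saying so would save the next person from "fixing" the apparent mismatch.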
diff --git a/automation/scripts/qemu-smoke-x86-64-efi.sh b/automation/scripts/qemu-smoke-x86-64-efi.sh
index 7572722be6e5..fbb662f1a756 100755
--- a/automation/scripts/qemu-smoke-x86-64-efi.sh
+++ b/automation/scripts/qemu-smoke-x86-64-efi.sh
@@ -4,6 +4,7 @@  set -ex -o pipefail
 
 # variant should be either pv or pvh
 variant=$1
+mode=$2
 
 # Clone and build XTF
 git clone https://xenbits.xen.org/git-http/xtf.git
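Review bot: `mode=$2` has no explanatory comment while `variant=$1` directly above documents its accepted values; add `# mode should be nothing, or strictnx` (or whatever the final spelling is) so the calling convention is visible at the top of the script. Note that the script sets `-ex -o pipefail` but not `-u`, so an omitted second argument yields an empty `mode` rather than an error, which is exactly what the default branch of the later `case` relies on; worth stating in the comment so nobody adds `set -u` and breaks the existing non-strict job.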
@@ -14,6 +15,19 @@  case $variant in
     *)   k=test-pv64-example     extra= ;;
 esac
 
+case $mode in
+    strict)
+        ovmf_code=/usr/share/edk2/experimental/OVMF_CODE_4M.secboot.strictnx.qcow2
+        ovmf_vars=/usr/share/edk2/ovmf/OVMF_VARS_4M.qcow2
+        ovmf_format=qcow2
+        ;;
+    *)
+        ovmf_code=/usr/share/OVMF/OVMF_CODE.fd
+        ovmf_vars=/usr/share/OVMF/OVMF_VARS.fd
+        ovmf_format=raw
+        ;;
+esac
+
 mkdir -p boot-esp/EFI/BOOT
 cp binaries/xen.efi boot-esp/EFI/BOOT/BOOTX64.EFI
 cp xtf/tests/example/$k boot-esp/EFI/BOOT/kernel
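Review bot: the `*)` branch of `case $mode` silently maps any unrecognised value to the non-strict Debian firmware, so a typo in the CI invocation (`strict` vs `strictnx`, or a future `Strict`) would make the strictnx job pass while actually booting the permissive OVMF, which is precisely the regression this test exists to catch; match the empty string explicitly for the legacy behaviour (`"")`) and make the fallback `*)` print the bad value and `exit 1`. Also consider a comment on the `ovmf_vars` choice: the code image is the `secboot` build but the vars file is the plain `OVMF_VARS_4M.qcow2`, presumably so that no keys are enrolled and the unsigned `xen.efi` still boots; spelling that out prevents someone later switching to the secboot vars file and getting an opaque boot failure.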
@@ -27,13 +41,13 @@  options=loglvl=all console=com1 noreboot console_timestamps=boot $extra
 kernel=kernel
 EOF
 
-cp /usr/share/OVMF/OVMF_CODE.fd OVMF_CODE.fd
-cp /usr/share/OVMF/OVMF_VARS.fd OVMF_VARS.fd
+cp $ovmf_code OVMF_CODE.fd
+cp $ovmf_vars OVMF_VARS.fd
 
 rm -f smoke.serial
 export TEST_CMD="qemu-system-x86_64 -nographic -M q35,kernel-irqchip=split \
-        -drive if=pflash,format=raw,readonly=on,file=OVMF_CODE.fd \
-        -drive if=pflash,format=raw,file=OVMF_VARS.fd \
+        -drive if=pflash,format=${ovmf_format},readonly=on,file=OVMF_CODE.fd \
+        -drive if=pflash,format=${ovmf_format},file=OVMF_VARS.fd \
         -drive file=fat:rw:boot-esp,media=disk,index=0,format=raw \
         -m 512 -monitor none -serial stdio"
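Review bot: `cp $ovmf_code OVMF_CODE.fd` keeps the `.fd` name even when the source is a qcow2 image, which is harmless because `format=${ovmf_format}` is passed explicitly to QEMU, but misleading to anyone inspecting the working directory after a failed run; either carry the source format in the name (`OVMF_CODE.${ovmf_format}`) or add a comment that the name is fixed and the format comes from `ovmf_format`. The two `cp` lines also leave `$ovmf_code` / `$ovmf_vars` unquoted; the current paths have no spaces, but quoting them is cheap and consistent with the `${ovmf_format}` style used inside `TEST_CMD`.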