[PATCH 1/3] Align EFI linking options with recent gnu-efi

0 views
Skip to first unread message

Jan Kiszka

unread,
Aug 22, 2025, 7:32:47 AMAug 22
to efibootg...@googlegroups.com, Christian Storm
From: Jan Kiszka <jan.k...@siemens.com>

Add linker and objcopy switches that gnu-efi uses since 3.0.19 and that
were missing in our configuration so far. Those have no negative impact
with older gnu-efi and toolchains - tested down to Debian 10 setups -
while fixing some gaps with gnu-efi 3.0.19. These gaps break validation
of signatures with EFI runtimes, specifically U-Boot. Seen on armhf.

There are two exceptions in the alignment:

We do not replace -shared with -pie --no-dynamic-linker as that is
breaking with older build environments while -shared is fine for all
versions.

And then we need to keep .dynsym for 3.0.15 and older because arm64 is
otherwise breaking.

Signed-off-by: Jan Kiszka <jan.k...@siemens.com>
---
Makefile.am | 21 ++++++++++++++-------
configure.ac | 7 ++++++-
2 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index f2d6241..35eb08c 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
#
# EFI Boot Guard
#
-# Copyright (c) Siemens AG, 2017
+# Copyright (c) Siemens AG, 2017-2025
#
# Authors:
# Claudius Heine <c...@denx.de>
@@ -286,8 +286,11 @@ efi_ldflags = \
-shared \
-Bsymbolic \
-nostdlib \
- -znoexecstack \
- -znocombreloc \
+ -z noexecstack \
+ -z nocombreloc \
+ -z norelro \
+ -z common-page-size=4096 \
+ -z max-page-size=4096 \
--warn-common \
--no-undefined \
--fatal-warnings \
@@ -306,6 +309,11 @@ objcopy_format = --target=efi-app-$(ARCH)
endif
endif

+efi_sections = \
+ -j .text -j .sdata -j .data -j .dynamic -j .rodata \
+ -j .rel -j .rela -j .rel.* -j .rela.* -j .rel* -j .rela* -j .areloc \
+ -j .reloc $(EXTRA_EFI_SECTIONS)
+
efi_objects_pre1 = $(efi_sources:.c=.o)
efi_objects_pre2 = $(efi_objects_pre1:.S=.o)
efi_objects = $(addprefix $(top_builddir)/,$(efi_objects_pre2))
@@ -352,8 +360,8 @@ $(efi_solib): $(efi_objects)
nm -D -u $@ | grep ' U ' && exit 1 || :

$(efi_loadername): $(efi_solib)
- $(AM_V_GEN) $(OBJCOPY) -j .text -j .wdfuncs -j .sdata -j .data -j .dynamic \
- -j .dynsym -j .rodata -j .rel* $(objcopy_format) $< $@
+ $(AM_V_GEN) $(OBJCOPY) $(efi_sections) -j .wdfuncs \
+ $(objcopy_format) $< $@

$(kernel_stub_solib): $(kernel_stub_objects)
$(AM_V_CCLD)$(LD) $(efi_ldflags) $(kernel_stub_objects) \
@@ -361,8 +369,7 @@ $(kernel_stub_solib): $(kernel_stub_objects)
nm -D -u $@ | grep ' U ' && exit 1 || :

$(kernel_stub_name): $(kernel_stub_solib)
- $(AM_V_GEN) $(OBJCOPY) -j .text -j .sdata -j .data -j .dynamic \
- -j .dynsym -j .rodata -j .rel* $(objcopy_format) $< $@
+ $(AM_V_GEN) $(OBJCOPY) $(efi_sections) $(objcopy_format) $< $@

endif # BOOTLOADER

diff --git a/configure.ac b/configure.ac
index 16d25b9..59f9e03 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
#
# EFI Boot Guard
#
-# Copyright (c) Siemens AG, 2017
+# Copyright (c) Siemens AG, 2017-2025
#
# Authors:
# Claudius Heine <c...@denx.de>
@@ -255,6 +255,11 @@ AS_IF([test -z "$ARCH_IS_X86_FALSE" -a $GNU_EFI_VERSION -eq 0],
[LDFLAGS_NO_WARN_RWX_SEGMENTS=])
AC_SUBST([LDFLAGS_NO_WARN_RWX_SEGMENTS])])

+# Keep .dynsym section for gnu-efi 3.0.15 or older
+AS_IF([test $GNU_EFI_VERSION -eq 0],
+ EXTRA_EFI_SECTIONS="-j .dynsym"
+ AC_SUBST([EXTRA_EFI_SECTIONS]))
+
AS_IF([test "x$enable_bootloader" != "xno"],
[
PKG_CHECK_MODULES(LIBPCI, libpci)
--
2.43.0

Jan Kiszka

unread,
Aug 22, 2025, 7:32:47 AMAug 22
to efibootg...@googlegroups.com, Christian Storm
Despite all the changes here as well as in gnu-efi upstream, we still
had issues with wholes in the arm 32-bit EFI binaries we built when
using gnu-efi 3.0.19 or newer. These wholes did not prevent to sign the
binaries, and also sbverify was validating them successfully but it
already warned that the result could lead to different checksums. And
that was actually the case for U-Boot as EFI provider.

There were multiple reasons for the wholes such as empty sections that
still used space or the wdfuncs section that could not be known to the
linker script of gnu-efi but required in the final EFI image.

This series resolves the wholes while keeping things fine for older
gnu-efi versions. Successfully tested with buster (3.0.9) through trixie
(3.0.19 + [1]) on all supported archs (riscv64 only on trixie).

Jan

[1] https://github.com/ncroxon/gnu-efi/commit/24a4cd0e5653fd84b004c00c808c45cc3fb7a7e2

Jan Kiszka (3):
Align EFI linking options with recent gnu-efi
Do exploit constructors for registering drivers
Makefile: Drop no longer needed assembly rule

Makefile.am | 24 +++++++++++++---------
configure.ac | 8 +++++++-
drivers/watchdog/wdfuncs_end.c | 10 ++++++---
drivers/watchdog/wdfuncs_start.c | 10 ++++++---
include/utils.h | 19 ++++++++++++-----
main.c | 35 ++++++++++++++++++++++++--------
scripts/cppcheck.sh | 5 +++--
7 files changed, 79 insertions(+), 32 deletions(-)

--
2.43.0

Jan Kiszka

unread,
Aug 22, 2025, 8:23:36 AMAug 22
to efibootg...@googlegroups.com, Christian Storm
Not all gaps are gone, though, but that is an upstream gnu-efi topic:

https://github.com/ncroxon/gnu-efi/issues/79

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center
Reply all
Reply to author
Forward
0 new messages