[efi] Enable stack protection where possible

Enable -fstack-protector for EFI builds, where binary size is less critical than for BIOS builds. The stack cookie must be constructed immediately on entry, which prohibits the use of any viable entropy source. Construct a cookie by XORing together various mildly random quantities to produce a value that will at least not be identical on each run. On detecting a stack corruption, attempt to call Exit() with an appropriate error. If that fails, then lock up the machine since there is no other safe action that can be taken. The old conditional check for support of -fno-stack-protector is omitted since this flag dates back to GCC 4.1. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2025-12-20 03:55:46 +03:00 · 2020-06-23 23:08:49 +01:00
parent 8830f2f351
commit a61b27b97f
6 changed files with 115 additions and 11 deletions
--- a/src/include/ipxe/efi/efi.h
+++ b/src/include/ipxe/efi/efi.h
@@ -65,6 +65,8 @@ typedef struct {} *EFI_HANDLE;

 #include <ipxe/tables.h>
 #include <ipxe/uuid.h>
+#include <ipxe/version.h>
+#include <ipxe/profile.h>

 /** An EFI protocol used by iPXE */
 struct efi_protocol {
@@ -272,6 +274,36 @@ extern void dbg_efi_protocols ( EFI_HANDLE handle );
 #define DBGCP_EFI_PROTOCOLS( ... )				\
 	DBGC_EFI_PROTOCOLS_IF ( PROFILE, ##__VA_ARGS__ )

+extern unsigned long __stack_chk_guard;
+extern unsigned long efi_stack_cookie ( EFI_HANDLE handle );
+extern void __stack_chk_fail ( void );
+
+/**
+ * Initialise stack cookie
+ *
+ * @v handle		Image handle
+ */
+static inline __attribute__ (( always_inline )) void
+efi_init_stack_guard ( EFI_HANDLE handle ) {
+
+	/* The calling function must not itself use stack protection,
+	 * since the change in the stack guard value would trigger a
+	 * false positive.
+	 *
+	 * There is unfortunately no way to annotate a function to
+	 * exclude the use of stack protection.  We must therefore
+	 * rely on correctly anticipating the compiler's decision on
+	 * the use of stack protection.
+	 *
+	 * The calculation of the stack cookie value deliberately
+	 * takes the address of a stack variable (to provide an
+	 * additional source of entropy).  This operation would
+	 * trigger the application of stack protection to the calling
+	 * function, and so must be externalised.
+	 */
+	__stack_chk_guard = efi_stack_cookie ( handle );
+}
+
 extern EFI_STATUS efi_init ( EFI_HANDLE image_handle,
 			     EFI_SYSTEM_TABLE *systab );