1 files changed, 27 insertions, 0 deletions

diff --git a/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
new file mode 100644
index 000000000..1b216d0d1
--- /dev/null
+++ b/debian/patches/debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
@@ -0,0 +1,27 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 16 Feb 2016 02:45:42 +0000
+Subject: [i386/686-pae] PCI: Set pci=nobios by default
+Forwarded: not-needed
+
+CONFIG_PCI_GOBIOS results in physical addresses 640KB-1MB being mapped
+W+X, which is undesirable for security reasons and will result in a
+warning at boot now that we enable CONFIG_DEBUG_WX.
+
+This can be overridden using the kernel parameter "pci=nobios", but we
+want to disable W+X by default.  Disable PCI BIOS probing by default;
+it can still be enabled using "pci=bios".
+
+---
+--- a/arch/x86/pci/common.c
++++ b/arch/x86/pci/common.c
+@@ -21,8 +21,8 @@
+ #include <asm/setup.h>
+ #include <asm/irqdomain.h>
+ 
+-unsigned int pci_probe = PCI_PROBE_BIOS | PCI_PROBE_CONF1 | PCI_PROBE_CONF2 |
+-				PCI_PROBE_MMCONF;
++unsigned int pci_probe = PCI_PROBE_CONF1 | PCI_PROBE_CONF2 | PCI_PROBE_MMCONF |
++	(IS_ENABLED(CONFIG_X86_64) || IS_ENABLED(CONFIG_X86_PAE) ? 0 : PCI_PROBE_BIOS);
+ 
+ static int pci_bf_sort;
+ int pci_routeirq;