RHEL-15513: Enable NX support in the x86 EFI stub and kernel decompressor

JIRA: https://issues.redhat.com/browse/RHEL-15513

Update the x86 early boot flow through the EFI stub and the kernel decompressor such that it can work correctly when NX is enforced by the EFI firmware and the boot loader.

Omitted-fix: 5353fff29e42

That omitted fix makes changes to scripts/head-object-list.txt. RHEL9 does not have scripts/head-object-list.txt, which was added in 6.1 and is not required by this patch set.

Regression Testing:

This patch set primarily affects the very early x86_64 EFI kernel boot path. However, some early boot code that is common to aarch64 EFI and x86_64 BIOS boot was also touched. Additionally, the kernel image file header was touched, which could affect kdump/kexec. As such, these changes were booted via the stock shim and grub on x86_64 EFI, x86_64 BIOS, aarch64, and were booted directly from the EFI shell on x86_64 and aarch64. These changes were also booted on an x86_64 system with AMD SEV enabled. Successful start of the kdump.service was checked on each of those and successful operation of the crash kernel was verified via a forced panic.

Functional Testing:

These changes were booted via shim and grub in a VM using a specially built OVMF that enables NX protection on all non-code EFI memory allocations and NX protection on the stack.

The Microsoft image validation tool ./edk2toolext/image_validation.py from https://github.com/tianocore/edk2-pytool-extensions.git was used on the resultant kernel image to verify compliance with the statically verifiable NX requirements for EFI images.

Signed-off-by: Lenny Szubowicz lszubowi@redhat.com