From 878919d80864301328f3e9c471fe2dce2a8ea61d Mon Sep 17 00:00:00 2001
From: Amlal El Mahrouss <amlal@nekernel.org>
Date: Sun, 11 Jan 2026 15:17:49 +0100
Subject: chore: kernel/boot: Enforce subsystem 17 by default.

Signed-off-by: Amlal El Mahrouss <amlal@nekernel.org>
---
 src/kernel/KernelKit/PE.h     | 2 ++
 src/kernel/src/PE32CodeMgr.cc | 6 ++++++
 2 files changed, 8 insertions(+)

(limited to 'src/kernel')

diff --git a/src/kernel/KernelKit/PE.h b/src/kernel/KernelKit/PE.h
index 751e7ceb..bef39481 100644
--- a/src/kernel/KernelKit/PE.h
+++ b/src/kernel/KernelKit/PE.h
@@ -15,6 +15,8 @@
 #define kPeMachineAMD64 (0x8664)
 #define kPeMachineARM64 (0xaa64)
 
+#define kNeKernelPESubsystem (0x11)
+
 typedef struct LDR_EXEC_HEADER final {
   Kernel::UInt32 Signature;
   Kernel::UInt16 Machine;
diff --git a/src/kernel/src/PE32CodeMgr.cc b/src/kernel/src/PE32CodeMgr.cc
index 517900c4..7f5250fd 100644
--- a/src/kernel/src/PE32CodeMgr.cc
+++ b/src/kernel/src/PE32CodeMgr.cc
@@ -98,6 +98,12 @@ ErrorOr<VoidPtr> PE32Loader::FindSectionByName(const Char* name) {
     return ErrorOr<VoidPtr>{kErrorInvalidData};
   }
 
+#if !defined(__nekernel_allow_non_nekernel_pe)
+  if (opt_header_ptr->Subsystem != kNeKernelPESubsystem) {
+    return ErrorOr<VoidPtr>{kErrorInvalidData};
+  }
+#endif
+
   LDR_SECTION_HEADER_PTR secs =
       (LDR_SECTION_HEADER_PTR) (((Char*) opt_header_ptr) + header_ptr->SizeOfOptionalHeader);
 
-- 
cgit v1.2.3