arch/x86/Kconfig | 20 ++
arch/x86/include/asm/efi.h | 16 ++
arch/x86/kernel/setup.c | 1 +
arch/x86/platform/efi/Makefile | 4 +-
arch/x86/platform/efi/efi.c | 8 +-
{drivers/firmware => arch/x86/platform}/efi/fake_mem.c | 79 ++++++-
arch/x86/platform/efi/memmap.c | 238 ++++++++++++++++++++
drivers/firmware/efi/Kconfig | 22 --
drivers/firmware/efi/Makefile | 4 -
drivers/firmware/efi/efi.c | 25 +-
drivers/firmware/efi/esrt.c | 18 +-
drivers/firmware/efi/fake_mem.h | 10 -
drivers/firmware/efi/fdtparams.c | 4 +
drivers/firmware/efi/memmap.c | 224 +-----------------
drivers/firmware/efi/x86_fake_mem.c | 75 ------
drivers/xen/efi.c | 58 +++++
include/linux/efi.h | 19 +-
17 files changed, 446 insertions(+), 379 deletions(-)
rename {drivers/firmware => arch/x86/platform}/efi/fake_mem.c (58%)
create mode 100644 arch/x86/platform/efi/memmap.c
delete mode 100644 drivers/firmware/efi/fake_mem.h
delete mode 100644 drivers/firmware/efi/x86_fake_mem.c
This is an alternate approach to addressing the issue that Demi Marie is
attempting to fix in [0] (i.e., ESRT config table exposed to a x86 dom0
is corrupted because it resides in boot services memory as per the EFI
spec, where it gets corrupted by Xen). My main objection to that approach
is that it needs Xen-specific fixes in multiple different places, but we
still end up only fixing the ESRT case specifically.
So instead, I am proposing this series as a more generic way to handle
configuration tables that reside in boot services memory, and confining
the Xen specific logic to the Xen EFI glue code.
Given that EFI boot without a memory map is only permitted on x86 and
only when doing Xen boot, let's clear up some inconsistencies there
first so we can set the EFI_PARAVIRT flag on all architectures that do
pseudo-EFI boot straight into the core kernel (i.e., without going
through the stub). This moves a good chunk of EFI memory map
manipulation code into the x86 arch tree, where it arguably belongs as
no other architectures rely on it. This is implemented in patches 1 - 3.
Patch #4 refactors the ESRT sanity checks on the memory descriptor, by
moving them into the efi_mem_desc_lookup() helper, which should not
return corrupted descriptors in the first place.
Patch #5 adds a Xen hypercall fallback to efi_mem_desc_lookup() when
running under Xen without a EFI memory map, so that, e.g., the existing
ESRT code will perform its validation against the Xen provided
descriptor if no memory map is available.
Patch #6 updates the config table traversal code so that the Xen glue
code can force them to be disregarded, which happens when the table in
question points into a memory region that is not of a type that Xen
automatically reserves. Future changes can refine this logic if needed.
Changes since v1:
- add patch #4
- move Xen descriptor lookup into efi_mem_desc_lookup()
- drop allowlist for ACPI and SMBIOS tables
[0] https://lore.kernel.org/all/cover.1664298147.git.demi@invisiblethingslab.com/
Cc: Demi Marie Obenour <demi@invisiblethingslab.com>
Cc: Peter Jones <pjones@redhat.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: Oleksandr Tyshchenko <oleksandr_tyshchenko@epam.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Anton Vorontsov <anton@enomsg.org>
Cc: Colin Cross <ccross@android.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Ard Biesheuvel (6):
efi: Move EFI fake memmap support into x86 arch tree
efi: memmap: Move manipulation routines into x86 arch tree
efi: xen: Set EFI_PARAVIRT for Xen dom0 boot on all architectures
efi: memmap: Disregard bogus entries instead of returning them
efi: xen: Implement memory descriptor lookup based on hypercall
efi: Apply allowlist to EFI configuration tables when running under
Xen
arch/x86/Kconfig | 20 ++
arch/x86/include/asm/efi.h | 16 ++
arch/x86/kernel/setup.c | 1 +
arch/x86/platform/efi/Makefile | 4 +-
arch/x86/platform/efi/efi.c | 8 +-
{drivers/firmware => arch/x86/platform}/efi/fake_mem.c | 79 ++++++-
arch/x86/platform/efi/memmap.c | 238 ++++++++++++++++++++
drivers/firmware/efi/Kconfig | 22 --
drivers/firmware/efi/Makefile | 4 -
drivers/firmware/efi/efi.c | 25 +-
drivers/firmware/efi/esrt.c | 18 +-
drivers/firmware/efi/fake_mem.h | 10 -
drivers/firmware/efi/fdtparams.c | 4 +
drivers/firmware/efi/memmap.c | 224 +-----------------
drivers/firmware/efi/x86_fake_mem.c | 75 ------
drivers/xen/efi.c | 58 +++++
include/linux/efi.h | 19 +-
17 files changed, 446 insertions(+), 379 deletions(-)
rename {drivers/firmware => arch/x86/platform}/efi/fake_mem.c (58%)
create mode 100644 arch/x86/platform/efi/memmap.c
delete mode 100644 drivers/firmware/efi/fake_mem.h
delete mode 100644 drivers/firmware/efi/x86_fake_mem.c
--
2.35.1
This patch series fixes handling of EFI tables when running under Xen.
These fixes allow the ESRT to be loaded when running paravirtualized in
dom0, making the use of EFI capsule updates possible.
Demi Marie Obenour (5):
efi: memmap: Disregard bogus entries instead of returning them
efi: xen: Implement memory descriptor lookup based on hypercall
efi: Apply allowlist to EFI configuration tables when running under
Xen
efi: Actually enable the ESRT under Xen
efi: Warn if trying to reserve memory under Xen
drivers/firmware/efi/efi.c | 22 ++++++++++++-
drivers/firmware/efi/esrt.c | 15 +++------
drivers/xen/efi.c | 61 +++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 3 ++
4 files changed, 90 insertions(+), 11 deletions(-)
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
On Thu, 19 Jan 2023 at 20:04, Demi Marie Obenour <demi@invisiblethingslab.com> wrote: > > This patch series fixes handling of EFI tables when running under Xen. > These fixes allow the ESRT to be loaded when running paravirtualized in > dom0, making the use of EFI capsule updates possible. > > Demi Marie Obenour (5): > efi: memmap: Disregard bogus entries instead of returning them > efi: xen: Implement memory descriptor lookup based on hypercall > efi: Apply allowlist to EFI configuration tables when running under > Xen > efi: Actually enable the ESRT under Xen > efi: Warn if trying to reserve memory under Xen > I have given these a spin on a system with a dodgy ESRT (the region in question is not covered by the memory map at all), and things are exactly as broken before, which is good. I have queued these up in efi/next now, they should appear in -next tomorrow. > drivers/firmware/efi/efi.c | 22 ++++++++++++- > drivers/firmware/efi/esrt.c | 15 +++------ > drivers/xen/efi.c | 61 +++++++++++++++++++++++++++++++++++++ > include/linux/efi.h | 3 ++ > 4 files changed, 90 insertions(+), 11 deletions(-) > > -- > Sincerely, > Demi Marie Obenour (she/her/hers) > Invisible Things Lab
Xen on x86 boots dom0 in EFI mode but without providing a memory map.
This means that some consistency checks we would like to perform on
configuration tables or other data structures in memory are not
currently possible. Xen does, however, expose EFI memory descriptor
info via a Xen hypercall, so let's wire that up instead. It turns out
that the returned information is not identical to what Linux's
efi_mem_desc_lookup would return: the address returned is the address
passed to the hypercall, and the size returned is the number of bytes
remaining in the configuration table. However, none of the callers of
efi_mem_desc_lookup() currently care about this. In the future, Xen may
gain a hypercall that returns the actual start address, which can be
used instead.
Co-developed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/firmware/efi/efi.c | 5 ++++-
drivers/xen/efi.c | 36 ++++++++++++++++++++++++++++++++++++
include/linux/efi.h | 1 +
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 780caea594e0ffce30abb69bddcccf3bacf25382..bcb848e44e7b1350b10b7c0479c0b38d980fe37d 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -456,7 +456,7 @@ void __init efi_find_mirror(void)
* and if so, populate the supplied memory descriptor with the appropriate
* data.
*/
-int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
+int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
{
efi_memory_desc_t *md;
@@ -490,6 +490,9 @@ int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
return -ENOENT;
}
+extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
+ __weak __alias(__efi_mem_desc_lookup);
+
/*
* Calculate the highest address of an efi memory descriptor.
*/
diff --git a/drivers/xen/efi.c b/drivers/xen/efi.c
index d1ff2186ebb48a7c0981ecb6d4afcbbb25ffcea0..3c792353b7308f9c2bf0a888eda9f827aa9177f8 100644
--- a/drivers/xen/efi.c
+++ b/drivers/xen/efi.c
@@ -26,6 +26,7 @@
#include <xen/interface/xen.h>
#include <xen/interface/platform.h>
+#include <xen/page.h>
#include <xen/xen.h>
#include <xen/xen-ops.h>
@@ -292,3 +293,38 @@ void __init xen_efi_runtime_setup(void)
efi.get_next_high_mono_count = xen_efi_get_next_high_mono_count;
efi.reset_system = xen_efi_reset_system;
}
+
+int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
+{
+ static_assert(XEN_PAGE_SHIFT == EFI_PAGE_SHIFT,
+ "Mismatch between EFI_PAGE_SHIFT and XEN_PAGE_SHIFT");
+ struct xen_platform_op op;
+ union xenpf_efi_info *info = &op.u.firmware_info.u.efi_info;
+ int rc;
+
+ if (!efi_enabled(EFI_PARAVIRT) || efi_enabled(EFI_MEMMAP))
+ return __efi_mem_desc_lookup(phys_addr, out_md);
+ phys_addr &= ~(u64)(EFI_PAGE_SIZE - 1);
+ op = (struct xen_platform_op) {
+ .cmd = XENPF_firmware_info,
+ .u.firmware_info = {
+ .type = XEN_FW_EFI_INFO,
+ .index = XEN_FW_EFI_MEM_INFO,
+ .u.efi_info.mem.addr = phys_addr,
+ .u.efi_info.mem.size = U64_MAX - phys_addr,
+ },
+ };
+
+ rc = HYPERVISOR_platform_op(&op);
+ if (rc) {
+ pr_warn("Failed to lookup header 0x%llx in Xen memory map: error %d\n",
+ phys_addr, rc);
+ }
+
+ out_md->phys_addr = info->mem.addr;
+ out_md->num_pages = info->mem.size >> EFI_PAGE_SHIFT;
+ out_md->type = info->mem.type;
+ out_md->attribute = info->mem.attr;
+
+ return 0;
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index f87b2f5db9f83db6f7488648fe99a8f8fc4fdf04..b407a302b730a6cc7481afa0f582360e59faf1e0 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -724,6 +724,7 @@ extern u64 efi_mem_attribute (unsigned long phys_addr, unsigned long size);
extern int __init efi_uart_console_only (void);
extern u64 efi_mem_desc_end(efi_memory_desc_t *md);
extern int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
+extern int __efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md);
extern void efi_mem_reserve(phys_addr_t addr, u64 size);
extern int efi_mem_reserve_persistent(phys_addr_t addr, u64 size);
extern void efi_initialize_iomem_resources(struct resource *code_resource,
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
As it turns out, Xen does not guarantee that EFI boot services data
regions in memory are preserved, which means that EFI configuration
tables pointing into such memory regions may be corrupted before the
dom0 OS has had a chance to inspect them.
This is causing problems for Qubes OS when it attempts to perform system
firmware updates, which requires that the contents of the EFI System
Resource Table are valid when the fwupd userspace program runs.
However, other configuration tables such as the memory attributes table
or the runtime properties table are equally affected, and so we need a
comprehensive workaround that works for any table type.
So when running under Xen, check the EFI memory descriptor covering the
start of the table, and disregard the table if it does not reside in
memory that is preserved by Xen.
Co-developed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/firmware/efi/efi.c | 7 +++++++
drivers/xen/efi.c | 25 +++++++++++++++++++++++++
include/linux/efi.h | 2 ++
3 files changed, 34 insertions(+)
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index bcb848e44e7b1350b10b7c0479c0b38d980fe37d..b49fcde06ca0ff5347047666f38b9309bd9cfe26 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -564,6 +564,13 @@ static __init int match_config_table(const efi_guid_t *guid,
for (i = 0; efi_guidcmp(table_types[i].guid, NULL_GUID); i++) {
if (!efi_guidcmp(*guid, table_types[i].guid)) {
+ if (IS_ENABLED(CONFIG_XEN_EFI) &&
+ !xen_efi_config_table_is_usable(guid, table)) {
+ if (table_types[i].name[0])
+ pr_cont("(%s=0x%lx) may have been clobbered by Xen ",
+ table_types[i].name, table);
+ return 1;
+ }
*(table_types[i].ptr) = table;
if (table_types[i].name[0])
pr_cont("%s=0x%lx ",
diff --git a/drivers/xen/efi.c b/drivers/xen/efi.c
index 3c792353b7308f9c2bf0a888eda9f827aa9177f8..fb321cd6415a40e8c4d0ad940611adcabe20ab97 100644
--- a/drivers/xen/efi.c
+++ b/drivers/xen/efi.c
@@ -328,3 +328,28 @@ int efi_mem_desc_lookup(u64 phys_addr, efi_memory_desc_t *out_md)
return 0;
}
+
+bool __init xen_efi_config_table_is_usable(const efi_guid_t *guid,
+ unsigned long table)
+{
+ efi_memory_desc_t md;
+ int rc;
+
+ if (!efi_enabled(EFI_PARAVIRT))
+ return true;
+
+ rc = efi_mem_desc_lookup(table, &md);
+ if (rc)
+ return false;
+
+ switch (md.type) {
+ case EFI_RUNTIME_SERVICES_CODE:
+ case EFI_RUNTIME_SERVICES_DATA:
+ case EFI_ACPI_RECLAIM_MEMORY:
+ case EFI_ACPI_MEMORY_NVS:
+ case EFI_RESERVED_TYPE:
+ return true;
+ default:
+ return false;
+ }
+}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index b407a302b730a6cc7481afa0f582360e59faf1e0..b210b50c4bdedaafcce6f63d44f57ff8329d1cfd 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1322,4 +1322,6 @@ struct linux_efi_coco_secret_area {
/* Header of a populated EFI secret area */
#define EFI_SECRET_TABLE_HEADER_GUID EFI_GUID(0x1e74f542, 0x71dd, 0x4d66, 0x96, 0x3e, 0xef, 0x42, 0x87, 0xff, 0x17, 0x3b)
+bool xen_efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table);
+
#endif /* _LINUX_EFI_H */
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
The ESRT can be parsed if EFI_PARAVIRT is enabled, even if EFI_MEMMAP is
not. Also allow the ESRT to be in reclaimable memory, as that is where
future Xen versions will put it.
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/firmware/efi/esrt.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c
index fb9fb70e1004132eff50c712c6fca05f7aeb1d57..87729c365be1a804bb84e0b1ab874042848327b4 100644
--- a/drivers/firmware/efi/esrt.c
+++ b/drivers/firmware/efi/esrt.c
@@ -247,7 +247,7 @@ void __init efi_esrt_init(void)
int rc;
phys_addr_t end;
- if (!efi_enabled(EFI_MEMMAP))
+ if (!efi_enabled(EFI_MEMMAP) && !efi_enabled(EFI_PARAVIRT))
return;
pr_debug("esrt-init: loading.\n");
@@ -258,7 +258,9 @@ void __init efi_esrt_init(void)
if (rc < 0 ||
(!(md.attribute & EFI_MEMORY_RUNTIME) &&
md.type != EFI_BOOT_SERVICES_DATA &&
- md.type != EFI_RUNTIME_SERVICES_DATA)) {
+ md.type != EFI_RUNTIME_SERVICES_DATA &&
+ md.type != EFI_ACPI_RECLAIM_MEMORY &&
+ md.type != EFI_ACPI_MEMORY_NVS)) {
pr_warn("ESRT header is not in the memory map.\n");
return;
}
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
Doing so cannot work and should never happen.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
drivers/firmware/efi/efi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index b49fcde06ca0ff5347047666f38b9309bd9cfe26..902f323499d8acc4f2b846a78993eb201448acad 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -519,6 +519,10 @@ void __init __weak efi_arch_mem_reserve(phys_addr_t addr, u64 size) {}
*/
void __init efi_mem_reserve(phys_addr_t addr, u64 size)
{
+ /* efi_mem_reserve() does not work under Xen */
+ if (WARN_ON_ONCE(efi_enabled(EFI_PARAVIRT)))
+ return;
+
if (!memblock_is_region_reserved(addr, size))
memblock_reserve(addr, size);
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
© 2016 - 2024 Red Hat, Inc.