Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1757204AbcC2M1F (ORCPT <rfc822;w@1wt.eu>);
	Tue, 29 Mar 2016 08:27:05 -0400
Received: from mail-wm0-f53.google.com ([74.125.82.53]:35974 "EHLO
	mail-wm0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1756956AbcC2M1C (ORCPT
	<rfc822;linux-kernel@vger.kernel.org>);
	Tue, 29 Mar 2016 08:27:02 -0400
Date: Tue, 29 Mar 2016 13:26:58 +0100
From: Matt Fleming <matt@codeblueprint.co.uk>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: "linux-efi@vger.kernel.org" <linux-efi@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        joeyli <jlee@suse.com>, Kweh Hock Leong <hock.leong.kweh@intel.com>,
        Borislav Petkov <bp@alien8.de>, Mark Salter <msalter@redhat.com>,
        Peter Jones <pjones@redhat.com>,
        "Bryan O'Donoghue" <pure.logic@nexus-software.ie>
Subject: Re: [PATCH 2/4] efi: Capsule update support
Message-ID: <20160329122658.GC3625@codeblueprint.co.uk>
References: <1458219431-24741-1-git-send-email-matt@codeblueprint.co.uk>
 <1458219431-24741-3-git-send-email-matt@codeblueprint.co.uk>
 <CAKv+Gu8fX7x1x3Od5ThxyFxux_NKDx59PNedkgSfn_V0yg_NQQ@mail.gmail.com>
 <20160321203159.GF11676@codeblueprint.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20160321203159.GF11676@codeblueprint.co.uk>
User-Agent: Mutt/1.5.24+41 (02bc14ed1569) (2015-08-30)
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1441
Lines: 41

On Mon, 21 Mar, at 08:31:59PM, Matt Fleming wrote:
> 
> Good question. They're not handled in any special way with this patch
> series, so the firmware will just initiate its own reset inside of
> UpdateCapsule().
> 
> That's probably not what we want, because things like on-disk
> consistency are not guaranteed if the machine spontaneously reboots
> without assistance from the kernel.
> 
> The simplest thing to do is to refuse to pass such capsules to the
> firmware, since it's likely not going to be a common use case. But
> maybe that's overly restrictive.
> 
> Let me have a think about that one.

OK, I did think about this, and until someone actually requests the
ability to handle CAPSULE_FLAGS_INITIATE_RESET, I'm happy to just punt
on the problem. Anyone got any objections?

---

diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c
index dac25208ad5e..84450e9cdf41 100644
--- a/drivers/firmware/efi/capsule.c
+++ b/drivers/firmware/efi/capsule.c
@@ -84,6 +84,14 @@ int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset)
 	u64 max_size;
 	int rv = 0;
 
+	/*
+	 * We do not handle firmware-initiated reset because that
+	 * would require us to prepare the kernel for reboot. Refuse
+	 * to load any capsules with that flag.
+	 */
+	if (flags & EFI_CAPSULE_INITIATE_RESET)
+		return -EINVAL;
+
 	capsule = kmalloc(sizeof(*capsule), GFP_KERNEL);
 	if (!capsule)
 		return -ENOMEM;