Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp895490imm; Sun, 2 Sep 2018 02:50:17 -0700 (PDT) X-Google-Smtp-Source: ANB0VdYcMc6tIpcCTfjBeOMEbRjr11RfaSO9dMiluidLpuVuSOuv72DgbAnFY3m3BghTft4ToRyI X-Received: by 2002:a63:e811:: with SMTP id s17-v6mr21653044pgh.176.1535881817669; Sun, 02 Sep 2018 02:50:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535881817; cv=none; d=google.com; s=arc-20160816; b=jMxZlvIsXY5wmhIXmT3okIs/DU+pogTgpnHx/PAlP7tbsss2knInix4wSw/E7LhGhT EK854fGc58N/5XSmboYBlagMVu5q4f26IukBiN8Tf2p7pEBOovyh/eUsdyC3I2VIQFak cBJbqW1BwAnDmFr7qLXUfhYiULUPWdDVP7ttG79MVfUo17qPzvpJWx1Cok4MaDoGakE1 nOn1gaon57UQ0jKAsLSryj3Q5EiJNibG6IsGpPPSKv5WdYsOA1F1cTfgOzK/omrO2l5/ Tf0XL5/L1L6S0unibgg4d7lsFi0TUwszrFOtoPvJ8wBxXksRuM/IbODtwOMpexwo+FXn lSHw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=XNo5lzuzuB5ZV0Jb+Z1ZQKVPsKwQjfTE8K3wbTElLFQ=; b=np2ajsLjqkqajOaF/J/4ANk4GPRsVUzL4EgU4yRoenIdKTxP6WvpcH7xIqzKQbjTR3 WKa6Gdjucf5JNE4/I/ZMLUODLeN/wuTG0qSzDy9Lhe/pmefqTFg99DfoJHjDKJCAAWm/ p+7JGySAVeF5hgFjLczw0Py0vU1NohIKEETckq0GD+CxblTy/FAHDLpV5q292MvKF9E2 HHu08y7CI6UaJBzbrW6cglmob6hJCkhRMr3OZZu0mSgFfrpjFkGwfaP9FUG9G7spU2NY oBceBGaebIC0CL7r7WM0T0IAbdN79CgiRRk9LuFKEQ/9Ke8E7pakEVoZStF2dWBJ+Rup +yWg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q90-v6si15271499pfa.272.2018.09.02.02.49.46; Sun, 02 Sep 2018 02:50:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=intel.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727278AbeIBOC6 (ORCPT + 99 others); Sun, 2 Sep 2018 10:02:58 -0400 Received: from mga07.intel.com ([134.134.136.100]:58897 "EHLO mga07.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727186AbeIBOC6 (ORCPT ); Sun, 2 Sep 2018 10:02:58 -0400 X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga007.jf.intel.com ([10.7.209.58]) by orsmga105.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 Sep 2018 02:47:47 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.53,319,1531810800"; d="scan'208";a="69718305" Received: from sai-dev-mach.sc.intel.com ([143.183.140.52]) by orsmga007.jf.intel.com with ESMTP; 02 Sep 2018 02:47:47 -0700 From: Sai Praneeth Prakhya To: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org Cc: ricardo.neri@intel.com, matt@codeblueprint.co.uk, Sai Praneeth , Lee Chun-Yi , Al Stone , Borislav Petkov , Ingo Molnar , Andy Lutomirski , Bhupesh Sharma , Peter Zijlstra , Ard Biesheuvel Subject: [PATCH V2 6/6] x86/efi: Introduce EFI_WARN_ON_ILLEGAL_ACCESS Date: Sun, 2 Sep 2018 02:46:34 -0700 Message-Id: <1535881594-25469-7-git-send-email-sai.praneeth.prakhya@intel.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1535881594-25469-1-git-send-email-sai.praneeth.prakhya@intel.com> References: <1535881594-25469-1-git-send-email-sai.praneeth.prakhya@intel.com> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Sai Praneeth There may exist some buggy UEFI firmware implementations that might access efi regions other than EFI_RUNTIME_SERVICES_ even after the kernel has assumed control of the platform. This violates UEFI specification. If selected, this debug option will print a warning message if the UEFI firmware tries to access any memory region which it shouldn't. Along with the warning, the efi page fault handler will also try to fixup/recover from the page fault triggered by the firmware so that the machine doesn't hang. To support this feature, two changes should be made to the existing efi subsystem 1. Map EFI_BOOT_SERVICES_ regions only when EFI_WARN_ON_ILLEGAL_ACCESS is disabled Presently, the kernel maps EFI_BOOT_SERVICES_ regions as a workaround for buggy firmware that accesses them even when they shouldn't. With EFI_WARN_ON_ILLEGAL_ACCESS enabled (and hence efi page fault handler) kernel can now detect and handle such accesses dynamically. Hence, rather than safely mapping EFI_BOOT_SERVICES_ regions *all* the time, map them on demand. 2. If EFI_WARN_ON_ILLEGAL_ACCESS is enabled don't call efi_free_boot_services() Presently, during early boot phase EFI_BOOT_SERVICES_ regions are marked as reserved by kernel (see efi_reserve_boot_services()) and are freed before entering runtime (see efi_free_boot_services()). But, while dynamically fixing page faults caused by the firmware, efi page fault handler assumes that EFI_BOOT_SERVICES_ regions are still intact. Hence, to make this assumption true, don't call efi_free_boot_services() if EFI_WARN_ON_ILLEGAL_ACCESS is enabled. Suggested-by: Matt Fleming Based-on-code-from: Ricardo Neri Signed-off-by: Sai Praneeth Prakhya Cc: Lee Chun-Yi Cc: Al Stone Cc: Borislav Petkov Cc: Ingo Molnar Cc: Andy Lutomirski Cc: Bhupesh Sharma Cc: Peter Zijlstra Cc: Ard Biesheuvel --- arch/x86/Kconfig | 21 +++++++++++++++++++++ arch/x86/platform/efi/efi.c | 4 ++++ arch/x86/platform/efi/quirks.c | 3 +++ 3 files changed, 28 insertions(+) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index f1dbb4ee19d7..0fb1309d510d 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -1957,6 +1957,27 @@ config EFI_MIXED If unsure, say N. +config EFI_WARN_ON_ILLEGAL_ACCESS + bool "Warn about illegal memory accesses by firmware" if EXPERT + depends on EFI + help + Enable this debug feature so that the kernel can detect illegal + memory accesses by firmware and issue a warning. Also, + 1. If the illegally accessed region is EFI_BOOT_SERVICES_, + the kernel fixes it up by mapping the requested region. + 2. If the illegally accessed region is any other region (Eg: + EFI_CONVENTIONAL_MEMORY or EFI_LOADER_), then the + kernel freezes efi_rts_wq and schedules a new process. Also, it + disables EFI Runtime Services, so that it will never again call + buggy firmware. + 3. If the access is to any other efi region like above but if the + buggy efi runtime service is efi_reset_system(), then the + platform is rebooted through BIOS. + Please see the UEFI specification for details on the expectations + of memory usage. + + If unsure, say N. + config SECCOMP def_bool y prompt "Enable seccomp to safely compute untrusted bytecode" diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c index 7d18b7ed5d41..77fbcb798f4e 100644 --- a/arch/x86/platform/efi/efi.c +++ b/arch/x86/platform/efi/efi.c @@ -768,9 +768,13 @@ static bool should_map_region(efi_memory_desc_t *md) /* * Map boot services regions as a workaround for buggy * firmware that accesses them even when they shouldn't. + * (only if CONFIG_EFI_WARN_ON_ILLEGAL_ACCESS is disabled) * * See efi_{reserve,free}_boot_services(). */ + if (IS_ENABLED(CONFIG_EFI_WARN_ON_ILLEGAL_ACCESS)) + return false; + if (md->type == EFI_BOOT_SERVICES_CODE || md->type == EFI_BOOT_SERVICES_DATA) return true; diff --git a/arch/x86/platform/efi/quirks.c b/arch/x86/platform/efi/quirks.c index e38e823382ba..60cb7a8d5371 100644 --- a/arch/x86/platform/efi/quirks.c +++ b/arch/x86/platform/efi/quirks.c @@ -377,6 +377,9 @@ void __init efi_free_boot_services(void) int num_entries = 0; void *new, *new_md; + if (IS_ENABLED(CONFIG_EFI_WARN_ON_ILLEGAL_ACCESS)) + return; + for_each_efi_memory_desc(md) { unsigned long long start = md->phys_addr; unsigned long long size = md->num_pages << EFI_PAGE_SHIFT; -- 2.7.4