From: Baskov Evgeniy
To: Ard Biesheuvel
Cc: Baskov Evgeniy, Borislav Petkov, Dave Hansen, Ingo Molnar, Jonathan Corbet, Thomas Gleixner, x86@kernel.org, linux-doc@vger.kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH RFC 0/5] Handle UEFI NX-restricted page tables
Date: Wed, 10 Nov 2021 13:46:08 +0300
Message-Id: <20211110104613.23881-1-baskov@ispras.ru>
X-Mailing-List: linux-kernel@vger.kernel.org

Note that this patch series is an RFC, since it is as yet untested and possibly incompatible with AMD SEV and related extensions.

The UEFI specification states that certain memory regions may not have every permission, i.e. may not be writable or executable. Furthermore, there exist some implementations (at least on i386/x86_64) that restrict execution of memory regions the kernel expects to be executable, e.g. the first megabyte of the address space, where the trampoline for switching between 4- and 5-level paging is placed, and memory regions allocated as loader data.

This patch series allows the Linux kernel to boot on such UEFI implementations on i386 and x86_64. The simplest way to achieve that on i386 is to disable paging before jumping to potentially relocated code. x86_64, on the other hand, does not allow disabling paging, so temporary page tables have to be built that map the memory regions the Linux kernel needs to boot with appropriate access permissions.

Baskov Evgeniy (5):
  Docs: document notemppt option
  efi: Add option for handling efi memory protection
  libstub: build temporary page table without NX-bit
  efi/x86_64: set page table if provided by libstub
  efi/x86: Disable paging when booting via efistub

 Documentation/admin-guide/kernel-parameters.txt |   7
 arch/x86/boot/compressed/head_32.S              |  12 +
 arch/x86/boot/compressed/head_64.S              |  12 +
 drivers/firmware/efi/Kconfig                    |  17 ++
 drivers/firmware/efi/libstub/Makefile           |   2
 drivers/firmware/efi/libstub/efi-stub-helper.c  |   3
 drivers/firmware/efi/libstub/efistub.h          |  10 +
 drivers/firmware/efi/libstub/temp-pgtable.c     | 190 ++++++++++++++++++++++++
 drivers/firmware/efi/libstub/x86-stub.c         |   8 -
 9 files changed, 258 insertions(+), 3 deletions(-)
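The x86_64 half of the cover letter (temporary page tables without the NX bit, because the firmware's own tables mark the low megabyte and loader data no-execute) is easier to reason about with a concrete table in hand. What follows is an added user-space model written for this page; it is not the series' temp-pgtable.c and none of its names (pool, identity_map_2m, walk, build_*) are kernel or libstub identifiers. It identity-maps a range with 2 MiB pages into a 4-level hierarchy, once the way a restrictive firmware would (NX on the leaves) and once the way a stub replacement would (no NX), and a software walker reports whether a given address ends up executable. The walker ORs the NX bit across every level, which is how the hardware treats it: a clear leaf does not help if a PDPT or PD entry above it carries NX, so a replacement table must build fresh intermediate entries rather than reuse the firmware's. The model uses 4-level paging only; the 5-level switch the letter mentions is out of scope here.

```c
/*
 * Added example, not kernel or libstub code: a user-space model of x86_64
 * 4-level page tables with 2 MiB leaves, used to show why an NX'd firmware
 * map breaks the low-memory trampoline and what a no-NX replacement looks
 * like. "Physical addresses" of tables are indices into a static pool.
 */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PTE_P     (1ULL << 0)                /* present */
#define PTE_RW    (1ULL << 1)                /* writable */
#define PTE_PS    (1ULL << 7)                /* 2 MiB leaf at the PD level */
#define PTE_NX    (1ULL << 63)               /* no-execute */
#define PTE_ADDR  0x000ffffffffff000ULL      /* physical address bits 12..51 */

#define TBL_ENTRIES 512
#define MAX_TABLES  16                       /* model capacity, assumption */
#define PAGE_2M     (2ULL << 20)

typedef uint64_t pte_t;

/* Pool of 4 KiB tables; a table's model "physical address" is index << 12. */
static pte_t pool[MAX_TABLES][TBL_ENTRIES];
static unsigned pool_used;

static void pool_reset(void) { pool_used = 0; }

static uint64_t new_table(void)
{
    if (pool_used >= MAX_TABLES) abort();
    memset(pool[pool_used], 0, sizeof pool[0]);
    return (uint64_t)pool_used++ * 4096;
}

static pte_t *table_at(uint64_t pa) { return pool[pa >> 12]; }

/* Identity-map [start, end) with 2 MiB pages under root. leaf_flags carries
 * RW and/or NX. Intermediate entries are created without NX on purpose: NX
 * at any level of the walk makes the whole range non-executable. */
static void identity_map_2m(uint64_t root, uint64_t start, uint64_t end, pte_t leaf_flags)
{
    for (uint64_t pa = start & ~(PAGE_2M - 1); pa < end; pa += PAGE_2M) {
        unsigned i4 = (pa >> 39) & 0x1ff, i3 = (pa >> 30) & 0x1ff, i2 = (pa >> 21) & 0x1ff;
        pte_t *pml4 = table_at(root);
        if (!(pml4[i4] & PTE_P))
            pml4[i4] = new_table() | PTE_P | PTE_RW;
        pte_t *pdpt = table_at(pml4[i4] & PTE_ADDR);
        if (!(pdpt[i3] & PTE_P))
            pdpt[i3] = new_table() | PTE_P | PTE_RW;
        pte_t *pd = table_at(pdpt[i3] & PTE_ADDR);
        pd[i2] = pa | PTE_P | PTE_PS | leaf_flags;
    }
}

enum walk_result { NOT_PRESENT, MAPPED_NX, MAPPED_EXEC };

/* Software page walk: follow PML4 -> PDPT -> PD and report execute permission.
 * NX is effective if it is set in ANY entry on the path, matching hardware. */
static enum walk_result walk(uint64_t root, uint64_t va)
{
    pte_t e4 = table_at(root)[(va >> 39) & 0x1ff];
    if (!(e4 & PTE_P)) return NOT_PRESENT;
    pte_t e3 = table_at(e4 & PTE_ADDR)[(va >> 30) & 0x1ff];
    if (!(e3 & PTE_P)) return NOT_PRESENT;
    pte_t e2 = table_at(e3 & PTE_ADDR)[(va >> 21) & 0x1ff];
    if (!(e2 & PTE_P)) return NOT_PRESENT;          /* only 2 MiB leaves here */
    bool nx = ((e4 | e3 | e2) & PTE_NX) != 0;
    return nx ? MAPPED_NX : MAPPED_EXEC;
}

/* Firmware-like map: low 64 MiB identity-mapped, everything NX (constructed). */
static uint64_t build_firmware_like_tables(void)
{
    uint64_t root = new_table();
    identity_map_2m(root, 0, 64ULL << 20, PTE_RW | PTE_NX);
    return root;
}

/* Stub-style replacement: same range, leaves without NX so the trampoline in
 * the first MiB and loader data can execute. */
static uint64_t build_temp_tables_no_nx(void)
{
    uint64_t root = new_table();
    identity_map_2m(root, 0, 64ULL << 20, PTE_RW);
    return root;
}

int main(void)
{
    pool_reset();
    uint64_t fw = build_firmware_like_tables();
    uint64_t tmp = build_temp_tables_no_nx();
    uint64_t trampoline = 0x9000;                  /* some low-MiB address */
    printf("firmware map: %s\n", walk(fw, trampoline) == MAPPED_EXEC ? "exec" : "NX");
    printf("temp map:     %s\n", walk(tmp, trampoline) == MAPPED_EXEC ? "exec" : "NX");
    return 0;
}
```

The check a practitioner would add before switching CR3 to such a table is the walk above applied to every region the stub is about to jump into (the trampoline, the relocated kernel, loader-data allocations); if any of them returns MAPPED_NX or NOT_PRESENT, the table is not yet usable.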