Received: by 2002:a05:6358:bb9e:b0:b9:5105:a5b4 with SMTP id df30csp2189070rwb; Sun, 4 Sep 2022 10:07:50 -0700 (PDT) X-Google-Smtp-Source: AA6agR61bcckSYM0R9CLk4/aKOYwCOjTHt2HjW5c64+r4ld9y/RsCAx4vSnpdbzu8vBj0T4b2BLw X-Received: by 2002:a05:6402:1f86:b0:447:8edd:1c4b with SMTP id c6-20020a0564021f8600b004478edd1c4bmr39640246edc.163.1662311270067; Sun, 04 Sep 2022 10:07:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1662311270; cv=none; d=google.com; s=arc-20160816; b=hJtbBTDeWH0cagIu5dmIFWlFTYtGqSCx3Ku7tOdo0Fork08cURwBXLg3VaSWPEDctQ 319PZoJIknjS7B5kJ9MM01vNhsiZDqIorlGObvA06c7b9j4Sr7W1Jv0e0XzuqvzASxzr owi0P/s9QUWQai9vp6p/hnGVgQDUnKBoQLeHE4tbGDNpOJXJxyhILHZLJ1AiMdFXkXep djUxlty6EqL6GShQebQlZ6umFbtt7RKXo7c0yL/ALhdns15MJQwKeZRYWnq8YRM5tS7k MYe86xV9AB9PTpB0mkWJ/vmmmKY82vTnWJY/DHP7+Me5gUuVK+kNCUrj9xRuMud78aMj 6qiw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=YXNcAp0liMqxmL43DGQLzGIaJVjmZ/8F5Gi+IgHDjE0=; b=qQ5Qxo+iY2BcCs3j6lOSA676FZT1luswpLrfDt7FVFygEzawpg/D3sEdUyDEE5/mUe F7fnTTWYkJnv7TA3HCmeU08Qg6WoVQd4M3FXwYCIni+Ehqu38iuEZ1a5Lek+hW5sh+uN tUAKuycQADVGHVcyRcD4HPtp/35pdDpwzHXN3TcV5bEYe1oK/tWye9gsLL0dJ7PTlIrz alFDZcTWscQu0a5Y2BQa/ON3x7Jw4t/+zCPSrz9Ryq7/HdM2er3QYYQGAoP33ujoykxl XKQGbxQDBBStdiBY/ih9zRFlDqLefbULpz0kKZLGfFitqvuB5sdBpS5TdJO2ZJLCiCqM 2cfQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=hLM4cvDc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id k18-20020a50c092000000b0043bb9745c2esi6080970edf.172.2022.09.04.10.07.12; Sun, 04 Sep 2022 10:07:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@zx2c4.com header.s=20210105 header.b=hLM4cvDc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=zx2c4.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234342AbiIDQxj (ORCPT + 99 others); Sun, 4 Sep 2022 12:53:39 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56192 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230337AbiIDQxg (ORCPT ); Sun, 4 Sep 2022 12:53:36 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E7CAD220C8; Sun, 4 Sep 2022 09:53:35 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 87C7260F77; Sun, 4 Sep 2022 16:53:35 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 2D01DC433B5; Sun, 4 Sep 2022 16:53:34 +0000 (UTC) Authentication-Results: smtp.kernel.org; dkim=pass (1024-bit key) header.d=zx2c4.com header.i=@zx2c4.com header.b="hLM4cvDc" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=zx2c4.com; s=20210105; t=1662310412; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=YXNcAp0liMqxmL43DGQLzGIaJVjmZ/8F5Gi+IgHDjE0=; b=hLM4cvDcwMMrumPGPOpyNhk18viVfOQeL1tnv6RewDiAP+Vl5Y4jRfRJ/S7R72v0aJ0Jly lkrVUANi/E2IqaJKJoJ0Q0k544veLxrapXSmPQS3rbH/WqpILwrloypkMkt+ShKLCzL7zp Ed1etqpCAM+7lP4uM+VibNOMo92xDlQ= Received: by mail.zx2c4.com (ZX2C4 Mail Server) with ESMTPSA id 530cf8f3 (TLSv1.3:TLS_AES_256_GCM_SHA384:256:NO); Sun, 4 Sep 2022 16:53:32 +0000 (UTC) From: "Jason A. Donenfeld" To: linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, x86@kernel.org, ardb@kernel.org, bp@alien8.de Cc: "Jason A . Donenfeld" Subject: [PATCH] efi: x86: Wipe setup_data on pure EFI boot Date: Sun, 4 Sep 2022 18:53:21 +0200 Message-Id: <20220904165321.1140894-1-Jason@zx2c4.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-6.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ard Biesheuvel When booting the x86 kernel via EFI using the LoadImage/StartImage boot services [as opposed to the deprecated EFI handover protocol], the setup header is taken from the image directly, and given that EFI's LoadImage has no Linux/x86 specific knowledge regarding struct bootparams or struct setup_header, any absolute addresses in the setup header must originate from the file and not from a prior loading stage. Since we cannot generally predict where LoadImage() decides to load an image (*), such absolute addresses must be treated as suspect: even if a prior boot stage intended to make them point somewhere inside the [signed] image, there is no way to validate that, and if they point at an arbitrary location in memory, the setup_data nodes will not be covered by any signatures or TPM measurements either, and could be made to contain an arbitrary sequence of SETUP_xxx nodes, which could interfere quite badly with the early x86 boot sequence. (*) Note that, while LoadImage() does take a buffer/size tuple in addition to a device path, which can be used to provide the image contents directly, it will re-allocate such images, as the memory footprint of an image is generally larger than the PE/COFF file representation. Next, in order to allow hypervisors to still use setup_data in scenarios where it may be useful, bump the x86 boot protocol version, so that hypervisors, e.g. QEMU in the linked patch, can do the right thing automatically depending on whether it is safe. Link: https://lore.kernel.org/qemu-devel/20220904165058.1140503-1-Jason@zx2c4.com/ Coauthored-by: Ard Biesheuvel Signed-off-by: Jason A. Donenfeld --- arch/x86/boot/header.S | 2 +- drivers/firmware/efi/libstub/x86-stub.c | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S index f912d7770130..e4e2d6e33924 100644 --- a/arch/x86/boot/header.S +++ b/arch/x86/boot/header.S @@ -307,7 +307,7 @@ _start: # Part 2 of the header, from the old setup.S .ascii "HdrS" # header signature - .word 0x020f # header version number (>= 0x0105) + .word 0x0210 # header version number (>= 0x0105) # or else old loadlin-1.5 will fail) .globl realmode_swtch realmode_swtch: .word 0, 0 # default_switch, SETUPSEG diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index 05ae8bcc9d67..9780f32a9f24 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -517,6 +517,13 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle, hdr->ramdisk_image = 0; hdr->ramdisk_size = 0; + /* + * Disregard any setup data that was provided by the bootloader: + * setup_data could be pointing anywhere, and we have no way of + * authenticating or validating the payload. + */ + hdr->setup_data = 0; + efi_stub_entry(handle, sys_table_arg, boot_params); /* not reached */ -- 2.37.3