Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp543085rwb; Fri, 23 Sep 2022 00:04:20 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5WbQDus4Hr1Oznc/NCVdH5w4z0xuUF4N5YBwH92O7UOHFzkdmSOxo2jRXqW0PLoefXyVrZ X-Received: by 2002:a17:907:c03:b0:781:fd5a:c093 with SMTP id ga3-20020a1709070c0300b00781fd5ac093mr5843480ejc.89.1663916660022; Fri, 23 Sep 2022 00:04:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1663916660; cv=none; d=google.com; s=arc-20160816; b=h6dKlQMUF45Lv3R1BtsQPuMKtU3dYbhTjAmaff2fDNhnZRupam8ZBvaEVEXZjBLnbd YYdmphUIps27WWD6bDLmmpR/Trd0fm+B021ZlUCGXsmgUSmiJTDVzCpEYLkPfwRBpCrw JMR5y5zv7LNefmT1rsICQDJ//cdz2Vz3lTdDWxlzMdAlGYd1FmMpH3lNwdJEAibGJTeh 6TkjMOjdKJCUxPwd0hO95xxNulskI39L0PFf3B6J1hWanNpYfbSoBxSBE/vYOlcfr1zF 7lg77g/a+HhDnQbppiAVVk0TbkTMLa0btFg1jmZa4QUaIRTW7mV01dgO8aZNFDRVBGfs QjLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=jfb0l91mmTFM4k5+DNZ5PLB0sibGWAmt5kJhinFIlSE=; b=Qv2h44A2QwLgHKnQWJqyzKbBWw3oHjiPASnsKbbGdDX5zDU9ySnLrUTuITOdvVu2fg 9hDSAbciyQ+c0ItTOc9gnWN5dgF57RK7fEpL/Rp2YAApN9K7ALYvcY/t3TQxp7A5Sc81 PwoUCVEKdCR5ZK8QZTja3dy6YpC36ZofPeeGImad5PPlVVk8L2b9XUr8mb2IryLy5JKI rD/JunoqVtYRBXcxw/m1foWYiABePwlF5Umsa4SEvxfjdNgOLonSme8wLfdltGOCqHuV yr/TUFuohMzI72rd3DdE3nvDxKm71E9rVCbBKZHFL9JGEuTj+b1O1iqArV9v82zyumO3 9Z/Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=u4aTG+Iw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p34-20020a056402502200b004359f471717si7120172eda.0.2022.09.23.00.03.54; Fri, 23 Sep 2022 00:04:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=u4aTG+Iw; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229826AbiIWGps (ORCPT + 99 others); Fri, 23 Sep 2022 02:45:48 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48848 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229795AbiIWGpp (ORCPT ); Fri, 23 Sep 2022 02:45:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C4B48E62C1; Thu, 22 Sep 2022 23:45:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 618AF61542; Fri, 23 Sep 2022 06:45:43 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BE644C433C1; Fri, 23 Sep 2022 06:45:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1663915542; bh=1dqZG9KYhb+QJsNASHj0txSg1wAN7+87wEVN0W2xa4o=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=u4aTG+IwaZFLv4dqMFB/IAkYpRnuCC8PHqngiMx8FYghze128xymvlOteCf9x7M1P UpDCGPgRbNceRJKdJptnomKSWyGfGE7LcAh2ZiJdtSuABZtlWOcX73FyToVCKV+H03 NrPHSQ1Qhiwv9LORapYBsDw0RwMaJJOwo5CEda/ypT3y/0x6qIYsndd1pYm4BuPN16 xxQ305nb9o3A7uvgRS8VtP8DbpiGJjLP9uK0FI85VrcEVBPS47yNbdZG3WakWTmJd/ 4JdblpmHM/tWEbrGfptTTBJUmPCwbOgSofUUXR2bGNu+eAuKbHmco4xYj9q1vXN9+r 8evp6LQAx2j8Q== Received: by mail-lf1-f49.google.com with SMTP id a3so18264527lfk.9; Thu, 22 Sep 2022 23:45:42 -0700 (PDT) X-Gm-Message-State: ACrzQf0+/KHM9bjO8qGUBau8FiSbH91CfDBlT+lrxpzRqfhCE76OL7Zk QzuFmC+6yl74wIs49e38uq9YwQrsjYXdoWynQrk= X-Received: by 2002:a05:6512:13a1:b0:48d:f14:9059 with SMTP id p33-20020a05651213a100b0048d0f149059mr2881953lfa.110.1663915540743; Thu, 22 Sep 2022 23:45:40 -0700 (PDT) MIME-Version: 1.0 References: <7930b617-d473-94dd-c7e4-33ffa19da13e@suse.com> <3671fd52-6034-7149-ebe4-f7560c0dc6b0@suse.com> <6f42a382-c5aa-ba16-f330-69a07476e2aa@suse.com> In-Reply-To: From: Ard Biesheuvel Date: Fri, 23 Sep 2022 08:45:29 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v3] Support ESRT in Xen dom0 To: Demi Marie Obenour Cc: Jan Beulich , Juergen Gross , Stefano Stabellini , Oleksandr Tyshchenko , linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org, =?UTF-8?Q?Marek_Marczykowski=2DG=C3=B3recki?= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, 23 Sept 2022 at 01:27, Demi Marie Obenour wrote: > > On Fri, Sep 23, 2022 at 12:14:50AM +0200, Ard Biesheuvel wrote: > > On Thu, 22 Sept 2022 at 20:12, Demi Marie Obenour > > wrote: > > > > > > On Thu, Sep 22, 2022 at 05:05:43PM +0200, Ard Biesheuvel wrote: > > > > On Thu, 22 Sept 2022 at 16:56, Demi Marie Obenour > > > > wrote: > > > > > > > > > > On Thu, Sep 22, 2022 at 08:12:14AM +0200, Jan Beulich wrote: > > > > > > On 22.09.2022 03:09, Demi Marie Obenour wrote: > > > > > > > On Wed, Sep 21, 2022 at 10:34:04PM +0200, Jan Beulich wrote: > > > > > > >> On 20.09.2022 18:09, Ard Biesheuvel wrote: > > > > > > >>> On Tue, 20 Sept 2022 at 17:54, Jan Beulich wrote: > > > > > > >>>> > > > > > > >>>> On 20.09.2022 17:36, Ard Biesheuvel wrote: > > > > > > >>>>> On Mon, 19 Sept 2022 at 21:33, Demi Marie Obenour > > > > > > >>>>> wrote: > > > > > > >>>>>> > > > > > > >>>>>> fwupd requires access to the EFI System Resource Table (= ESRT) to > > > > > > >>>>>> discover which firmware can be updated by the OS. Curre= ntly, Linux does > > > > > > >>>>>> not expose the ESRT when running as a Xen dom0. Therefo= re, it is not > > > > > > >>>>>> possible to use fwupd in a Xen dom0, which is a serious = problem for e.g. > > > > > > >>>>>> Qubes OS. > > > > > > >>>>>> > > > > > > >>>>>> Before Xen 4.16, this was not fixable due to hypervisor = limitations. > > > > > > >>>>>> The UEFI specification requires the ESRT to be in EfiBoo= tServicesData > > > > > > >>>>>> memory, which Xen will use for whatever purposes it like= s. Therefore, > > > > > > >>>>>> Linux cannot safely access the ESRT, as Xen may have ove= rwritten it. > > > > > > >>>>>> > > > > > > >>>>>> Starting with Xen 4.17, Xen checks if the ESRT is in Efi= BootServicesData > > > > > > >>>>>> or EfiRuntimeServicesData memory. If the ESRT is in Efi= BootServicesData > > > > > > >>>>>> memory, Xen allocates some memory of type EfiRuntimeServ= icesData, copies > > > > > > >>>>>> the ESRT to it, and finally replaces the ESRT pointer wi= th a pointer to > > > > > > >>>>>> the copy. Since Xen will not clobber EfiRuntimeServices= Data memory, > > > > > > >>>>>> this ensures that the ESRT can safely be accessed by the= OS. It is safe > > > > > > >>>>>> to access the ESRT under Xen if, and only if, it is in m= emory of type > > > > > > >>>>>> EfiRuntimeServicesData. > > > > > > >>>>>> > > > > > > >>>>> > > > > > > >>>>> Thanks for the elaborate explanation. This is really help= ful. > > > > > > >>>>> > > > > > > >>>>> So here, you are explaining that the only way for Xen to = prevent > > > > > > >>>>> itself from potentially clobbering the ESRT is by creatin= g a > > > > > > >>>>> completely new allocation? > > > > > > >>>> > > > > > > >>>> There are surely other ways, e.g. preserving BootServices*= regions > > > > > > >>>> alongside RuntimeServices* ones. But as the maintainer of = the EFI > > > > > > >>>> code in Xen I don't view this as a reasonable approach. > > > > > > >>> > > > > > > >>> Why not? > > > > > > >> > > > > > > >> Because it's against the intentions the EFI has (or at least= had) > > > > > > >> for this memory type. Much more than EfiAcpiReclaimMemory th= is > > > > > > >> type is intended for use as ordinary RAM post-boot. > > > > > > > > > > > > > > What about giving that memory to dom0? dom0=E2=80=99s balloo= n driver will give > > > > > > > anything dom0 doesn=E2=80=99t wind up using back to Xen. > > > > > > > > > > > > While perhaps in principle possible, this would require special= casing > > > > > > in Xen. Except for the memory the initrd comes in, we don't dir= ectly > > > > > > hand memory to Dom0. Instead everything goes through the page a= llocator > > > > > > first. Plus if we really were convinced boot services memory ne= eded > > > > > > retaining, then it would also need retaining across kexec (and = hence > > > > > > shouldn't be left to Dom0 to decide what to do with it). > > > > > > > > > > So how should dom0 handle the various EFI tables other than the E= SRT? > > > > > Right now most uses of these tables in Linux are not guarded by a= ny > > > > > checks for efi_enabled(EFI_MEMMAP) or similar. If some of them a= re in > > > > > EfiBootServicesData memory, they might be corrupted before Linux = gets > > > > > them. > > > > > > > > Yes, this is an annoying oversight of the EFI design: the config > > > > tables are tuples, and the size of the table is > > > > specific to each table type. So without knowing the GUID, there is = no > > > > way you can reserve the right size. > > > > > > > > Perhaps you could implement something like a hypercall in > > > > efi_arch_mem_reserve(), which is called by the EFI code to reserve > > > > regions that are in boot services memory but need to remain reserve= d? > > > > This is used for all config tables that it knows or cares about. > > > > > > On versions of Xen that support spawning multiple domains at boot > > > (instead of just dom0) this will be racy. What about refusing to use > > > tables in EfiBootServicesData when running under Xen unless a hyperca= ll > > > indicates that Xen has reserved all EfiBootServicesData memory? Wher= e > > > could such a check be placed? > > > > You could stick a check inside the for loop in > > efi_config_parse_tables() to cross reference every table address > > against the memory map when running on Xen, and disregard it if it > > doesn't meet your criteria. > > > > I take it the issue is not limited to x86? > > Indeed the issue is cross-platform. For Qubes OS, I wonder if a safer > approach would be to reserve all EfiBootServicesData memory by default. You only need to reserve the ones that have configuration tables pointing into them.