Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp5751787rwb; Tue, 22 Nov 2022 04:35:59 -0800 (PST) X-Google-Smtp-Source: AA0mqf5WXPUR3YF9m/l47SE+8365BSKd4hSw8bmGPVRz+GAo7aVVcV2VErtFr71Xw0cP4Ufjov0j X-Received: by 2002:a17:902:ef89:b0:189:3b49:9ef1 with SMTP id iz9-20020a170902ef8900b001893b499ef1mr173413plb.71.1669120559581; Tue, 22 Nov 2022 04:35:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669120559; cv=none; d=google.com; s=arc-20160816; b=MqH7EdXHtM/VZI4VgtbaLvHAWZTO/x2p2IlWnoG64aTh0Q4KyNPk4BjIddmVlvOdy1 ew2LoP4bDZbEL2rVpuZkfeaY5QLWTGbk2He4SePFXl1DtnWp3KCN9dJ6hRuf+IG4O3j0 4KMFWVAtiW4VZxNSVQ8tAfKzn/DBFmOQVvA88ne3Ad04+K5PHsmw5kT9nDDL+Of3guGJ og/vnH1V7n+RNQyR4EmCwBNUZGAq2AsRbSZOKNSelrflla5qvFI/xbdR0tubm83xfuKb mankBUrDSDLTb/qslYZk85uXI0E0F21G+qlsRxwXdIN6KFXrGjHPhLXATpwpVIvfIYJj MxLQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature:dkim-filter; bh=2Z3eUgmMTKBvXlCU86hmKECd7rhhkSSGu3zwsXuXe64=; b=epSq7bFtTtxRmGZ/tIM+nRgOlRycj4XP82uP4Lowq2QUOnoprX8sIfWepbY0ZG4G6k fl4qaN5Qc9IoqXSgXUVyVEB8RerHcazySVMhi1TV2EaL7mCM9KkLjvw1lMAVnYl9o2vI YKOdO/gHDEHFUloUheKzAsSWC5qINny29s/hyt9Qg8onkOOhzcszoZ7DYyVb4G8xgnkb DZZrEwtefg9FT9SC0q7Ce89Zbxcw52i33m4Rvv7+dGjdlZaNjmafT+Q4cGMAKUaBYAn8 B0vazADD2ZkQJsig+YI8oDIOfY98USBbAEPQhYjkkhFTnRm0TWd33PBeQ/1F4INpTcob cQmg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=lm7JzWv6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id on16-20020a17090b1d1000b00218a592ceacsi7674505pjb.107.2022.11.22.04.35.47; Tue, 22 Nov 2022 04:35:59 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@ispras.ru header.s=default header.b=lm7JzWv6; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233368AbiKVLTT (ORCPT + 90 others); Tue, 22 Nov 2022 06:19:19 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60906 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233168AbiKVLRh (ORCPT ); Tue, 22 Nov 2022 06:17:37 -0500 Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5374E6069D; Tue, 22 Nov 2022 03:14:50 -0800 (PST) Received: from localhost.localdomain (unknown [83.149.199.65]) by mail.ispras.ru (Postfix) with ESMTPSA id 303F540737CC; Tue, 22 Nov 2022 11:14:46 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 303F540737CC DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru; s=default; t=1669115686; bh=2Z3eUgmMTKBvXlCU86hmKECd7rhhkSSGu3zwsXuXe64=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=lm7JzWv6usfro23PK+b4IBbUG87BJ/E76vutLNGBVjRCcg2q6qYI2BRIvKvpBsyMh pLVskgvaOiMJQJt6bAnwON4iQvWn2HjDrv0KXxXLqRLb57M4d6ffUcWkNhffHDvYIz n39ceZw8c8Mw4MYf0dty0sqvjmM4t96qbdqlT18g= From: Evgeniy Baskov To: Ard Biesheuvel Cc: Evgeniy Baskov , Borislav Petkov , Andy Lutomirski , Dave Hansen , Ingo Molnar , Peter Zijlstra , Thomas Gleixner , Alexey Khoroshilov , Peter Jones , "Limonciello, Mario" , joeyli , lvc-project@linuxtesting.org, x86@kernel.org, linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org Subject: [PATCH v3 23/24] efi/libstub: Use memory attribute protocol Date: Tue, 22 Nov 2022 14:12:32 +0300 Message-Id: X-Mailer: git-send-email 2.37.4 In-Reply-To: References: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Add EFI_MEMORY_ATTRIBUTE_PROTOCOL as preferred alternative to DXE services for changing memory attributes in the EFISTUB. Use DXE services only as a fallback in case aforementioned protocol is not supported by UEFI implementation. Move DXE services initialization code closer to the place they are used to match EFI_MEMORY_ATTRIBUTE_PROTOCOL initialization code. Tested-by: Mario Limonciello Signed-off-by: Evgeniy Baskov --- drivers/firmware/efi/libstub/mem.c | 168 ++++++++++++++++++------ drivers/firmware/efi/libstub/x86-stub.c | 17 --- 2 files changed, 128 insertions(+), 57 deletions(-) diff --git a/drivers/firmware/efi/libstub/mem.c b/drivers/firmware/efi/libstub/mem.c index cdf1e6fb6430..35acec241dd3 100644 --- a/drivers/firmware/efi/libstub/mem.c +++ b/drivers/firmware/efi/libstub/mem.c @@ -5,6 +5,9 @@ #include "efistub.h" +const efi_dxe_services_table_t *efi_dxe_table; +efi_memory_attribute_protocol_t *efi_mem_attrib_proto; + /** * efi_get_memory_map() - get memory map * @map: pointer to memory map pointer to which to assign the @@ -126,66 +129,47 @@ void efi_free(unsigned long size, unsigned long addr) efi_bs_call(free_pages, addr, nr_pages); } -/** - * efi_adjust_memory_range_protection() - change memory range protection attributes - * @start: memory range start address - * @size: memory range size - * - * Actual memory range for which memory attributes are modified is - * the smallest ranged with start address and size aligned to EFI_PAGE_SIZE - * that includes [start, start + size]. - * - * @return: status code - */ -efi_status_t efi_adjust_memory_range_protection(unsigned long start, - unsigned long size, - unsigned long attributes) +static void retrieve_dxe_table(void) +{ + efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID); + if (efi_dxe_table && + efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) { + efi_warn("Ignoring DXE services table: invalid signature\n"); + efi_dxe_table = NULL; + } +} + +static efi_status_t adjust_mem_attrib_dxe(efi_physical_addr_t rounded_start, + efi_physical_addr_t rounded_end, + unsigned long attributes) { efi_status_t status; efi_gcd_memory_space_desc_t desc; - efi_physical_addr_t end, next; - efi_physical_addr_t rounded_start, rounded_end; + efi_physical_addr_t end, next, start; efi_physical_addr_t unprotect_start, unprotect_size; - if (efi_dxe_table == NULL) - return EFI_UNSUPPORTED; + if (!efi_dxe_table) { + retrieve_dxe_table(); - /* - * This function should not be used to modify attributes - * other than writable/executable. - */ - - if ((attributes & ~(EFI_MEMORY_RO | EFI_MEMORY_XP)) != 0) - return EFI_INVALID_PARAMETER; - - /* - * Disallow simultaniously executable and writable memory - * to inforce W^X policy if direct extraction code is enabled. - */ - - if ((attributes & (EFI_MEMORY_RO | EFI_MEMORY_XP)) == 0) { - efi_warn("W^X violation at [%08lx,%08lx]\n", - (unsigned long)rounded_start, - (unsigned long)rounded_end); + if (!efi_dxe_table) + return EFI_UNSUPPORTED; } - rounded_start = rounddown(start, EFI_PAGE_SIZE); - rounded_end = roundup(start + size, EFI_PAGE_SIZE); - /* * Don't modify memory region attributes, they are * already suitable, to lower the possibility to * encounter firmware bugs. */ - for (end = start + size; start < end; start = next) { + + for (start = rounded_start, end = rounded_end; start < end; start = next) { status = efi_dxe_call(get_memory_space_descriptor, start, &desc); if (status != EFI_SUCCESS) { efi_warn("Unable to get memory descriptor at %lx\n", - start); + (unsigned long)start); return status; } @@ -227,3 +211,107 @@ efi_status_t efi_adjust_memory_range_protection(unsigned long start, return EFI_SUCCESS; } + +static void retrieve_memory_attributes_proto(void) +{ + efi_status_t status; + efi_guid_t guid = EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID; + + status = efi_bs_call(locate_protocol, &guid, NULL, + (void **)&efi_mem_attrib_proto); + if (status != EFI_SUCCESS) + efi_mem_attrib_proto = NULL; +} + +/** + * efi_adjust_memory_range_protection() - change memory range protection attributes + * @start: memory range start address + * @size: memory range size + * + * Actual memory range for which memory attributes are modified is + * the smallest ranged with start address and size aligned to EFI_PAGE_SIZE + * that includes [start, start + size]. + * + * This function first attempts to use EFI_MEMORY_ATTRIBUTE_PROTOCOL, + * that is a part of UEFI Specification since version 2.10. + * If the protocol is unavailable it falls back to DXE services functions. + * + * @return: status code + */ +efi_status_t efi_adjust_memory_range_protection(unsigned long start, + unsigned long size, + unsigned long attributes) +{ + efi_status_t status; + efi_physical_addr_t rounded_start, rounded_end; + unsigned long attr_clear; + + /* + * This function should not be used to modify attributes + * other than writable/executable. + */ + + if ((attributes & ~(EFI_MEMORY_RO | EFI_MEMORY_XP)) != 0) + return EFI_INVALID_PARAMETER; + + /* + * Warn if requested to make memory simultaneously + * executable and writable to enforce W^X policy. + */ + + if ((attributes & (EFI_MEMORY_RO | EFI_MEMORY_XP)) == 0) { + efi_warn("W^X violation at [%08lx,%08lx]", + (unsigned long)rounded_start, + (unsigned long)rounded_end); + } + + rounded_start = rounddown(start, EFI_PAGE_SIZE); + rounded_end = roundup(start + size, EFI_PAGE_SIZE); + + if (!efi_mem_attrib_proto) { + retrieve_memory_attributes_proto(); + + /* Fall back to DXE services if unsupported */ + if (!efi_mem_attrib_proto) { + return adjust_mem_attrib_dxe(rounded_start, + rounded_end, + attributes); + } + } + + /* + * Unlike DXE services functions, EFI_MEMORY_ATTRIBUTE_PROTOCOL + * does not clear unset protection bit, so it needs to be cleared + * explcitly + */ + + attr_clear = ~attributes & + (EFI_MEMORY_RO | EFI_MEMORY_XP | EFI_MEMORY_RP); + + status = efi_call_proto(efi_mem_attrib_proto, + clear_memory_attributes, + rounded_start, + rounded_end - rounded_start, + attr_clear); + if (status != EFI_SUCCESS) { + efi_warn("Failed to clear memory attributes at [%08lx,%08lx]: %lx", + (unsigned long)rounded_start, + (unsigned long)rounded_end, + status); + return status; + } + + status = efi_call_proto(efi_mem_attrib_proto, + set_memory_attributes, + rounded_start, + rounded_end - rounded_start, + attributes); + if (status != EFI_SUCCESS) { + efi_warn("Failed to set memory attributes at [%08lx,%08lx]: %lx", + (unsigned long)rounded_start, + (unsigned long)rounded_end, + status); + } + + return status; +} diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c index 56b8e7207361..eac55e9a5723 100644 --- a/drivers/firmware/efi/libstub/x86-stub.c +++ b/drivers/firmware/efi/libstub/x86-stub.c @@ -23,7 +23,6 @@ #define MAXMEM_X86_64_4LEVEL (1ull << 46) const efi_system_table_t *efi_system_table; -const efi_dxe_services_table_t *efi_dxe_table; extern u32 image_offset; static efi_loaded_image_t *image __section(".data"); @@ -357,15 +356,6 @@ void __noreturn efi_exit(efi_handle_t handle, efi_status_t status) static void setup_sections_memory_protection(unsigned long image_base) { #ifdef CONFIG_EFI_DXE_MEM_ATTRIBUTES - efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID); - - if (!efi_dxe_table || - efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) { - efi_warn("Unable to locate EFI DXE services table\n"); - efi_dxe_table = NULL; - return; - } - /* .setup [image_base, _head] */ efi_adjust_memory_range_protection(image_base, (unsigned long)_head - image_base, @@ -732,13 +722,6 @@ asmlinkage unsigned long efi_main(efi_handle_t handle, if (efi_system_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) efi_exit(handle, EFI_INVALID_PARAMETER); - efi_dxe_table = get_efi_config_table(EFI_DXE_SERVICES_TABLE_GUID); - if (efi_dxe_table && - efi_dxe_table->hdr.signature != EFI_DXE_SERVICES_TABLE_SIGNATURE) { - efi_warn("Ignoring DXE services table: invalid signature\n"); - efi_dxe_table = NULL; - } - setup_sections_memory_protection(bzimage_addr - image_offset); #ifdef CONFIG_CMDLINE_BOOL -- 2.37.4