Received: by 2002:ab2:788f:0:b0:1ee:8f2e:70ae with SMTP id b15csp30501lqi; Wed, 6 Mar 2024 09:12:15 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCWxVklgQIWq3GonDMWpRCOssxXjWTV9IlVZNFBoWYyaP0sBJc8MOW1OWgFV6XYEL5p91B1WXMF4cbWz2jg6WpREWC7L/nbCUvYqLpkLHQ== X-Google-Smtp-Source: AGHT+IHgCyCb398gehlWGvU8LEBtD/GEW7qy0OWrBW+UxWhdIHdg+cRpJJ7kZZkftJ3TEa/xp/Jm X-Received: by 2002:a05:6808:2008:b0:3c2:d6f:40f0 with SMTP id q8-20020a056808200800b003c20d6f40f0mr6678120oiw.30.1709745135611; Wed, 06 Mar 2024 09:12:15 -0800 (PST) Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id o2-20020ab05442000000b007da7a1cd071si2219885uaa.115.2024.03.06.09.12.15 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 06 Mar 2024 09:12:15 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel+bounces-94316-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@kernel.org header.s=k20201202 header.b=eAu0MoXI; arc=fail (body hash mismatch); spf=pass (google.com: domain of linux-kernel+bounces-94316-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-94316-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 1ED451C2239F for ; Wed, 6 Mar 2024 17:12:15 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7648613A87A; Wed, 6 Mar 2024 17:12:12 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="eAu0MoXI" Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 913D68004B; Wed, 6 Mar 2024 17:12:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709745131; cv=none; b=XbS9yXadQDeyInxm3R+O6pLM2nmwzHYa25x+8tDh+W++L3/DQOS/PZSnPeufsER6unkNNAt0yfKMe+sDbmqFdGN7CLqEHGxf6gebexz8+vHANBS5E8kk2lVSfkh3fMfyoBEREmJvZ3begKlGxrfm9m2FzOsnHn/YeIWNEbc8avo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1709745131; c=relaxed/simple; bh=2qzpLpQnn8H/E5sxCIi6Nw1Lgq2F1o1a0Kzj4iP6/HE=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=E9mP4+BY/EpOcpdhr/sVB7iAnXuCJscKRecolnA//QX+4Kc29PHN6znFTl7RdK/d7C0MrFVi1HMDjby//PYyRxtdF3+sW6zbLlddIuY1T/Xw992WqerLeLcA7pTG8PIY4tYFU03zSC1C9W54tEhir47nEkoNT6N4JThwi8jKMno= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=eAu0MoXI; arc=none smtp.client-ip=10.30.226.201 Received: by smtp.kernel.org (Postfix) with ESMTPSA id 149CEC433F1; Wed, 6 Mar 2024 17:12:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1709745131; bh=2qzpLpQnn8H/E5sxCIi6Nw1Lgq2F1o1a0Kzj4iP6/HE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=eAu0MoXIxajSQQaL1LT0wSKdAeRRyrrqtfu8uHL5NK6Fo4ueVjLvZrm6In+I2aN+P C4o4B2HDf4p87eAqtB2nH25/+ea+yZOQPuwcnVAVNvwHtA9yrPgEOeQFDnZBLTdxqZ nn3AL1tnZVxtUVECtZgu6qnEnumr+MYQ+ofCleEIk0EsLEBcmxczK4KAblyFAkTPxu ENsZV1gkOx901rIg9qDGK6My6wusgClqj4xX1f+cIjCBw33KMeMFcXnKR0F6rqxzq6 uBTeVMVhvI8aK6K35MylHj1Bsoh/rXUZI8CZmUA217HbPNxzJIVUBQa7TrjwxpScFZ Nt521NH0ci+9w== Received: by mail-lf1-f49.google.com with SMTP id 2adb3069b0e04-513173e8191so9059280e87.1; Wed, 06 Mar 2024 09:12:10 -0800 (PST) X-Forwarded-Encrypted: i=1; AJvYcCVGuL6waJvhKdSqe57FIkfO5EmlMSSvl76CI6ncI5ISsOc6hFZhtwnYk+2mnTMffVHG/oCCJGgr/z2V7OUYDAZ//+E55ZWcE7QQI3uoXAOGVOkOSpLu81QHUxO5DcyQAEWH+zLtaAxd X-Gm-Message-State: AOJu0Yz/GLkNBTVMm+qdAsBF5R1GCY2jlaRcreTkJJwe2tMdnsJGVLU4 zkaMfPtyOxV3kr6s/muq5p1GM41TNyhaSEoCqVysDJeRPt07cgA75od+zk7R+oaf3QUIaMrWLAm fSk9uB/b9XpbW4ADb+kWoi5WYemA= X-Received: by 2002:a05:6512:3489:b0:513:1a38:2406 with SMTP id v9-20020a056512348900b005131a382406mr3648590lfr.13.1709745129142; Wed, 06 Mar 2024 09:12:09 -0800 (PST) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: In-Reply-To: From: Ard Biesheuvel Date: Wed, 6 Mar 2024 18:11:57 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [External] Re: [PATCH 3/3] efistub: fix missed the initialization of gp To: Palmer Dabbelt Cc: cuiyunhui@bytedance.com, Paul Walmsley , aou@eecs.berkeley.edu, xuzhipeng.1973@bytedance.com, alexghiti@rivosinc.com, samitolvanen@google.com, bp@alien8.de, xiao.w.wang@intel.com, jan.kiszka@siemens.com, kirill.shutemov@linux.intel.com, nathan@kernel.org, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-efi@vger.kernel.org, Conor Dooley , Heinrich Schuchardt , Pedro Falcato Content-Type: text/plain; charset="UTF-8" On Wed, 6 Mar 2024 at 17:15, Ard Biesheuvel wrote: > > On Wed, 6 Mar 2024 at 16:44, Ard Biesheuvel wrote: > > > > On Wed, 6 Mar 2024 at 16:21, Palmer Dabbelt wrote: > > > .. > > > > > > The UEFI spec says "UEFI firmware must neither trust the > > > values of tp and gp nor make an assumption of owning the write access to > > > these register in any circumstances". It's kind of vague what "UEFI > > > firmware" means here, but I think it's reasonable to assume that the > > > kernel (and thus the EFI stub) is not included there. > > > > > > So under that interpretation, the kernel (including the EFI stub) would > > > be allowed to overwrite GP with whatever it wants. > > > .. After some more consideration, I concluded that using GP in code that executes in the context of EFI is never safe. Taking the typical Linux/EFI boot sequence as an example, where GRUB is loaded by the system firmware, and the Linux EFI stub is loaded by GRUB, it is easy to spot the problem: GRUB exposes the initial ramdisk via the LoadFile2 protocol, which is essentially a callback interface. If we assume that EFI apps can use GP as they like, we cannot safely call this callback interface without restoring GP to its original value, since we have no idea whether GRUB (or some other loader) is relying on its value. And in addition to synchronous callbacks, there may be EFI event callbacks registered by GRUB that are signaled by the system firmware asynchronously, which means GRUB code could be called behind our backs. Without any guidance in the UEFI spec on how GP needs to be managed across such boundaries, we should assume that GP needs to be restored to the old value in each of those cases, but this is impossible for async event handlers. We might conclude then that using GP is only safe for EFI apps if they don't install protocols or register for EFI events, but that would still imply that we should restore GP to its old value upon exit. So without a strong argument why GP relaxations need to be supported in the EFI stub, I don't think we should consider these changes. If there are any issues in the current code that result in inadvertent GP relaxations, we should address those instead.