From f56ab9a5b73ca2aee777ccdf2d355ae2dd31db5a Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Fri, 18 Aug 2017 20:49:34 +0100 Subject: efi/arm: Don't mark ACPI reclaim memory as MEMBLOCK_NOMAP On ARM, regions of memory that are described by UEFI as having special significance to the firmware itself are omitted from the linear mapping. This is necessary since we cannot guarantee that alternate mappings of the same physical region will use attributes that are compatible with the ones we use for the linear mapping, and aliases with mismatched attributes are prohibited by the architecture. The above does not apply to ACPI reclaim regions: such regions have no special significance to the firmware, and it is up to the OS to decide whether or not to preserve them after it has consumed their contents, and for how long, after which time the OS can use the memory in any way it likes. In the Linux case, such regions are preserved indefinitely, and are simply treated the same way as other 'reserved' memory types. Punching holes into the linear mapping causes page table fragmentation, which increases TLB pressure, and so we should avoid doing so if we can. So add a special case for regions of type EFI_ACPI_RECLAIM_MEMORY, and memblock_reserve() them instead of marking them MEMBLOCK_NOMAP. Signed-off-by: Ard Biesheuvel Acked-by: Mark Rutland Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/arm-init.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers') diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c index 1027d7b44358..0aa4ce7b4fbb 100644 --- a/drivers/firmware/efi/arm-init.c +++ b/drivers/firmware/efi/arm-init.c 
@@ -159,6 +159,7 @@ static __init int is_usable_memory(efi_memory_desc_t *md) switch (md->type) { case EFI_LOADER_CODE: case EFI_LOADER_DATA: + case EFI_ACPI_RECLAIM_MEMORY: case EFI_BOOT_SERVICES_CODE: case EFI_BOOT_SERVICES_DATA: case EFI_CONVENTIONAL_MEMORY: @@ -211,6 +212,10 @@ static __init void reserve_regions(void) if (!is_usable_memory(md)) memblock_mark_nomap(paddr, size); + + /* keep ACPI reclaim memory intact for kexec etc. */ + if (md->type == EFI_ACPI_RECLAIM_MEMORY) + memblock_reserve(paddr, size); } } } -- cgit v1.2.3 From 0426a4e68f18d75515414361de9e3e1445d2644e Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Fri, 18 Aug 2017 20:49:36 +0100 Subject: efi/libstub/arm64: Force 'hidden' visibility for section markers To prevent the compiler from emitting absolute references to the section markers when running in PIC mode, override the visibility to 'hidden' for all contents of asm/sections.h Tested-by: Matthias Kaehlcke Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-4-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/libstub/arm64-stub.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index b4c2589d7c91..f7a6970e9abc 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c @@ -9,9 +9,17 @@ * published by the Free Software Foundation. * */ + +/* + * To prevent the compiler from emitting GOT-indirected (and thus absolute) + * references to the section markers, override their visibility as 'hidden' + */ +#pragma GCC visibility push(hidden) +#include +#pragma GCC visibility pop + #include #include -#include #include #include "efistub.h" -- cgit v1.2.3 
From 91ee5b21ee026c49e4e7483de69b55b8b47042be Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Fri, 18 Aug 2017 20:49:37 +0100 Subject: efi/libstub/arm64: Set -fpie when building the EFI stub Clang may emit absolute symbol references when building in non-PIC mode, even when using the default 'small' code model, which is already mostly position independent to begin with, due to its use of adrp/add pairs that have a relative range of +/- 4 GB. The remedy is to pass the -fpie flag, which can be done safely now that the code has been updated to avoid GOT indirections (which may be emitted due to the compiler assuming that the PIC/PIE code may end up in a shared library that is subject to ELF symbol preemption) Passing -fpie when building code that needs to execute at an a priori unknown offset is arguably an improvement in any case, and given that the recent visibility changes allow the PIC build to pass with GCC as well, let's add -fpie for all arm64 builds rather than only for Clang. Tested-by: Matthias Kaehlcke Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-5-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/libstub/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index 37e24f525162..cf81e6cf5ae8 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -10,7 +10,7 @@ cflags-$(CONFIG_X86) += -m$(BITS) -D__KERNEL__ -O2 \ -fPIC -fno-strict-aliasing -mno-red-zone \ -mno-mmx -mno-sse -cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) +cflags-$(CONFIG_ARM64) := $(subst -pg,,$(KBUILD_CFLAGS)) -fpie cflags-$(CONFIG_ARM) := $(subst -pg,,$(KBUILD_CFLAGS)) \ -fno-builtin -fpic -mno-single-pic-base -- cgit v1.2.3 
From 9a9de5c044be14c3337ef45174ac8baa568a0f93 Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Fri, 18 Aug 2017 20:49:38 +0100 Subject: efi/arm/arm64: Add missing assignment of efi.config_table The ARM EFI init code never assigns the config_table member of the efi struct, which means the sysfs device node is missing, and other in-kernel users will not work correctly. So add the missing assignment. Note that, for now, the runtime and fw_vendor members are still omitted. This is deliberate: exposing physical addresses via sysfs nodes encourages behavior that we would like to avoid on ARM (given how it is more finicky about using correct memory attributes when mapping memory in userland that may be mapped by the kernel already as well). Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-6-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/arm-init.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers') diff --git a/drivers/firmware/efi/arm-init.c b/drivers/firmware/efi/arm-init.c index 0aa4ce7b4fbb..80d1a885def5 100644 --- a/drivers/firmware/efi/arm-init.c +++ b/drivers/firmware/efi/arm-init.c @@ -145,6 +145,9 @@ static int __init uefi_init(void) sizeof(efi_config_table_t), arch_tables); + if (!retval) + efi.config_table = (unsigned long)efi.systab->tables; + early_memunmap(config_tables, table_size); out: early_memunmap(efi.systab, sizeof(efi_system_table_t)); -- cgit v1.2.3 From b6a3780dad74f6e3d1d45eca843ae623cc3216a8 Mon Sep 17 00:00:00 2001 
From: Hans de Goede Date: Fri, 18 Aug 2017 20:49:39 +0100 Subject: efi/reboot: Fall back to original power-off method if EFI_RESET_SHUTDOWN returns Commit: 44be28e9dd98 ("x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag") sets pm_power_off to efi_power_off() when the acpi_gbl_reduced_hardware flag is set. According to its commit message this is necessary because: "BayTrail-T class of hardware requires EFI in order to powerdown and reboot and no other reliable method exists". But I have a Bay Trail CR tablet where the EFI_RESET_SHUTDOWN call does not work, it simply returns without doing anything (AFAICT). So it seems that some Bay Trail devices must use EFI for power-off, while for others only ACPI works. Note that efi_power_off() only gets used if the platform code defines efi_poweroff_required() and that returns true, this currently only ever happens on x86. Since on the devices which need ACPI for power-off the EFI_RESET_SHUTDOWN call simply returns, this patch makes the efi-reboot code remember the old pm_power_off handler and if EFI_RESET_SHUTDOWN returns it falls back to calling that. This seems preferable to dmi-quirking our way out of this, since there are likely quite a few devices suffering from this. Signed-off-by: Hans de Goede Signed-off-by: Matt Fleming Signed-off-by: Ard Biesheuvel Cc: Andy Shevchenko Cc: Len Brown Cc: Linus Torvalds Cc: Mark Salter Cc: Peter Jones Cc: Peter Zijlstra Cc: Rafael J. Wysocki Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-7-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/reboot.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/reboot.c b/drivers/firmware/efi/reboot.c index 62ead9b9d871..7117e2d0c7f9 100644 --- a/drivers/firmware/efi/reboot.c +++ b/drivers/firmware/efi/reboot.c 
@@ -5,6 +5,8 @@ #include #include +void (*orig_pm_power_off)(void); + int efi_reboot_quirk_mode = -1; void efi_reboot(enum reboot_mode reboot_mode, const char *__unused) @@ -51,6 +53,12 @@ bool __weak efi_poweroff_required(void) static void efi_power_off(void) { efi.reset_system(EFI_RESET_SHUTDOWN, EFI_SUCCESS, 0, NULL); + /* + * The above call should not return, if it does fall back to + * the original power off method (typically ACPI poweroff). + */ + if (orig_pm_power_off) + orig_pm_power_off(); } static int __init efi_shutdown_init(void) @@ -58,8 +66,10 @@ static int __init efi_shutdown_init(void) if (!efi_enabled(EFI_RUNTIME_SERVICES)) return -ENODEV; - if (efi_poweroff_required()) + if (efi_poweroff_required()) { + orig_pm_power_off = pm_power_off; pm_power_off = efi_power_off; + } return 0; } -- cgit v1.2.3 From dcf8f5ce31656534efada252f6a563c09b295983 Mon Sep 17 00:00:00 2001 
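Review bot: When `efi.reset_system()` returns and `orig_pm_power_off` is NULL, efi_power_off() returns without any trace, and even a successful fallback leaves no record that the firmware ignored EFI_RESET_SHUTDOWN. A one-line message before the fallback, e.g. `pr_warn("EFI_RESET_SHUTDOWN returned, falling back to original power-off handler\n");`, would make affected machines identifiable from their logs. The snapshot in efi_shutdown_init() is taken once at initcall time, so a comment there could state that it relies on the platform handler having been installed before that point.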
From: Ard Biesheuvel Date: Fri, 18 Aug 2017 20:49:40 +0100 Subject: drivers/fbdev/efifb: Allow BAR to be moved instead of claiming it On UEFI systems, the firmware may expose a Graphics Output Protocol (GOP) instance to which the efifb driver attempts to attach in order to provide a minimal, unaccelerated framebuffer. The GOP protocol itself is not very sophisticated, and only describes the offset and size of the framebuffer in memory, and the pixel format. If the GOP framebuffer is provided by a PCI device, it will have been configured and enabled by the UEFI firmware, and the GOP protocol will simply point into a live BAR region. However, the GOP protocol itself does not describe this relation, and so we have to take care not to reconfigure the BAR without taking efifb's dependency on it into account. Commit: 55d728a40d36 ("efi/fb: Avoid reconfiguration of BAR that covers the framebuffer") attempted to do so by claiming the BAR resource early on, which prevents the PCI resource allocation routines from changing it. However, it turns out that this only works if the PCI device is not behind any bridges, since the bridge resources need to be claimed first. So instead, allow the BAR to be moved, but make the efifb driver deal with that gracefully. So record the resource that covers the BAR early on, and if it turns out to have moved by the time we probe the efifb driver, update the framebuffer address accordingly. While this is less likely to occur on x86, given that the firmware's PCI resource allocation is more likely to be preserved, this is a worthwhile sanity check to have in place, and so let's remove the preprocessor conditional that makes it !X86 only. Signed-off-by: Ard Biesheuvel Reviewed-by: Peter Jones Acked-by: Bartlomiej Zolnierkiewicz Acked-by: Bjorn Helgaas Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-8-ard.biesheuvel@linaro.org 
Signed-off-by: Ingo Molnar --- drivers/video/fbdev/efifb.c | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) (limited to 'drivers') diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c index 1e784adb89b1..3a010641f630 100644 --- a/drivers/video/fbdev/efifb.c +++ b/drivers/video/fbdev/efifb.c @@ -149,6 +149,10 @@ ATTRIBUTE_GROUPS(efifb); static bool pci_dev_disabled; /* FB base matches BAR of a disabled device */ +static struct pci_dev *efifb_pci_dev; /* dev with BAR covering the efifb */ +static struct resource *bar_resource; +static u64 bar_offset; + static int efifb_probe(struct platform_device *dev) { struct fb_info *info; @@ -203,6 +207,13 @@ static int efifb_probe(struct platform_device *dev) efifb_fix.smem_start |= ext_lfb_base; } + if (bar_resource && + bar_resource->start + bar_offset != efifb_fix.smem_start) { + dev_info(&efifb_pci_dev->dev, + "BAR has moved, updating efifb address\n"); + efifb_fix.smem_start = bar_resource->start + bar_offset; + } + efifb_defined.bits_per_pixel = screen_info.lfb_depth; efifb_defined.xres = screen_info.lfb_width; efifb_defined.yres = screen_info.lfb_height; @@ -370,15 +381,13 @@ static struct platform_driver efifb_driver = { builtin_platform_driver(efifb_driver); -#if defined(CONFIG_PCI) && !defined(CONFIG_X86) - -static bool pci_bar_found; /* did we find a BAR matching the efifb base? */ +#if defined(CONFIG_PCI) -static void claim_efifb_bar(struct pci_dev *dev, int idx) +static void record_efifb_bar_resource(struct pci_dev *dev, int idx, u64 offset) { u16 word; - pci_bar_found = true; + efifb_pci_dev = dev; pci_read_config_word(dev, PCI_COMMAND, &word); if (!(word & PCI_COMMAND_MEMORY)) { 
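Review bot: The new check in efifb_probe() adopts `bar_resource->start + bar_offset` whenever it differs from `efifb_fix.smem_start`, which would include a BAR that the PCI core failed to reassign and left unset; the framebuffer would then be mapped at `bar_offset` from a meaningless base. I would guard the condition with `!(bar_resource->flags & IORESOURCE_UNSET)` and fail the probe when the BAR is unset, rather than mapping either the stale firmware address or the bogus new one. `efifb_pci_dev` and `bar_resource` are also kept in file-scope statics with no reference taken on the device (the recording side is in the later hunks of this file), so a short comment saying why the device cannot go away before probe would help. efifb_probe() starts and ends outside this hunk.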
@@ -389,12 +398,8 @@ static void claim_efifb_bar(struct pci_dev *dev, int idx) return; } - if (pci_claim_resource(dev, idx)) { - pci_dev_disabled = true; - dev_err(&dev->dev, - "BAR %d: failed to claim resource for efifb!\n", idx); - return; - } + bar_resource = &dev->resource[idx]; + bar_offset = offset; dev_info(&dev->dev, "BAR %d: assigned to efifb\n", idx); } @@ -405,7 +410,7 @@ static void efifb_fixup_resources(struct pci_dev *dev) u64 size = screen_info.lfb_size; int i; - if (pci_bar_found || screen_info.orig_video_isVGA != VIDEO_TYPE_EFI) + if (efifb_pci_dev || screen_info.orig_video_isVGA != VIDEO_TYPE_EFI) return; if (screen_info.capabilities & VIDEO_CAPABILITY_64BIT_BASE) @@ -421,7 +426,7 @@ static void efifb_fixup_resources(struct pci_dev *dev) continue; if (res->start <= base && res->end >= base + size - 1) { - claim_efifb_bar(dev, i); + record_efifb_bar_resource(dev, i, base - res->start); break; } } -- cgit v1.2.3 From 73e310769bc29b96f0657c28b7bdab42d90935d8 Mon Sep 17 00:00:00 2001 From: Arvind Yadav Date: Fri, 18 Aug 2017 20:49:45 +0100 Subject: firmware/dcdbas: Constify attribute_group structures attribute_group are not supposed to change at runtime. All functions working with attribute_group provided by work with const attribute_group. So mark the non-const structs as const. Signed-off-by: Arvind Yadav Signed-off-by: Ard Biesheuvel Cc: Douglas_Warzecha Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-13-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/dcdbas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/dcdbas.c b/drivers/firmware/dcdbas.c index 2fe1a130189f..c16600f30611 100644 --- a/drivers/firmware/dcdbas.c +++ b/drivers/firmware/dcdbas.c 
@@ -534,7 +534,7 @@ static struct attribute *dcdbas_dev_attrs[] = { NULL }; -static struct attribute_group dcdbas_attr_group = { +static const struct attribute_group dcdbas_attr_group = { .attrs = dcdbas_dev_attrs, .bin_attrs = dcdbas_bin_attrs, }; -- cgit v1.2.3 From 3ad6bd7c0a1c49a78d00001cfda3d474c23bc354 Mon Sep 17 00:00:00 2001 From: Arvind Yadav Date: Fri, 18 Aug 2017 20:49:46 +0100 Subject: firmware/efi: Constify attribute_group structures attribute_group are not supposed to change at runtime. All functions working with attribute_group provided by work with const attribute_group. So mark the non-const structs as const. Signed-off-by: Arvind Yadav Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-14-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/efi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index 045d6d311bde..6519be44387c 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -179,7 +179,7 @@ static umode_t efi_attr_is_visible(struct kobject *kobj, return attr->mode; } -static struct attribute_group efi_subsys_attr_group = { +static const struct attribute_group efi_subsys_attr_group = { .attrs = efi_subsys_attrs, .is_visible = efi_attr_is_visible, }; -- cgit v1.2.3 From f1a5b53570001b1bcbf890ac6c4be1db99f8cc28 Mon Sep 17 00:00:00 2001 From: Arvind Yadav Date: Fri, 18 Aug 2017 20:49:47 +0100 Subject: firmware/efi/esrt: Constify attribute_group structures attribute_group are not supposed to change at runtime. All functions working with attribute_group provided by work with const attribute_group. So mark the non-const structs as const. Signed-off-by: Arvind Yadav 
Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170818194947.19347-15-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/esrt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c index 8554d7aec31c..bd7ed3c1148a 100644 --- a/drivers/firmware/efi/esrt.c +++ b/drivers/firmware/efi/esrt.c @@ -230,7 +230,7 @@ static umode_t esrt_attr_is_visible(struct kobject *kobj, return attr->mode; } -static struct attribute_group esrt_attr_group = { +static const struct attribute_group esrt_attr_group = { .attrs = esrt_attrs, .is_visible = esrt_attr_is_visible, }; -- cgit v1.2.3 From ccc829ba3624beb9a703fc995d016b836d9eead8 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Fri, 25 Aug 2017 16:50:15 +0100 Subject: efi/libstub: Enable reset attack mitigation If a machine is reset while secrets are present in RAM, it may be possible for code executed after the reboot to extract those secrets from untouched memory. The Trusted Computing Group specified a mechanism for requesting that the firmware clear all RAM on reset before booting another OS. This is done by setting the MemoryOverwriteRequestControl variable at startup. If userspace can ensure that all secrets are removed as part of a controlled shutdown, it can reset this variable to 0 before triggering a hardware reboot. Signed-off-by: Matthew Garrett Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170825155019.6740-2-ard.biesheuvel@linaro.org 
Signed-off-by: Ingo Molnar --- drivers/firmware/efi/Kconfig | 10 ++++++ drivers/firmware/efi/libstub/Makefile | 1 + drivers/firmware/efi/libstub/arm-stub.c | 3 ++ drivers/firmware/efi/libstub/tpm.c | 58 +++++++++++++++++++++++++++++++++ 4 files changed, 72 insertions(+) create mode 100644 drivers/firmware/efi/libstub/tpm.c (limited to 'drivers') diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig index 394db40ed374..2b4c39fdfa91 100644 --- a/drivers/firmware/efi/Kconfig +++ b/drivers/firmware/efi/Kconfig @@ -151,6 +151,16 @@ config APPLE_PROPERTIES If unsure, say Y if you have a Mac. Otherwise N. +config RESET_ATTACK_MITIGATION + bool "Reset memory attack mitigation" + depends on EFI_STUB + help + Request that the firmware clear the contents of RAM after a reboot + using the TCG Platform Reset Attack Mitigation specification. This + protects against an attacker forcibly rebooting the system while it + still contains secrets in RAM, booting another OS and extracting the + secrets. + endmenu config UEFI_CPER diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile index cf81e6cf5ae8..dedf9bde44db 100644 --- a/drivers/firmware/efi/libstub/Makefile +++ b/drivers/firmware/efi/libstub/Makefile @@ -30,6 +30,7 @@ OBJECT_FILES_NON_STANDARD := y KCOV_INSTRUMENT := n lib-y := efi-stub-helper.o gop.o secureboot.o +lib-$(CONFIG_RESET_ATTACK_MITIGATION) += tpm.o # include the stub's generic dependencies from lib/ when building for ARM/arm64 arm-deps := fdt_rw.c fdt_ro.c fdt_wip.c fdt.c fdt_empty_tree.c fdt_sw.c sort.c diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index 8181ac179d14..1cb2d1c070c3 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c 
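Review bot: The help text for RESET_ATTACK_MITIGATION does not say that the stub sets the request on every boot and that clearing it is left to userspace, which is what an administrator needs to know before enabling it. The commit message explains that userspace can reset the variable to 0 once a controlled shutdown has removed all secrets. A sentence to that effect in the help text would close the gap, together with a note that the firmware will otherwise wipe RAM on each reset (presumably at some cost in boot time).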
@@ -192,6 +192,9 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, goto fail_free_cmdline; } + /* Ask the firmware to clear memory on unclean shutdown */ + efi_enable_reset_attack_mitigation(sys_table); + secure_boot = efi_get_secureboot(sys_table); /* diff --git a/drivers/firmware/efi/libstub/tpm.c b/drivers/firmware/efi/libstub/tpm.c new file mode 100644 index 000000000000..6224cdbc9669 --- /dev/null +++ b/drivers/firmware/efi/libstub/tpm.c 
@@ -0,0 +1,58 @@ +/* + * TPM handling. + * + * Copyright (C) 2016 CoreOS, Inc + * Copyright (C) 2017 Google, Inc. + * Matthew Garrett + * + * This file is part of the Linux kernel, and is made available under the + * terms of the GNU General Public License version 2. + */ +#include +#include + +#include "efistub.h" + +static const efi_char16_t efi_MemoryOverWriteRequest_name[] = { + 'M', 'e', 'm', 'o', 'r', 'y', 'O', 'v', 'e', 'r', 'w', 'r', 'i', 't', + 'e', 'R', 'e', 'q', 'u', 'e', 's', 't', 'C', 'o', 'n', 't', 'r', 'o', + 'l', 0 +}; + +#define MEMORY_ONLY_RESET_CONTROL_GUID \ + EFI_GUID(0xe20939be, 0x32d4, 0x41be, 0xa1, 0x50, 0x89, 0x7f, 0x85, 0xd4, 0x98, 0x29) + +#define get_efi_var(name, vendor, ...) \ + efi_call_runtime(get_variable, \ + (efi_char16_t *)(name), (efi_guid_t *)(vendor), \ + __VA_ARGS__) + +#define set_efi_var(name, vendor, ...) \ + efi_call_runtime(set_variable, \ + (efi_char16_t *)(name), (efi_guid_t *)(vendor), \ + __VA_ARGS__) + +/* + * Enable reboot attack mitigation. This requests that the firmware clear the + * RAM on next reboot before proceeding with boot, ensuring that any secrets + * are cleared. If userland has ensured that all secrets have been removed + * from RAM before reboot it can simply reset this variable. + */ +void efi_enable_reset_attack_mitigation(efi_system_table_t *sys_table_arg) +{ + u8 val = 1; + efi_guid_t var_guid = MEMORY_ONLY_RESET_CONTROL_GUID; + efi_status_t status; + unsigned long datasize = 0; + + status = get_efi_var(efi_MemoryOverWriteRequest_name, &var_guid, + NULL, &datasize, NULL); + + if (status == EFI_NOT_FOUND) + return; + + set_efi_var(efi_MemoryOverWriteRequest_name, &var_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, sizeof(val), &val); +} -- cgit v1.2.3 From c2ceb5fd4e921506e86208b82fca716a2c3aad59 Mon Sep 17 00:00:00 2001 
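Review bot: The status of the `set_efi_var()` call in efi_enable_reset_attack_mitigation() is discarded, so a firmware that rejects the write leaves the mitigation unarmed with nothing in the boot output to show it. The probe before it returns only on `EFI_NOT_FOUND`; any other failure of `get_efi_var()` (for example `EFI_UNSUPPORTED`) still falls through to the write. I would capture the result with `status = set_efi_var(...);` and report it with `if (status != EFI_SUCCESS) pr_efi_err(sys_table_arg, "Failed to set MemoryOverwriteRequestControl\n");`. The array is also named `efi_MemoryOverWriteRequest_name` while the variable it spells is MemoryOverwriteRequestControl; a matching name would make the code easier to grep.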
From: Ard Biesheuvel Date: Fri, 25 Aug 2017 16:50:16 +0100 Subject: efi/random: Increase size of firmware supplied randomness The crng code requires at least 64 bytes (2 * CHACHA20_BLOCK_SIZE) to complete the fast boot-time init, so provide that many bytes when invoking UEFI protocols to seed the entropy pool. Also, add a notice so we can tell from the boot log when the seeding actually took place. Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170825155019.6740-3-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/efi.c | 3 ++- drivers/firmware/efi/libstub/random.c | 10 ++++------ 2 files changed, 6 insertions(+), 7 deletions(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index a32e1460ade8..c8a27a2c30c1 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -541,6 +541,7 @@ int __init efi_config_parse_tables(void *config_tables, int count, int sz, if (seed != NULL) { add_device_randomness(seed->bits, seed->size); early_memunmap(seed, sizeof(*seed) + size); + pr_notice("seeding entropy pool\n"); } else { pr_err("Could not map UEFI random seed!\n"); } @@ -900,7 +901,7 @@ static int update_efi_random_seed(struct notifier_block *nb, seed = memremap(efi.rng_seed, sizeof(*seed), MEMREMAP_WB); if (seed != NULL) { - size = min(seed->size, 32U); + size = min(seed->size, EFI_RANDOM_SEED_SIZE); memunmap(seed); } else { pr_err("Could not map UEFI random seed!\n"); diff --git a/drivers/firmware/efi/libstub/random.c b/drivers/firmware/efi/libstub/random.c index 7e72954d5860..e0e603a89aa9 100644 --- a/drivers/firmware/efi/libstub/random.c +++ b/drivers/firmware/efi/libstub/random.c 
@@ -145,8 +145,6 @@ efi_status_t efi_random_alloc(efi_system_table_t *sys_table_arg, return status; } -#define RANDOM_SEED_SIZE 32 - efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg) { efi_guid_t rng_proto = EFI_RNG_PROTOCOL_GUID; @@ -162,25 +160,25 @@ efi_status_t efi_random_get_seed(efi_system_table_t *sys_table_arg) return status; status = efi_call_early(allocate_pool, EFI_RUNTIME_SERVICES_DATA, - sizeof(*seed) + RANDOM_SEED_SIZE, + sizeof(*seed) + EFI_RANDOM_SEED_SIZE, (void **)&seed); if (status != EFI_SUCCESS) return status; - status = rng->get_rng(rng, &rng_algo_raw, RANDOM_SEED_SIZE, + status = rng->get_rng(rng, &rng_algo_raw, EFI_RANDOM_SEED_SIZE, seed->bits); if (status == EFI_UNSUPPORTED) /* * Use whatever algorithm we have available if the raw algorithm * is not implemented. */ - status = rng->get_rng(rng, NULL, RANDOM_SEED_SIZE, + status = rng->get_rng(rng, NULL, EFI_RANDOM_SEED_SIZE, seed->bits); if (status != EFI_SUCCESS) goto err_freepool; - seed->size = RANDOM_SEED_SIZE; + seed->size = EFI_RANDOM_SEED_SIZE; status = efi_call_early(install_configuration_table, &rng_table_guid, seed); if (status != EFI_SUCCESS) -- cgit v1.2.3 From 68ee51cb773bed81f9ff7144eca0a08550e1f9a1 Mon Sep 17 00:00:00 2001 From: Colin Ian King Date: Fri, 25 Aug 2017 16:50:17 +0100 Subject: efi/reboot: Make function pointer orig_pm_power_off static The function pointer orig_pm_power_off is local to the source and does not need to be in global scope, so make it static. Cleans up sparse warning: symbol 'orig_pm_power_off' was not declared. Should it be static? Signed-off-by: Colin Ian King Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170825155019.6740-4-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar --- drivers/firmware/efi/reboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers') 
diff --git a/drivers/firmware/efi/reboot.c b/drivers/firmware/efi/reboot.c index 7117e2d0c7f9..22874544d301 100644 --- a/drivers/firmware/efi/reboot.c +++ b/drivers/firmware/efi/reboot.c @@ -5,7 +5,7 @@ #include #include -void (*orig_pm_power_off)(void); +static void (*orig_pm_power_off)(void); int efi_reboot_quirk_mode = -1; -- cgit v1.2.3 From 23f0571c9fd184504f7a2f27011750e0ad99bb73 Mon Sep 17 00:00:00 2001 From: Jan Beulich Date: Fri, 25 Aug 2017 16:50:18 +0100 Subject: efi: Move efi_mem_type() to common code This follows efi_mem_attributes(), as it's similarly generic. Drop __weak from that one though (and don't introduce it for efi_mem_type() in the first place) to make clear that other overrides to these functions are really not intended. Signed-off-by: Jan Beulich Signed-off-by: Ard Biesheuvel Cc: Jan Beulich Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170825155019.6740-5-ard.biesheuvel@linaro.org [ Resolved conflict with: f99afd08a45f: (efi: Update efi_mem_type() to return an error rather than 0) ] Signed-off-by: Ingo Molnar --- drivers/firmware/efi/efi.c | 37 +++++++++++++++++++++++++++++++------ 1 file changed, 31 insertions(+), 6 deletions(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c index c8a27a2c30c1..f70febf680c3 100644 --- a/drivers/firmware/efi/efi.c +++ b/drivers/firmware/efi/efi.c @@ -810,6 +810,11 @@ char * __init efi_md_typeattr_format(char *buf, size_t size, return buf; } +/* + * IA64 has a funky EFI memory map that doesn't work the same way as + * other architectures. + */ +#ifndef CONFIG_IA64 /* * efi_mem_attributes - lookup memmap attributes for physical address * @phys_addr: the physical address to lookup 
@@ -817,13 +822,8 @@ char * __init efi_md_typeattr_format(char *buf, size_t size, * Search in the EFI memory map for the region covering * @phys_addr. Returns the EFI memory attributes if the region * was found in the memory map, 0 otherwise. - * - * Despite being marked __weak, most architectures should *not* - * override this function. It is __weak solely for the benefit - * of ia64 which has a funky EFI memory map that doesn't work - * the same way as other architectures. */ -u64 __weak efi_mem_attributes(unsigned long phys_addr) +u64 efi_mem_attributes(unsigned long phys_addr) { efi_memory_desc_t *md; @@ -839,6 +839,31 @@ u64 __weak efi_mem_attributes(unsigned long phys_addr) return 0; } +/* + * efi_mem_type - lookup memmap type for physical address + * @phys_addr: the physical address to lookup + * + * Search in the EFI memory map for the region covering @phys_addr. + * Returns the EFI memory type if the region was found in the memory + * map, EFI_RESERVED_TYPE (zero) otherwise. + */ +int efi_mem_type(unsigned long phys_addr) +{ + const efi_memory_desc_t *md; + + if (!efi_enabled(EFI_MEMMAP)) + return -ENOTSUPP; + + for_each_efi_memory_desc(md) { + if ((md->phys_addr <= phys_addr) && + (phys_addr < (md->phys_addr + + (md->num_pages << EFI_PAGE_SHIFT)))) + return md->type; + } + return -EINVAL; +} +#endif + int efi_status_to_err(efi_status_t status) { int err; -- cgit v1.2.3 From 6de47a5e371f75f80544986e6c9636211a2ae8af Mon Sep 17 00:00:00 2001 From: Jan Beulich Date: Fri, 25 Aug 2017 16:50:19 +0100 Subject: efi/bgrt: Use efi_mem_type() Avoid effectively open-coding the function. Signed-off-by: Jan Beulich Signed-off-by: Ard Biesheuvel Cc: Jan Beulich Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Link: http://lkml.kernel.org/r/20170825155019.6740-6-ard.biesheuvel@linaro.org 
Signed-off-by: Ingo Molnar --- drivers/firmware/efi/efi-bgrt.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) (limited to 'drivers') diff --git a/drivers/firmware/efi/efi-bgrt.c b/drivers/firmware/efi/efi-bgrt.c index b58233e4ed71..50793fda7819 100644 --- a/drivers/firmware/efi/efi-bgrt.c +++ b/drivers/firmware/efi/efi-bgrt.c @@ -27,26 +27,6 @@ struct bmp_header { u32 size; } __packed; -static bool efi_bgrt_addr_valid(u64 addr) -{ - efi_memory_desc_t *md; - - for_each_efi_memory_desc(md) { - u64 size; - u64 end; - - if (md->type != EFI_BOOT_SERVICES_DATA) - continue; - - size = md->num_pages << EFI_PAGE_SHIFT; - end = md->phys_addr + size; - if (addr >= md->phys_addr && addr < end) - return true; - } - - return false; -} - void __init efi_bgrt_init(struct acpi_table_header *table) { void *image; @@ -85,7 +65,7 @@ void __init efi_bgrt_init(struct acpi_table_header *table) goto out; } - if (!efi_bgrt_addr_valid(bgrt->image_address)) { + if (efi_mem_type(bgrt->image_address) != EFI_BOOT_SERVICES_DATA) { pr_notice("Ignoring BGRT: invalid image address\n"); goto out; } -- cgit v1.2.3
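Review bot: Replacing efi_bgrt_addr_valid(u64) with `efi_mem_type(bgrt->image_address)` narrows the validated address to `unsigned long`, so on a 32-bit build an image address above 4 GiB would be truncated before the lookup and could be checked against the wrong region. The removed helper compared the full 64-bit value. If 32-bit configurations can reach this path, either reject addresses that do not fit, e.g. `if (bgrt->image_address > ULONG_MAX || efi_mem_type(bgrt->image_address) != EFI_BOOT_SERVICES_DATA)`, or widen the parameter of efi_mem_type(). The type of `bgrt->image_address` is not visible in this hunk; I am assuming it is 64-bit, as the removed helper's signature suggests. efi_bgrt_init() continues outside the hunk.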