2019-02-02 10:41:15 +01:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
2013-09-22 15:45:27 -07:00
|
|
|
/*
|
|
|
|
|
* Helper functions used by the EFI stub on multiple
|
|
|
|
|
* architectures. This should be #included by the EFI stub
|
|
|
|
|
* implementation files.
|
|
|
|
|
*
|
|
|
|
|
* Copyright 2011 Intel Corporation; author Matt Fleming
|
|
|
|
|
*/
|
|
|
|
|
|
2020-05-18 15:06:56 -04:00
|
|
|
#include <stdarg.h>
|
|
|
|
|
|
2020-05-20 20:29:21 -04:00
|
|
|
#include <linux/ctype.h>
|
2014-07-02 14:54:42 +02:00
|
|
|
#include <linux/efi.h>
|
2020-05-18 15:06:55 -04:00
|
|
|
#include <linux/kernel.h>
|
2020-05-20 19:07:54 +02:00
|
|
|
#include <linux/printk.h> /* For CONSOLE_LOGLEVEL_* */
|
2014-07-02 14:54:42 +02:00
|
|
|
#include <asm/efi.h>
|
2020-05-20 20:29:21 -04:00
|
|
|
#include <asm/setup.h>
|
2014-07-02 14:54:42 +02:00
|
|
|
|
|
|
|
|
#include "efistub.h"
|
2014-01-28 10:41:28 -08:00
|
|
|
|
2020-04-16 18:45:24 +02:00
|
|
|
bool efi_nochunk;
|
2020-07-09 21:48:41 +01:00
|
|
|
bool efi_nokaslr = !IS_ENABLED(CONFIG_RANDOMIZE_BASE);
|
2020-04-16 18:45:24 +02:00
|
|
|
bool efi_noinitrd;
|
2020-05-20 19:07:54 +02:00
|
|
|
int efi_loglevel = CONSOLE_LOGLEVEL_DEFAULT;
|
2020-04-16 18:45:24 +02:00
|
|
|
bool efi_novamap;
|
|
|
|
|
|
2020-04-16 11:12:27 -04:00
|
|
|
static bool efi_nosoftreserve;
|
|
|
|
|
static bool efi_disable_pci_dma = IS_ENABLED(CONFIG_EFI_DISABLE_PCI_DMA);
|
2017-04-04 17:09:08 +01:00
|
|
|
|
2019-11-06 17:43:11 -08:00
|
|
|
bool __pure __efi_soft_reserve_enabled(void)
|
|
|
|
|
{
|
|
|
|
|
return !efi_nosoftreserve;
|
|
|
|
|
}
|
2017-04-04 17:09:08 +01:00
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_char16_puts() - Write a UCS-2 encoded string to the console
|
|
|
|
|
* @str: UCS-2 encoded string
|
|
|
|
|
*/
|
2020-05-18 15:06:54 -04:00
|
|
|
void efi_char16_puts(efi_char16_t *str)
|
|
|
|
|
{
|
|
|
|
|
efi_call_proto(efi_table_attr(efi_system_table, con_out),
|
|
|
|
|
output_string, str);
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-18 15:07:13 -04:00
|
|
|
static
|
|
|
|
|
u32 utf8_to_utf32(const u8 **s8)
|
|
|
|
|
{
|
|
|
|
|
u32 c32;
|
|
|
|
|
u8 c0, cx;
|
|
|
|
|
size_t clen, i;
|
|
|
|
|
|
|
|
|
|
c0 = cx = *(*s8)++;
|
|
|
|
|
/*
|
|
|
|
|
* The position of the most-significant 0 bit gives us the length of
|
|
|
|
|
* a multi-octet encoding.
|
|
|
|
|
*/
|
|
|
|
|
for (clen = 0; cx & 0x80; ++clen)
|
|
|
|
|
cx <<= 1;
|
|
|
|
|
/*
|
|
|
|
|
* If the 0 bit is in position 8, this is a valid single-octet
|
|
|
|
|
* encoding. If the 0 bit is in position 7 or positions 1-3, the
|
|
|
|
|
* encoding is invalid.
|
|
|
|
|
* In either case, we just return the first octet.
|
|
|
|
|
*/
|
|
|
|
|
if (clen < 2 || clen > 4)
|
|
|
|
|
return c0;
|
|
|
|
|
/* Get the bits from the first octet. */
|
|
|
|
|
c32 = cx >> clen--;
|
|
|
|
|
for (i = 0; i < clen; ++i) {
|
|
|
|
|
/* Trailing octets must have 10 in most significant bits. */
|
|
|
|
|
cx = (*s8)[i] ^ 0x80;
|
|
|
|
|
if (cx & 0xc0)
|
|
|
|
|
return c0;
|
|
|
|
|
c32 = (c32 << 6) | cx;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Check for validity:
|
|
|
|
|
* - The character must be in the Unicode range.
|
|
|
|
|
* - It must not be a surrogate.
|
|
|
|
|
* - It must be encoded using the correct number of octets.
|
|
|
|
|
*/
|
|
|
|
|
if (c32 > 0x10ffff ||
|
|
|
|
|
(c32 & 0xf800) == 0xd800 ||
|
|
|
|
|
clen != (c32 >= 0x80) + (c32 >= 0x800) + (c32 >= 0x10000))
|
|
|
|
|
return c0;
|
|
|
|
|
*s8 += clen;
|
|
|
|
|
return c32;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_puts() - Write a UTF-8 encoded string to the console
|
|
|
|
|
* @str: UTF-8 encoded string
|
|
|
|
|
*/
|
2020-05-18 15:06:54 -04:00
|
|
|
void efi_puts(const char *str)
|
2013-09-22 15:45:27 -07:00
|
|
|
{
|
2020-05-18 15:06:55 -04:00
|
|
|
efi_char16_t buf[128];
|
|
|
|
|
size_t pos = 0, lim = ARRAY_SIZE(buf);
|
2020-05-18 15:07:13 -04:00
|
|
|
const u8 *s8 = (const u8 *)str;
|
|
|
|
|
u32 c32;
|
2013-09-22 15:45:27 -07:00
|
|
|
|
2020-05-18 15:07:13 -04:00
|
|
|
while (*s8) {
|
|
|
|
|
if (*s8 == '\n')
|
2020-05-18 15:06:55 -04:00
|
|
|
buf[pos++] = L'\r';
|
2020-05-18 15:07:13 -04:00
|
|
|
c32 = utf8_to_utf32(&s8);
|
|
|
|
|
if (c32 < 0x10000) {
|
|
|
|
|
/* Characters in plane 0 use a single word. */
|
|
|
|
|
buf[pos++] = c32;
|
|
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* Characters in other planes encode into a surrogate
|
|
|
|
|
* pair.
|
|
|
|
|
*/
|
|
|
|
|
buf[pos++] = (0xd800 - (0x10000 >> 10)) + (c32 >> 10);
|
|
|
|
|
buf[pos++] = 0xdc00 + (c32 & 0x3ff);
|
|
|
|
|
}
|
|
|
|
|
if (*s8 == '\0' || pos >= lim - 2) {
|
2020-05-18 15:06:55 -04:00
|
|
|
buf[pos] = L'\0';
|
|
|
|
|
efi_char16_puts(buf);
|
|
|
|
|
pos = 0;
|
|
|
|
|
}
|
2013-09-22 15:45:27 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_printk() - Print a kernel message
|
|
|
|
|
* @fmt: format string
|
|
|
|
|
*
|
|
|
|
|
* The first letter of the format string is used to determine the logging level
|
|
|
|
|
* of the message. If the level is less then the current EFI logging level, the
|
|
|
|
|
* message is suppressed. The message will be truncated to 255 bytes.
|
|
|
|
|
*
|
|
|
|
|
* Return: number of printed characters
|
|
|
|
|
*/
|
2020-05-18 15:06:56 -04:00
|
|
|
int efi_printk(const char *fmt, ...)
|
|
|
|
|
{
|
|
|
|
|
char printf_buf[256];
|
|
|
|
|
va_list args;
|
|
|
|
|
int printed;
|
2020-05-20 19:07:54 +02:00
|
|
|
int loglevel = printk_get_level(fmt);
|
|
|
|
|
|
|
|
|
|
switch (loglevel) {
|
|
|
|
|
case '0' ... '9':
|
|
|
|
|
loglevel -= '0';
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
/*
|
|
|
|
|
* Use loglevel -1 for cases where we just want to print to
|
|
|
|
|
* the screen.
|
|
|
|
|
*/
|
|
|
|
|
loglevel = -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (loglevel >= efi_loglevel)
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (loglevel >= 0)
|
|
|
|
|
efi_puts("EFI stub: ");
|
|
|
|
|
|
|
|
|
|
fmt = printk_skip_level(fmt);
|
2020-05-18 15:06:56 -04:00
|
|
|
|
|
|
|
|
va_start(args, fmt);
|
2020-05-18 15:07:08 -04:00
|
|
|
printed = vsnprintf(printf_buf, sizeof(printf_buf), fmt, args);
|
2020-05-18 15:06:56 -04:00
|
|
|
va_end(args);
|
|
|
|
|
|
|
|
|
|
efi_puts(printf_buf);
|
2020-05-18 15:07:08 -04:00
|
|
|
if (printed >= sizeof(printf_buf)) {
|
|
|
|
|
efi_puts("[Message truncated]\n");
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2020-05-18 15:06:56 -04:00
|
|
|
|
|
|
|
|
return printed;
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_parse_options() - Parse EFI command line options
|
|
|
|
|
* @cmdline: kernel command line
|
|
|
|
|
*
|
|
|
|
|
* Parse the ASCII string @cmdline for EFI options, denoted by the efi=
|
2014-08-05 11:52:11 +01:00
|
|
|
* option, e.g. efi=nochunk.
|
|
|
|
|
*
|
|
|
|
|
* It should be noted that efi= is parsed in two very different
|
|
|
|
|
* environments, first in the early boot environment of the EFI boot
|
|
|
|
|
* stub, and subsequently during the kernel boot.
|
2020-06-16 01:42:31 +02:00
|
|
|
*
|
|
|
|
|
* Return: status code
|
2014-08-05 11:52:11 +01:00
|
|
|
*/
|
2017-04-04 17:09:08 +01:00
|
|
|
efi_status_t efi_parse_options(char const *cmdline)
|
2014-08-05 11:52:11 +01:00
|
|
|
{
|
2020-07-29 15:33:00 -04:00
|
|
|
size_t len;
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
efi_status_t status;
|
|
|
|
|
char *str, *buf;
|
2014-08-05 11:52:11 +01:00
|
|
|
|
2020-07-29 15:33:00 -04:00
|
|
|
if (!cmdline)
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
|
2020-08-13 14:58:11 -04:00
|
|
|
len = strnlen(cmdline, COMMAND_LINE_SIZE - 1) + 1;
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, len, (void **)&buf);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
efi/arm/arm64: Allow SetVirtualAddressMap() to be omitted
The UEFI spec revision 2.7 errata A section 8.4 has the following to
say about the virtual memory runtime services:
"This section contains function definitions for the virtual memory
support that may be optionally used by an operating system at runtime.
If an operating system chooses to make EFI runtime service calls in a
virtual addressing mode instead of the flat physical mode, then the
operating system must use the services in this section to switch the
EFI runtime services from flat physical addressing to virtual
addressing."
So it is pretty clear that calling SetVirtualAddressMap() is entirely
optional, and so there is no point in doing so unless it achieves
anything useful for us.
This is not the case for 64-bit ARM. The identity mapping used by the
firmware is arbitrarily converted into another permutation of userland
addresses (i.e., bits [63:48] cleared), and the runtime code could easily
deal with the original layout in exactly the same way as it deals with
the converted layout. However, due to constraints related to page size
differences if the OS is not running with 4k pages, and related to
systems that may expose the individual sections of PE/COFF runtime
modules as different memory regions, creating the virtual layout is a
bit fiddly, and requires us to sort the memory map and reason about
adjacent regions with identical memory types etc etc.
So the obvious fix is to stop calling SetVirtualAddressMap() altogether
on arm64 systems. However, to avoid surprises, which are notoriously
hard to diagnose when it comes to OS<->firmware interactions, let's
start by making it an opt-out feature, and implement support for the
'efi=novamap' kernel command line parameter on ARM and arm64 systems.
( Note that 32-bit ARM generally does require SetVirtualAddressMap() to be
used, given that the physical memory map and the kernel virtual address
map are not guaranteed to be non-overlapping like on arm64. However,
having support for efi=novamap,noruntime on 32-bit ARM, combined with
the recently proposed support for earlycon=efifb, is likely to be useful
to diagnose boot issues on such systems if they have no accessible serial
port. )
Tested-by: Jeffrey Hugo <jhugo@codeaurora.org>
Tested-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Tested-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: Alexander Graf <agraf@suse.de>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
Cc: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Jones <pjones@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sai Praneeth Prakhya <sai.praneeth.prakhya@intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/20190202094119.13230-8-ard.biesheuvel@linaro.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-02-02 10:41:16 +01:00
|
|
|
|
2020-08-13 14:58:11 -04:00
|
|
|
memcpy(buf, cmdline, len - 1);
|
|
|
|
|
buf[len - 1] = '\0';
|
|
|
|
|
str = skip_spaces(buf);
|
2019-11-06 17:43:11 -08:00
|
|
|
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
while (*str) {
|
|
|
|
|
char *param, *val;
|
2020-01-03 12:39:50 +01:00
|
|
|
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
str = next_arg(str, ¶m, &val);
|
2020-07-25 11:59:16 -04:00
|
|
|
if (!val && !strcmp(param, "--"))
|
|
|
|
|
break;
|
2020-01-03 12:39:50 +01:00
|
|
|
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
if (!strcmp(param, "nokaslr")) {
|
|
|
|
|
efi_nokaslr = true;
|
|
|
|
|
} else if (!strcmp(param, "quiet")) {
|
2020-05-20 19:07:54 +02:00
|
|
|
efi_loglevel = CONSOLE_LOGLEVEL_QUIET;
|
efi/libstub: Take noinitrd cmdline argument into account for devpath initrd
One of the advantages of using what basically amounts to a callback
interface into the bootloader for loading the initrd is that it provides
a natural place for the bootloader or firmware to measure the initrd
contents while they are being passed to the kernel.
Unfortunately, this is not a guarantee that the initrd will in fact be
loaded and its /init invoked by the kernel, since the command line may
contain the 'noinitrd' option, in which case the initrd is ignored, but
this will not be reflected in the PCR that covers the initrd measurement.
This could be addressed by measuring the command line as well, and
including that PCR in the attestation policy, but this locks down the
command line completely, which may be too restrictive.
So let's take the noinitrd argument into account in the stub, too. This
forces any PCR that covers the initrd to assume a different value when
noinitrd is passed, allowing an attestation policy to disregard the
command line if there is no need to take its measurement into account
for other reasons.
As Peter points out, this would still require the agent that takes the
measurements to measure a separator event into the PCR in question at
ExitBootServices() time, to prevent replay attacks using the known
measurement from the TPM log.
Cc: Peter Jones <pjones@redhat.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-04 22:01:22 +00:00
|
|
|
} else if (!strcmp(param, "noinitrd")) {
|
|
|
|
|
efi_noinitrd = true;
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
} else if (!strcmp(param, "efi") && val) {
|
|
|
|
|
efi_nochunk = parse_option_str(val, "nochunk");
|
|
|
|
|
efi_novamap = parse_option_str(val, "novamap");
|
2014-08-05 11:52:11 +01:00
|
|
|
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
efi_nosoftreserve = IS_ENABLED(CONFIG_EFI_SOFT_RESERVE) &&
|
|
|
|
|
parse_option_str(val, "nosoftreserve");
|
2014-08-05 11:52:11 +01:00
|
|
|
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
if (parse_option_str(val, "disable_early_pci_dma"))
|
|
|
|
|
efi_disable_pci_dma = true;
|
|
|
|
|
if (parse_option_str(val, "no_disable_early_pci_dma"))
|
|
|
|
|
efi_disable_pci_dma = false;
|
2020-05-20 19:07:54 +02:00
|
|
|
if (parse_option_str(val, "debug"))
|
|
|
|
|
efi_loglevel = CONSOLE_LOGLEVEL_DEBUG;
|
2020-03-19 22:00:25 -04:00
|
|
|
} else if (!strcmp(param, "video") &&
|
|
|
|
|
val && strstarts(val, "efifb:")) {
|
|
|
|
|
efi_parse_option_graphics(val + strlen("efifb:"));
|
efi/libstub: Clean up command line parsing routine
We currently parse the command non-destructively, to avoid having to
allocate memory for a copy before passing it to the standard parsing
routines that are used by the core kernel, and which modify the input
to delineate the parsed tokens with NUL characters.
Instead, we call strstr() and strncmp() to go over the input multiple
times, and match prefixes rather than tokens, which implies that we
would match, e.g., 'nokaslrfoo' in the stub and disable KASLR, while
the kernel would disregard the option and run with KASLR enabled.
In order to avoid having to reason about whether and how this behavior
may be abused, let's clean up the parsing routines, and rebuild them
on top of the existing helpers.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-10 17:02:46 +01:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
efi_bs_call(free_pool, buf);
|
2014-08-05 11:52:11 +01:00
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
2013-09-22 15:45:27 -07:00
|
|
|
|
2020-09-14 17:35:35 -04:00
|
|
|
/*
|
|
|
|
|
* The EFI_LOAD_OPTION descriptor has the following layout:
|
|
|
|
|
* u32 Attributes;
|
|
|
|
|
* u16 FilePathListLength;
|
|
|
|
|
* u16 Description[];
|
|
|
|
|
* efi_device_path_protocol_t FilePathList[];
|
|
|
|
|
* u8 OptionalData[];
|
|
|
|
|
*
|
|
|
|
|
* This function validates and unpacks the variable-size data fields.
|
|
|
|
|
*/
|
|
|
|
|
static
|
|
|
|
|
bool efi_load_option_unpack(efi_load_option_unpacked_t *dest,
|
|
|
|
|
const efi_load_option_t *src, size_t size)
|
|
|
|
|
{
|
|
|
|
|
const void *pos;
|
|
|
|
|
u16 c;
|
|
|
|
|
efi_device_path_protocol_t header;
|
|
|
|
|
const efi_char16_t *description;
|
|
|
|
|
const efi_device_path_protocol_t *file_path_list;
|
|
|
|
|
|
|
|
|
|
if (size < offsetof(efi_load_option_t, variable_data))
|
|
|
|
|
return false;
|
|
|
|
|
pos = src->variable_data;
|
|
|
|
|
size -= offsetof(efi_load_option_t, variable_data);
|
|
|
|
|
|
|
|
|
|
if ((src->attributes & ~EFI_LOAD_OPTION_MASK) != 0)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
/* Scan description. */
|
|
|
|
|
description = pos;
|
|
|
|
|
do {
|
|
|
|
|
if (size < sizeof(c))
|
|
|
|
|
return false;
|
|
|
|
|
c = *(const u16 *)pos;
|
|
|
|
|
pos += sizeof(c);
|
|
|
|
|
size -= sizeof(c);
|
|
|
|
|
} while (c != L'\0');
|
|
|
|
|
|
|
|
|
|
/* Scan file_path_list. */
|
|
|
|
|
file_path_list = pos;
|
|
|
|
|
do {
|
|
|
|
|
if (size < sizeof(header))
|
|
|
|
|
return false;
|
|
|
|
|
header = *(const efi_device_path_protocol_t *)pos;
|
|
|
|
|
if (header.length < sizeof(header))
|
|
|
|
|
return false;
|
|
|
|
|
if (size < header.length)
|
|
|
|
|
return false;
|
|
|
|
|
pos += header.length;
|
|
|
|
|
size -= header.length;
|
|
|
|
|
} while ((header.type != EFI_DEV_END_PATH && header.type != EFI_DEV_END_PATH2) ||
|
|
|
|
|
(header.sub_type != EFI_DEV_END_ENTIRE));
|
|
|
|
|
if (pos != (const void *)file_path_list + src->file_path_list_length)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
dest->attributes = src->attributes;
|
|
|
|
|
dest->file_path_list_length = src->file_path_list_length;
|
|
|
|
|
dest->description = description;
|
|
|
|
|
dest->file_path_list = file_path_list;
|
|
|
|
|
dest->optional_data_size = size;
|
|
|
|
|
dest->optional_data = size ? pos : NULL;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* At least some versions of Dell firmware pass the entire contents of the
|
|
|
|
|
* Boot#### variable, i.e. the EFI_LOAD_OPTION descriptor, rather than just the
|
|
|
|
|
* OptionalData field.
|
|
|
|
|
*
|
|
|
|
|
* Detect this case and extract OptionalData.
|
|
|
|
|
*/
|
|
|
|
|
void efi_apply_loadoptions_quirk(const void **load_options, int *load_options_size)
|
|
|
|
|
{
|
|
|
|
|
const efi_load_option_t *load_option = *load_options;
|
|
|
|
|
efi_load_option_unpacked_t load_option_unpacked;
|
|
|
|
|
|
|
|
|
|
if (!IS_ENABLED(CONFIG_X86))
|
|
|
|
|
return;
|
|
|
|
|
if (!load_option)
|
|
|
|
|
return;
|
|
|
|
|
if (*load_options_size < sizeof(*load_option))
|
|
|
|
|
return;
|
|
|
|
|
if ((load_option->attributes & ~EFI_LOAD_OPTION_BOOT_MASK) != 0)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
if (!efi_load_option_unpack(&load_option_unpacked, load_option, *load_options_size))
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
efi_warn_once(FW_BUG "LoadOptions is an EFI_LOAD_OPTION descriptor\n");
|
|
|
|
|
efi_warn_once(FW_BUG "Using OptionalData as a workaround\n");
|
|
|
|
|
|
|
|
|
|
*load_options = load_option_unpacked.optional_data;
|
|
|
|
|
*load_options_size = load_option_unpacked.optional_data_size;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-22 15:45:33 -07:00
|
|
|
/*
|
|
|
|
|
* Convert the unicode UEFI command line to ASCII to pass to kernel.
|
|
|
|
|
* Size of memory allocated return in *cmd_line_len.
|
|
|
|
|
* Returns NULL on error.
|
|
|
|
|
*/
|
2020-05-19 10:43:01 +02:00
|
|
|
char *efi_convert_cmdline(efi_loaded_image_t *image, int *cmd_line_len)
|
2013-09-22 15:45:33 -07:00
|
|
|
{
|
2013-09-20 09:55:39 -05:00
|
|
|
const u16 *s2;
|
2013-09-22 15:45:33 -07:00
|
|
|
unsigned long cmdline_addr = 0;
|
2020-09-14 17:35:35 -04:00
|
|
|
int options_chars = efi_table_attr(image, load_options_size);
|
2020-02-14 14:29:21 +01:00
|
|
|
const u16 *options = efi_table_attr(image, load_options);
|
2020-05-20 20:29:21 -04:00
|
|
|
int options_bytes = 0, safe_options_bytes = 0; /* UTF-8 bytes */
|
|
|
|
|
bool in_quote = false;
|
2013-09-22 15:45:33 -07:00
|
|
|
efi_status_t status;
|
|
|
|
|
|
2020-09-14 17:35:35 -04:00
|
|
|
efi_apply_loadoptions_quirk((const void **)&options, &options_chars);
|
|
|
|
|
options_chars /= sizeof(*options);
|
|
|
|
|
|
2013-09-22 15:45:33 -07:00
|
|
|
if (options) {
|
|
|
|
|
s2 = options;
|
2020-05-20 20:29:21 -04:00
|
|
|
while (options_bytes < COMMAND_LINE_SIZE && options_chars--) {
|
2020-05-18 15:07:15 -04:00
|
|
|
u16 c = *s2++;
|
|
|
|
|
|
2020-05-20 20:29:21 -04:00
|
|
|
if (c < 0x80) {
|
|
|
|
|
if (c == L'\0' || c == L'\n')
|
|
|
|
|
break;
|
|
|
|
|
if (c == L'"')
|
|
|
|
|
in_quote = !in_quote;
|
|
|
|
|
else if (!in_quote && isspace((char)c))
|
|
|
|
|
safe_options_bytes = options_bytes;
|
|
|
|
|
|
|
|
|
|
options_bytes++;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-18 15:07:15 -04:00
|
|
|
/*
|
|
|
|
|
* Get the number of UTF-8 bytes corresponding to a
|
|
|
|
|
* UTF-16 character.
|
|
|
|
|
* The first part handles everything in the BMP.
|
|
|
|
|
*/
|
2020-05-20 20:29:21 -04:00
|
|
|
options_bytes += 2 + (c >= 0x800);
|
2020-05-18 15:07:15 -04:00
|
|
|
/*
|
|
|
|
|
* Add one more byte for valid surrogate pairs. Invalid
|
|
|
|
|
* surrogates will be replaced with 0xfffd and take up
|
|
|
|
|
* only 3 bytes.
|
|
|
|
|
*/
|
|
|
|
|
if ((c & 0xfc00) == 0xd800) {
|
|
|
|
|
/*
|
|
|
|
|
* If the very last word is a high surrogate,
|
|
|
|
|
* we must ignore it since we can't access the
|
|
|
|
|
* low surrogate.
|
|
|
|
|
*/
|
2020-05-18 15:07:16 -04:00
|
|
|
if (!options_chars) {
|
2020-05-18 15:07:15 -04:00
|
|
|
options_bytes -= 3;
|
|
|
|
|
} else if ((*s2 & 0xfc00) == 0xdc00) {
|
|
|
|
|
options_bytes++;
|
2020-05-18 15:07:16 -04:00
|
|
|
options_chars--;
|
2020-05-18 15:07:15 -04:00
|
|
|
s2++;
|
|
|
|
|
}
|
|
|
|
|
}
|
2013-09-22 15:45:33 -07:00
|
|
|
}
|
2020-05-20 20:29:21 -04:00
|
|
|
if (options_bytes >= COMMAND_LINE_SIZE) {
|
|
|
|
|
options_bytes = safe_options_bytes;
|
|
|
|
|
efi_err("Command line is too long: truncated to %d bytes\n",
|
|
|
|
|
options_bytes);
|
|
|
|
|
}
|
2013-09-22 15:45:33 -07:00
|
|
|
}
|
|
|
|
|
|
2013-09-20 09:55:39 -05:00
|
|
|
options_bytes++; /* NUL termination */
|
2014-04-04 13:25:46 +01:00
|
|
|
|
2020-05-19 10:43:01 +02:00
|
|
|
status = efi_bs_call(allocate_pool, EFI_LOADER_DATA, options_bytes,
|
|
|
|
|
(void **)&cmdline_addr);
|
2013-09-22 15:45:33 -07:00
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
2020-05-18 15:07:16 -04:00
|
|
|
snprintf((char *)cmdline_addr, options_bytes, "%.*ls",
|
|
|
|
|
options_bytes - 1, options);
|
2013-09-22 15:45:33 -07:00
|
|
|
|
2013-09-20 09:55:39 -05:00
|
|
|
*cmd_line_len = options_bytes;
|
2013-09-22 15:45:33 -07:00
|
|
|
return (char *)cmdline_addr;
|
|
|
|
|
}
|
2016-08-29 14:38:52 -06:00
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_exit_boot_services() - Exit boot services
|
|
|
|
|
* @handle: handle of the exiting image
|
|
|
|
|
* @map: pointer to receive the memory map
|
|
|
|
|
* @priv: argument to be passed to @priv_func
|
|
|
|
|
* @priv_func: function to process the memory map before exiting boot services
|
|
|
|
|
*
|
2016-08-29 14:38:52 -06:00
|
|
|
* Handle calling ExitBootServices according to the requirements set out by the
|
|
|
|
|
* spec. Obtains the current memory map, and returns that info after calling
|
|
|
|
|
* ExitBootServices. The client must specify a function to perform any
|
|
|
|
|
* processing of the memory map data prior to ExitBootServices. A client
|
|
|
|
|
* specific structure may be passed to the function via priv. The client
|
|
|
|
|
* function may be called multiple times.
|
2020-06-16 01:42:31 +02:00
|
|
|
*
|
|
|
|
|
* Return: status code
|
2016-08-29 14:38:52 -06:00
|
|
|
*/
|
2019-12-24 16:10:19 +01:00
|
|
|
efi_status_t efi_exit_boot_services(void *handle,
|
2016-08-29 14:38:52 -06:00
|
|
|
struct efi_boot_memmap *map,
|
|
|
|
|
void *priv,
|
|
|
|
|
efi_exit_boot_map_processing priv_func)
|
|
|
|
|
{
|
|
|
|
|
efi_status_t status;
|
|
|
|
|
|
2019-12-24 16:10:19 +01:00
|
|
|
status = efi_get_memory_map(map);
|
2016-08-29 14:38:52 -06:00
|
|
|
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2019-12-24 16:10:19 +01:00
|
|
|
status = priv_func(map, priv);
|
2016-08-29 14:38:52 -06:00
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
goto free_map;
|
|
|
|
|
|
2020-01-03 12:39:50 +01:00
|
|
|
if (efi_disable_pci_dma)
|
|
|
|
|
efi_pci_disable_bridge_busmaster();
|
|
|
|
|
|
efi/libstub: Rename efi_call_early/_runtime macros to be more intuitive
The macros efi_call_early and efi_call_runtime are used to call EFI
boot services and runtime services, respectively. However, the naming
is confusing, given that the early vs runtime distinction may suggest
that these are used for calling the same set of services either early
or late (== at runtime), while in reality, the sets of services they
can be used with are completely disjoint, and efi_call_runtime is also
only usable in 'early' code.
So do a global sweep to replace all occurrences with efi_bs_call or
efi_rt_call, respectively, where BS and RT match the idiom used by
the UEFI spec to refer to boot time or runtime services.
While at it, use 'func' as the macro parameter name for the function
pointers, which is less likely to collide and cause weird build errors.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Borislav Petkov <bp@alien8.de>
Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191224151025.32482-24-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-12-24 16:10:23 +01:00
|
|
|
status = efi_bs_call(exit_boot_services, handle, *map->key_ptr);
|
2016-08-29 14:38:52 -06:00
|
|
|
|
|
|
|
|
if (status == EFI_INVALID_PARAMETER) {
|
|
|
|
|
/*
|
|
|
|
|
* The memory map changed between efi_get_memory_map() and
|
|
|
|
|
* exit_boot_services(). Per the UEFI Spec v2.6, Section 6.4:
|
|
|
|
|
* EFI_BOOT_SERVICES.ExitBootServices we need to get the
|
|
|
|
|
* updated map, and try again. The spec implies one retry
|
|
|
|
|
* should be sufficent, which is confirmed against the EDK2
|
|
|
|
|
* implementation. Per the spec, we can only invoke
|
|
|
|
|
* get_memory_map() and exit_boot_services() - we cannot alloc
|
|
|
|
|
* so efi_get_memory_map() cannot be used, and we must reuse
|
|
|
|
|
* the buffer. For all practical purposes, the headroom in the
|
|
|
|
|
* buffer should account for any changes in the map so the call
|
|
|
|
|
* to get_memory_map() is expected to succeed here.
|
|
|
|
|
*/
|
|
|
|
|
*map->map_size = *map->buff_size;
|
efi/libstub: Rename efi_call_early/_runtime macros to be more intuitive
The macros efi_call_early and efi_call_runtime are used to call EFI
boot services and runtime services, respectively. However, the naming
is confusing, given that the early vs runtime distinction may suggest
that these are used for calling the same set of services either early
or late (== at runtime), while in reality, the sets of services they
can be used with are completely disjoint, and efi_call_runtime is also
only usable in 'early' code.
So do a global sweep to replace all occurrences with efi_bs_call or
efi_rt_call, respectively, where BS and RT match the idiom used by
the UEFI spec to refer to boot time or runtime services.
While at it, use 'func' as the macro parameter name for the function
pointers, which is less likely to collide and cause weird build errors.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Borislav Petkov <bp@alien8.de>
Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191224151025.32482-24-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-12-24 16:10:23 +01:00
|
|
|
status = efi_bs_call(get_memory_map,
|
|
|
|
|
map->map_size,
|
|
|
|
|
*map->map,
|
|
|
|
|
map->key_ptr,
|
|
|
|
|
map->desc_size,
|
|
|
|
|
map->desc_ver);
|
2016-08-29 14:38:52 -06:00
|
|
|
|
|
|
|
|
/* exit_boot_services() was called, thus cannot free */
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
2019-12-24 16:10:19 +01:00
|
|
|
status = priv_func(map, priv);
|
2016-08-29 14:38:52 -06:00
|
|
|
/* exit_boot_services() was called, thus cannot free */
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
efi/libstub: Rename efi_call_early/_runtime macros to be more intuitive
The macros efi_call_early and efi_call_runtime are used to call EFI
boot services and runtime services, respectively. However, the naming
is confusing, given that the early vs runtime distinction may suggest
that these are used for calling the same set of services either early
or late (== at runtime), while in reality, the sets of services they
can be used with are completely disjoint, and efi_call_runtime is also
only usable in 'early' code.
So do a global sweep to replace all occurrences with efi_bs_call or
efi_rt_call, respectively, where BS and RT match the idiom used by
the UEFI spec to refer to boot time or runtime services.
While at it, use 'func' as the macro parameter name for the function
pointers, which is less likely to collide and cause weird build errors.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Borislav Petkov <bp@alien8.de>
Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191224151025.32482-24-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-12-24 16:10:23 +01:00
|
|
|
status = efi_bs_call(exit_boot_services, handle, *map->key_ptr);
|
2016-08-29 14:38:52 -06:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* exit_boot_services() was called, thus cannot free */
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
goto fail;
|
|
|
|
|
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
|
|
|
|
|
free_map:
|
efi/libstub: Rename efi_call_early/_runtime macros to be more intuitive
The macros efi_call_early and efi_call_runtime are used to call EFI
boot services and runtime services, respectively. However, the naming
is confusing, given that the early vs runtime distinction may suggest
that these are used for calling the same set of services either early
or late (== at runtime), while in reality, the sets of services they
can be used with are completely disjoint, and efi_call_runtime is also
only usable in 'early' code.
So do a global sweep to replace all occurrences with efi_bs_call or
efi_rt_call, respectively, where BS and RT match the idiom used by
the UEFI spec to refer to boot time or runtime services.
While at it, use 'func' as the macro parameter name for the function
pointers, which is less likely to collide and cause weird build errors.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Cc: Arvind Sankar <nivedita@alum.mit.edu>
Cc: Borislav Petkov <bp@alien8.de>
Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: https://lkml.kernel.org/r/20191224151025.32482-24-ardb@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2019-12-24 16:10:23 +01:00
|
|
|
efi_bs_call(free_pool, *map->map);
|
2016-08-29 14:38:52 -06:00
|
|
|
fail:
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2019-06-07 13:51:46 -07:00
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* get_efi_config_table() - retrieve UEFI configuration table
|
|
|
|
|
* @guid: GUID of the configuration table to be retrieved
|
|
|
|
|
* Return: pointer to the configuration table or NULL
|
|
|
|
|
*/
|
2019-12-24 16:10:19 +01:00
|
|
|
void *get_efi_config_table(efi_guid_t guid)
|
2019-06-07 13:51:46 -07:00
|
|
|
{
|
2020-04-16 18:38:06 +02:00
|
|
|
unsigned long tables = efi_table_attr(efi_system_table, tables);
|
|
|
|
|
int nr_tables = efi_table_attr(efi_system_table, nr_tables);
|
2019-12-24 16:10:09 +01:00
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < nr_tables; i++) {
|
|
|
|
|
efi_config_table_t *t = (void *)tables;
|
|
|
|
|
|
|
|
|
|
if (efi_guidcmp(t->guid, guid) == 0)
|
2019-12-24 16:10:22 +01:00
|
|
|
return efi_table_attr(t, table);
|
2019-12-24 16:10:09 +01:00
|
|
|
|
|
|
|
|
tables += efi_is_native() ? sizeof(efi_config_table_t)
|
|
|
|
|
: sizeof(efi_config_table_32_t);
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
2019-06-07 13:51:46 -07:00
|
|
|
}
|
2019-12-24 16:10:16 +01:00
|
|
|
|
efi/libstub: Add support for loading the initrd from a device path
There are currently two ways to specify the initrd to be passed to the
Linux kernel when booting via the EFI stub:
- it can be passed as a initrd= command line option when doing a pure PE
boot (as opposed to the EFI handover protocol that exists for x86)
- otherwise, the bootloader or firmware can load the initrd into memory,
and pass the address and size via the bootparams struct (x86) or
device tree (ARM)
In the first case, we are limited to loading from the same file system
that the kernel was loaded from, and it is also problematic in a trusted
boot context, given that we cannot easily protect the command line from
tampering without either adding complicated white/blacklisting of boot
arguments or locking down the command line altogether.
In the second case, we force the bootloader to duplicate knowledge about
the boot protocol which is already encoded in the stub, and which may be
subject to change over time, e.g., bootparams struct definitions, memory
allocation/alignment requirements for the placement of the initrd etc etc.
In the ARM case, it also requires the bootloader to modify the hardware
description provided by the firmware, as it is passed in the same file.
On systems where the initrd is measured after loading, it creates a time
window where the initrd contents might be manipulated in memory before
handing over to the kernel.
Address these concerns by adding support for loading the initrd into
memory by invoking the EFI LoadFile2 protocol installed on a vendor
GUIDed device path that specifically designates a Linux initrd.
This addresses the above concerns, by putting the EFI stub in charge of
placement in memory and of passing the base and size to the kernel proper
(via whatever means it desires) while still leaving it up to the firmware
or bootloader to obtain the file contents, potentially from other file
systems than the one the kernel itself was loaded from. On platforms that
implement measured boot, it permits the firmware to take the measurement
right before the kernel actually consumes the contents.
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-03 23:45:14 +00:00
|
|
|
/*
|
|
|
|
|
* The LINUX_EFI_INITRD_MEDIA_GUID vendor media device path below provides a way
|
|
|
|
|
* for the firmware or bootloader to expose the initrd data directly to the stub
|
|
|
|
|
* via the trivial LoadFile2 protocol, which is defined in the UEFI spec, and is
|
|
|
|
|
* very easy to implement. It is a simple Linux initrd specific conduit between
|
|
|
|
|
* kernel and firmware, allowing us to put the EFI stub (being part of the
|
|
|
|
|
* kernel) in charge of where and when to load the initrd, while leaving it up
|
|
|
|
|
* to the firmware to decide whether it needs to expose its filesystem hierarchy
|
|
|
|
|
* via EFI protocols.
|
|
|
|
|
*/
|
|
|
|
|
static const struct {
|
|
|
|
|
struct efi_vendor_dev_path vendor;
|
|
|
|
|
struct efi_generic_dev_path end;
|
|
|
|
|
} __packed initrd_dev_path = {
|
|
|
|
|
{
|
|
|
|
|
{
|
|
|
|
|
EFI_DEV_MEDIA,
|
|
|
|
|
EFI_DEV_MEDIA_VENDOR,
|
|
|
|
|
sizeof(struct efi_vendor_dev_path),
|
|
|
|
|
},
|
|
|
|
|
LINUX_EFI_INITRD_MEDIA_GUID
|
|
|
|
|
}, {
|
|
|
|
|
EFI_DEV_END_PATH,
|
|
|
|
|
EFI_DEV_END_ENTIRE,
|
|
|
|
|
sizeof(struct efi_generic_dev_path)
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
2020-06-16 01:42:31 +02:00
|
|
|
* efi_load_initrd_dev_path() - load the initrd from the Linux initrd device path
|
efi/libstub: Add support for loading the initrd from a device path
There are currently two ways to specify the initrd to be passed to the
Linux kernel when booting via the EFI stub:
- it can be passed as a initrd= command line option when doing a pure PE
boot (as opposed to the EFI handover protocol that exists for x86)
- otherwise, the bootloader or firmware can load the initrd into memory,
and pass the address and size via the bootparams struct (x86) or
device tree (ARM)
In the first case, we are limited to loading from the same file system
that the kernel was loaded from, and it is also problematic in a trusted
boot context, given that we cannot easily protect the command line from
tampering without either adding complicated white/blacklisting of boot
arguments or locking down the command line altogether.
In the second case, we force the bootloader to duplicate knowledge about
the boot protocol which is already encoded in the stub, and which may be
subject to change over time, e.g., bootparams struct definitions, memory
allocation/alignment requirements for the placement of the initrd etc etc.
In the ARM case, it also requires the bootloader to modify the hardware
description provided by the firmware, as it is passed in the same file.
On systems where the initrd is measured after loading, it creates a time
window where the initrd contents might be manipulated in memory before
handing over to the kernel.
Address these concerns by adding support for loading the initrd into
memory by invoking the EFI LoadFile2 protocol installed on a vendor
GUIDed device path that specifically designates a Linux initrd.
This addresses the above concerns, by putting the EFI stub in charge of
placement in memory and of passing the base and size to the kernel proper
(via whatever means it desires) while still leaving it up to the firmware
or bootloader to obtain the file contents, potentially from other file
systems than the one the kernel itself was loaded from. On platforms that
implement measured boot, it permits the firmware to take the measurement
right before the kernel actually consumes the contents.
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-03 23:45:14 +00:00
|
|
|
* @load_addr: pointer to store the address where the initrd was loaded
|
|
|
|
|
* @load_size: pointer to store the size of the loaded initrd
|
|
|
|
|
* @max: upper limit for the initrd memory allocation
|
2020-06-16 01:42:31 +02:00
|
|
|
*
|
|
|
|
|
* Return:
|
|
|
|
|
* * %EFI_SUCCESS if the initrd was loaded successfully, in which
|
|
|
|
|
* case @load_addr and @load_size are assigned accordingly
|
|
|
|
|
* * %EFI_NOT_FOUND if no LoadFile2 protocol exists on the initrd device path
|
|
|
|
|
* * %EFI_INVALID_PARAMETER if load_addr == NULL or load_size == NULL
|
|
|
|
|
* * %EFI_OUT_OF_RESOURCES if memory allocation failed
|
|
|
|
|
* * %EFI_LOAD_ERROR in all other cases
|
efi/libstub: Add support for loading the initrd from a device path
There are currently two ways to specify the initrd to be passed to the
Linux kernel when booting via the EFI stub:
- it can be passed as a initrd= command line option when doing a pure PE
boot (as opposed to the EFI handover protocol that exists for x86)
- otherwise, the bootloader or firmware can load the initrd into memory,
and pass the address and size via the bootparams struct (x86) or
device tree (ARM)
In the first case, we are limited to loading from the same file system
that the kernel was loaded from, and it is also problematic in a trusted
boot context, given that we cannot easily protect the command line from
tampering without either adding complicated white/blacklisting of boot
arguments or locking down the command line altogether.
In the second case, we force the bootloader to duplicate knowledge about
the boot protocol which is already encoded in the stub, and which may be
subject to change over time, e.g., bootparams struct definitions, memory
allocation/alignment requirements for the placement of the initrd etc etc.
In the ARM case, it also requires the bootloader to modify the hardware
description provided by the firmware, as it is passed in the same file.
On systems where the initrd is measured after loading, it creates a time
window where the initrd contents might be manipulated in memory before
handing over to the kernel.
Address these concerns by adding support for loading the initrd into
memory by invoking the EFI LoadFile2 protocol installed on a vendor
GUIDed device path that specifically designates a Linux initrd.
This addresses the above concerns, by putting the EFI stub in charge of
placement in memory and of passing the base and size to the kernel proper
(via whatever means it desires) while still leaving it up to the firmware
or bootloader to obtain the file contents, potentially from other file
systems than the one the kernel itself was loaded from. On platforms that
implement measured boot, it permits the firmware to take the measurement
right before the kernel actually consumes the contents.
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-03 23:45:14 +00:00
|
|
|
*/
|
2020-04-30 14:28:41 -04:00
|
|
|
static
|
efi/libstub: Add support for loading the initrd from a device path
There are currently two ways to specify the initrd to be passed to the
Linux kernel when booting via the EFI stub:
- it can be passed as a initrd= command line option when doing a pure PE
boot (as opposed to the EFI handover protocol that exists for x86)
- otherwise, the bootloader or firmware can load the initrd into memory,
and pass the address and size via the bootparams struct (x86) or
device tree (ARM)
In the first case, we are limited to loading from the same file system
that the kernel was loaded from, and it is also problematic in a trusted
boot context, given that we cannot easily protect the command line from
tampering without either adding complicated white/blacklisting of boot
arguments or locking down the command line altogether.
In the second case, we force the bootloader to duplicate knowledge about
the boot protocol which is already encoded in the stub, and which may be
subject to change over time, e.g., bootparams struct definitions, memory
allocation/alignment requirements for the placement of the initrd etc etc.
In the ARM case, it also requires the bootloader to modify the hardware
description provided by the firmware, as it is passed in the same file.
On systems where the initrd is measured after loading, it creates a time
window where the initrd contents might be manipulated in memory before
handing over to the kernel.
Address these concerns by adding support for loading the initrd into
memory by invoking the EFI LoadFile2 protocol installed on a vendor
GUIDed device path that specifically designates a Linux initrd.
This addresses the above concerns, by putting the EFI stub in charge of
placement in memory and of passing the base and size to the kernel proper
(via whatever means it desires) while still leaving it up to the firmware
or bootloader to obtain the file contents, potentially from other file
systems than the one the kernel itself was loaded from. On platforms that
implement measured boot, it permits the firmware to take the measurement
right before the kernel actually consumes the contents.
Acked-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
2020-02-03 23:45:14 +00:00
|
|
|
efi_status_t efi_load_initrd_dev_path(unsigned long *load_addr,
|
|
|
|
|
unsigned long *load_size,
|
|
|
|
|
unsigned long max)
|
|
|
|
|
{
|
|
|
|
|
efi_guid_t lf2_proto_guid = EFI_LOAD_FILE2_PROTOCOL_GUID;
|
|
|
|
|
efi_device_path_protocol_t *dp;
|
|
|
|
|
efi_load_file2_protocol_t *lf2;
|
|
|
|
|
unsigned long initrd_addr;
|
|
|
|
|
unsigned long initrd_size;
|
|
|
|
|
efi_handle_t handle;
|
|
|
|
|
efi_status_t status;
|
|
|
|
|
|
|
|
|
|
dp = (efi_device_path_protocol_t *)&initrd_dev_path;
|
|
|
|
|
status = efi_bs_call(locate_device_path, &lf2_proto_guid, &dp, &handle);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
status = efi_bs_call(handle_protocol, handle, &lf2_proto_guid,
|
|
|
|
|
(void **)&lf2);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
status = efi_call_proto(lf2, load_file, dp, false, &initrd_size, NULL);
|
|
|
|
|
if (status != EFI_BUFFER_TOO_SMALL)
|
|
|
|
|
return EFI_LOAD_ERROR;
|
|
|
|
|
|
|
|
|
|
status = efi_allocate_pages(initrd_size, &initrd_addr, max);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
status = efi_call_proto(lf2, load_file, dp, false, &initrd_size,
|
|
|
|
|
(void *)initrd_addr);
|
|
|
|
|
if (status != EFI_SUCCESS) {
|
|
|
|
|
efi_free(initrd_size, initrd_addr);
|
|
|
|
|
return EFI_LOAD_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*load_addr = initrd_addr;
|
|
|
|
|
*load_size = initrd_size;
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
2020-04-30 14:28:41 -04:00
|
|
|
|
|
|
|
|
static
|
|
|
|
|
efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
|
|
|
|
|
unsigned long *load_addr,
|
|
|
|
|
unsigned long *load_size,
|
|
|
|
|
unsigned long soft_limit,
|
|
|
|
|
unsigned long hard_limit)
|
|
|
|
|
{
|
|
|
|
|
if (!IS_ENABLED(CONFIG_EFI_GENERIC_STUB_INITRD_CMDLINE_LOADER) ||
|
|
|
|
|
(IS_ENABLED(CONFIG_X86) && (!efi_is_native() || image == NULL))) {
|
|
|
|
|
*load_addr = *load_size = 0;
|
|
|
|
|
return EFI_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return handle_cmdline_files(image, L"initrd=", sizeof(L"initrd=") - 2,
|
|
|
|
|
soft_limit, hard_limit,
|
|
|
|
|
load_addr, load_size);
|
|
|
|
|
}
|
|
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_load_initrd() - Load initial RAM disk
|
|
|
|
|
* @image: EFI loaded image protocol
|
|
|
|
|
* @load_addr: pointer to loaded initrd
|
|
|
|
|
* @load_size: size of loaded initrd
|
|
|
|
|
* @soft_limit: preferred size of allocated memory for loading the initrd
|
|
|
|
|
* @hard_limit: minimum size of allocated memory
|
|
|
|
|
*
|
|
|
|
|
* Return: status code
|
|
|
|
|
*/
|
2020-04-30 14:28:41 -04:00
|
|
|
efi_status_t efi_load_initrd(efi_loaded_image_t *image,
|
|
|
|
|
unsigned long *load_addr,
|
|
|
|
|
unsigned long *load_size,
|
|
|
|
|
unsigned long soft_limit,
|
|
|
|
|
unsigned long hard_limit)
|
|
|
|
|
{
|
|
|
|
|
efi_status_t status;
|
|
|
|
|
|
|
|
|
|
if (!load_addr || !load_size)
|
|
|
|
|
return EFI_INVALID_PARAMETER;
|
|
|
|
|
|
|
|
|
|
status = efi_load_initrd_dev_path(load_addr, load_size, hard_limit);
|
|
|
|
|
if (status == EFI_SUCCESS) {
|
|
|
|
|
efi_info("Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path\n");
|
|
|
|
|
} else if (status == EFI_NOT_FOUND) {
|
|
|
|
|
status = efi_load_initrd_cmdline(image, load_addr, load_size,
|
|
|
|
|
soft_limit, hard_limit);
|
|
|
|
|
if (status == EFI_SUCCESS && *load_size > 0)
|
|
|
|
|
efi_info("Loaded initrd from command line option\n");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|
2020-05-18 15:07:11 -04:00
|
|
|
|
2020-06-16 01:42:31 +02:00
|
|
|
/**
|
|
|
|
|
* efi_wait_for_key() - Wait for key stroke
|
|
|
|
|
* @usec: number of microseconds to wait for key stroke
|
|
|
|
|
* @key: key entered
|
|
|
|
|
*
|
|
|
|
|
* Wait for up to @usec microseconds for a key stroke.
|
|
|
|
|
*
|
|
|
|
|
* Return: status code, EFI_SUCCESS if key received
|
|
|
|
|
*/
|
2020-05-18 15:07:11 -04:00
|
|
|
efi_status_t efi_wait_for_key(unsigned long usec, efi_input_key_t *key)
|
|
|
|
|
{
|
|
|
|
|
efi_event_t events[2], timer;
|
|
|
|
|
unsigned long index;
|
|
|
|
|
efi_simple_text_input_protocol_t *con_in;
|
|
|
|
|
efi_status_t status;
|
|
|
|
|
|
|
|
|
|
con_in = efi_table_attr(efi_system_table, con_in);
|
|
|
|
|
if (!con_in)
|
|
|
|
|
return EFI_UNSUPPORTED;
|
|
|
|
|
efi_set_event_at(events, 0, efi_table_attr(con_in, wait_for_key));
|
|
|
|
|
|
|
|
|
|
status = efi_bs_call(create_event, EFI_EVT_TIMER, 0, NULL, NULL, &timer);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
|
|
|
|
|
|
|
|
|
status = efi_bs_call(set_timer, timer, EfiTimerRelative,
|
|
|
|
|
EFI_100NSEC_PER_USEC * usec);
|
|
|
|
|
if (status != EFI_SUCCESS)
|
|
|
|
|
return status;
|
|
|
|
|
efi_set_event_at(events, 1, timer);
|
|
|
|
|
|
|
|
|
|
status = efi_bs_call(wait_for_event, 2, events, &index);
|
|
|
|
|
if (status == EFI_SUCCESS) {
|
|
|
|
|
if (index == 0)
|
|
|
|
|
status = efi_call_proto(con_in, read_keystroke, key);
|
|
|
|
|
else
|
|
|
|
|
status = EFI_TIMEOUT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
efi_bs_call(close_event, timer);
|
|
|
|
|
|
|
|
|
|
return status;
|
|
|
|
|
}
|