[go: up one dir, main page]
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * Extensible Firmware Interface
4 *
5 * Based on Extensible Firmware Interface Specification version 2.4
6 *
7 * Copyright (C) 2013, 2014 Linaro Ltd.
8 */
9
10#include <linux/efi.h>
11#include <linux/init.h>
12#include <linux/kmemleak.h>
13#include <linux/kthread.h>
14#include <linux/screen_info.h>
15#include <linux/vmalloc.h>
16
17#include <asm/efi.h>
18#include <asm/stacktrace.h>
19#include <asm/vmap_stack.h>
20
21static bool region_is_misaligned(const efi_memory_desc_t *md)
22{
23 if (PAGE_SIZE == EFI_PAGE_SIZE)
24 return false;
25 return !PAGE_ALIGNED(md->phys_addr) ||
26 !PAGE_ALIGNED(md->num_pages << EFI_PAGE_SHIFT);
27}
28
29/*
30 * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be
31 * executable, everything else can be mapped with the XN bits
32 * set. Also take the new (optional) RO/XP bits into account.
33 */
34static __init ptdesc_t create_mapping_protection(efi_memory_desc_t *md)
35{
36 u64 attr = md->attribute;
37 u32 type = md->type;
38
39 if (type == EFI_MEMORY_MAPPED_IO) {
40 pgprot_t prot = __pgprot(PROT_DEVICE_nGnRE);
41
42 if (arm64_is_protected_mmio(md->phys_addr,
43 md->num_pages << EFI_PAGE_SHIFT))
44 prot = pgprot_encrypted(prot);
45 else
46 prot = pgprot_decrypted(prot);
47 return pgprot_val(prot);
48 }
49
50 if (region_is_misaligned(md)) {
51 static bool __initdata code_is_misaligned;
52
53 /*
54 * Regions that are not aligned to the OS page size cannot be
55 * mapped with strict permissions, as those might interfere
56 * with the permissions that are needed by the adjacent
57 * region's mapping. However, if we haven't encountered any
58 * misaligned runtime code regions so far, we can safely use
59 * non-executable permissions for non-code regions.
60 */
61 code_is_misaligned |= (type == EFI_RUNTIME_SERVICES_CODE);
62
63 return code_is_misaligned ? pgprot_val(PAGE_KERNEL_EXEC)
64 : pgprot_val(PAGE_KERNEL);
65 }
66
67 /* R-- */
68 if ((attr & (EFI_MEMORY_XP | EFI_MEMORY_RO)) ==
69 (EFI_MEMORY_XP | EFI_MEMORY_RO))
70 return pgprot_val(PAGE_KERNEL_RO);
71
72 /* R-X */
73 if (attr & EFI_MEMORY_RO)
74 return pgprot_val(PAGE_KERNEL_ROX);
75
76 /* RW- */
77 if (((attr & (EFI_MEMORY_RP | EFI_MEMORY_WP | EFI_MEMORY_XP)) ==
78 EFI_MEMORY_XP) ||
79 type != EFI_RUNTIME_SERVICES_CODE)
80 return pgprot_val(PAGE_KERNEL);
81
82 /* RWX */
83 return pgprot_val(PAGE_KERNEL_EXEC);
84}
85
86int __init efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md)
87{
88 ptdesc_t prot_val = create_mapping_protection(md);
89 bool page_mappings_only = (md->type == EFI_RUNTIME_SERVICES_CODE ||
90 md->type == EFI_RUNTIME_SERVICES_DATA);
91
92 /*
93 * If this region is not aligned to the page size used by the OS, the
94 * mapping will be rounded outwards, and may end up sharing a page
95 * frame with an adjacent runtime memory region. Given that the page
96 * table descriptor covering the shared page will be rewritten when the
97 * adjacent region gets mapped, we must avoid block mappings here so we
98 * don't have to worry about splitting them when that happens.
99 */
100 if (region_is_misaligned(md))
101 page_mappings_only = true;
102
103 create_pgd_mapping(mm, md->phys_addr, md->virt_addr,
104 md->num_pages << EFI_PAGE_SHIFT,
105 __pgprot(prot_val | PTE_NG), page_mappings_only);
106 return 0;
107}
108
109struct set_perm_data {
110 const efi_memory_desc_t *md;
111 bool has_bti;
112};
113
114static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data)
115{
116 struct set_perm_data *spd = data;
117 const efi_memory_desc_t *md = spd->md;
118 pte_t pte = __ptep_get(ptep);
119
120 if (md->attribute & EFI_MEMORY_RO)
121 pte = set_pte_bit(pte, __pgprot(PTE_RDONLY));
122 if (md->attribute & EFI_MEMORY_XP)
123 pte = set_pte_bit(pte, __pgprot(PTE_PXN));
124 else if (system_supports_bti_kernel() && spd->has_bti)
125 pte = set_pte_bit(pte, __pgprot(PTE_GP));
126 __set_pte(ptep, pte);
127 return 0;
128}
129
130int __init efi_set_mapping_permissions(struct mm_struct *mm,
131 efi_memory_desc_t *md,
132 bool has_bti)
133{
134 struct set_perm_data data = { md, has_bti };
135
136 BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE &&
137 md->type != EFI_RUNTIME_SERVICES_DATA);
138
139 if (region_is_misaligned(md))
140 return 0;
141
142 /*
143 * Calling apply_to_page_range() is only safe on regions that are
144 * guaranteed to be mapped down to pages. Since we are only called
145 * for regions that have been mapped using efi_create_mapping() above
146 * (and this is checked by the generic Memory Attributes table parsing
147 * routines), there is no need to check that again here.
148 */
149 return apply_to_page_range(mm, address: md->virt_addr,
150 size: md->num_pages << EFI_PAGE_SHIFT,
151 fn: set_permissions, data: &data);
152}
153
154/*
155 * UpdateCapsule() depends on the system being shutdown via
156 * ResetSystem().
157 */
158bool efi_poweroff_required(void)
159{
160 return efi_enabled(EFI_RUNTIME_SERVICES);
161}
162
163asmlinkage efi_status_t efi_handle_corrupted_x18(efi_status_t s, const char *f)
164{
165 pr_err_ratelimited(FW_BUG "register x18 corrupted by EFI %s\n", f);
166 return s;
167}
168
169void arch_efi_call_virt_setup(void)
170{
171 efi_runtime_assert_lock_held();
172
173 if (preemptible() && (current->flags & PF_KTHREAD)) {
174 /*
175 * Disable migration to ensure that a preempted EFI runtime
176 * service call will be resumed on the same CPU. This avoids
177 * potential issues with EFI runtime calls that are preempted
178 * while polling for an asynchronous completion of a secure
179 * firmware call, which may not permit the CPU to change.
180 */
181 migrate_disable();
182 kthread_use_mm(mm: &efi_mm);
183 } else {
184 efi_virtmap_load();
185 }
186
187 /*
188 * Enable access to the valid TTBR0_EL1 and invoke the errata
189 * workaround directly since there is no return from exception when
190 * invoking the EFI run-time services.
191 */
192 uaccess_ttbr0_enable();
193 post_ttbr_update_workaround();
194
195 __efi_fpsimd_begin();
196}
197
198void arch_efi_call_virt_teardown(void)
199{
200 __efi_fpsimd_end();
201
202 /*
203 * Defer the switch to the current thread's TTBR0_EL1 until
204 * uaccess_enable(). Do so before efi_virtmap_unload() updates the
205 * saved TTBR0 value, so the userland page tables are not activated
206 * inadvertently over the back of an exception.
207 */
208 uaccess_ttbr0_disable();
209
210 if (preemptible() && (current->flags & PF_KTHREAD)) {
211 kthread_unuse_mm(mm: &efi_mm);
212 migrate_enable();
213 } else {
214 efi_virtmap_unload();
215 }
216}
217
218asmlinkage u64 *efi_rt_stack_top __ro_after_init;
219
220asmlinkage efi_status_t __efi_rt_asm_recover(void);
221
222bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
223{
224 /* Check whether the exception occurred while running the firmware */
225 if (!current_in_efi() || regs->pc >= TASK_SIZE_64)
226 return false;
227
228 pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n", msg);
229 add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
230 clear_bit(EFI_RUNTIME_SERVICES, addr: &efi.flags);
231
232 regs->regs[0] = EFI_ABORTED;
233 regs->regs[30] = efi_rt_stack_top[-1];
234 regs->pc = (u64)__efi_rt_asm_recover;
235
236 if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK))
237 regs->regs[18] = efi_rt_stack_top[-2];
238
239 return true;
240}
241
242/* EFI requires 8 KiB of stack space for runtime services */
243static_assert(THREAD_SIZE >= SZ_8K);
244
245static int __init arm64_efi_rt_init(void)
246{
247 void *p;
248
249 if (!efi_enabled(EFI_RUNTIME_SERVICES))
250 return 0;
251
252 p = arch_alloc_vmap_stack(THREAD_SIZE, NUMA_NO_NODE);
253 if (!p) {
254 pr_warn("Failed to allocate EFI runtime stack\n");
255 clear_bit(EFI_RUNTIME_SERVICES, addr: &efi.flags);
256 return -ENOMEM;
257 }
258
259 kmemleak_not_leak(ptr: p);
260 efi_rt_stack_top = p + THREAD_SIZE;
261 return 0;
262}
263core_initcall(arm64_efi_rt_init);
264

source code of linux/arch/arm64/kernel/efi.c