From patchwork Thu Sep 10 15:41:39 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 53385
Return-Path: <patchwork-forward+bncBDYNJBOFRECBBJGKY2XQKGQEE5GGG6Y@linaro.org>
X-Original-To: linaro@patches.linaro.org
Delivered-To: linaro@patches.linaro.org
Received: from mail-lb0-f197.google.com (mail-lb0-f197.google.com
 [209.85.217.197])
 by patches.linaro.org (Postfix) with ESMTPS id D44B722B19
 for <linaro@patches.linaro.org>; Thu, 10 Sep 2015 15:43:33 +0000 (UTC)
Received: by lbbmp1 with SMTP id mp1sf15413965lbb.2
 for <linaro@patches.linaro.org>; Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:delivered-to:from:to:subject:date:message-id
 :in-reply-to:references:precedence:list-id:list-unsubscribe
 :list-archive:list-post:list-help:list-subscribe:cc:mime-version
 :content-type:content-transfer-encoding:sender:errors-to
 :x-original-sender:x-original-authentication-results:mailing-list;
 bh=lZByFrpjxBThrVmjslEkbtqSpDqEBf/tpjvHg9+yE9I=;
 b=g2B4EAEa9Cqs+qf54EMnzOR8y+eOCd+PDtytT/RSFsNeQLJ5FfFT6wqyOOsUdrsf6l
 iFOlXBJfcsG2PZd5eCdaPj2OIIoxm5ePAtcvjycTRgssuJfFlcsvWFHF8Zkap47vrF/d
 cU3MOzfnfWQJKoh5wFD/oXMD+KyvqgUI0x5iMoJvnWl8rWkl3rCjPyPuuMQqHAJ5zayB
 R/XDqfflopKs5WSxycreG/1yZbuaUB5JMFxUYGT05OFTFhK0WE6t7NKPFdEtl5mfFwqn
 eYk2ChqZ0iJc62FJHrLd735CRff/UfWVVGE+5mYY/DRXoIe3k7dxImtT6ZGZPcOcroWM
 K+wA==
X-Gm-Message-State: ALoCoQmpceUuG2/xN2iIg59U/DaKVWNdPOdgcQAzsFFyCs4HgL/tltd6ktO4UICW7yF95z8zyG/D
X-Received: by 10.112.198.33 with SMTP id iz1mr9618043lbc.8.1441899812813;
 Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
X-BeenThere: patchwork-forward@linaro.org
Received: by 10.152.7.146 with SMTP id j18ls216358laa.44.gmail; Thu, 10 Sep
 2015 08:43:32 -0700 (PDT)
X-Received: by 10.112.36.196 with SMTP id s4mr37010343lbj.59.1441899812661; 
 Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
Received: from mail-la0-f47.google.com (mail-la0-f47.google.com.
 [209.85.215.47]) by mx.google.com with ESMTPS id
 y10si1455234lay.136.2015.09.10.08.43.32
 for <patchwork-forward@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.47 as permitted sender) client-ip=209.85.215.47; 
Received: by lagj9 with SMTP id j9so31172981lag.2
 for <patchwork-forward@linaro.org>;
 Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
X-Received: by 10.112.235.130 with SMTP id um2mr36795999lbc.72.1441899812219; 
 Thu, 10 Sep 2015 08:43:32 -0700 (PDT)
X-Forwarded-To: patchwork-forward@linaro.org
X-Forwarded-For: patch@linaro.org patchwork-forward@linaro.org
Delivered-To: patch@linaro.org
Received: by 10.112.59.35 with SMTP id w3csp1053637lbq;
 Thu, 10 Sep 2015 08:43:30 -0700 (PDT)
X-Received: by 10.68.88.69 with SMTP id be5mr84674180pbb.105.1441899810736; 
 Thu, 10 Sep 2015 08:43:30 -0700 (PDT)
Received: from bombadil.infradead.org (bombadil.infradead.org.
 [2001:1868:205::9]) by mx.google.com with ESMTPS id
 ev3si7486410pbc.67.2015.09.10.08.43.29 for <patch@linaro.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 10 Sep 2015 08:43:30 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org
 designates 2001:1868:205::9 as permitted sender)
 client-ip=2001:1868:205::9; 
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
 by bombadil.infradead.org with esmtp (Exim 4.80.1 #2 (Red Hat Linux))
 id 1Za3zL-00015D-Hc; Thu, 10 Sep 2015 15:42:15 +0000
Received: from mail-wi0-f170.google.com ([209.85.212.170])
 by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat
 Linux)) id 1Za3zI-00010H-Kl for linux-arm-kernel@lists.infradead.org;
 Thu, 10 Sep 2015 15:42:13 +0000
Received: by wicfx3 with SMTP id fx3so33178976wic.1
 for <linux-arm-kernel@lists.infradead.org>;
 Thu, 10 Sep 2015 08:41:51 -0700 (PDT)
X-Received: by 10.180.186.98 with SMTP id fj2mr7746780wic.58.1441899710943; 
 Thu, 10 Sep 2015 08:41:50 -0700 (PDT)
Received: from localhost.localdomain (cag06-7-83-153-85-71.fbx.proxad.net.
 [83.153.85.71]) by smtp.gmail.com with ESMTPSA id
 bi6sm16303895wjc.25.2015.09.10.08.41.49
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
 Thu, 10 Sep 2015 08:41:50 -0700 (PDT)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-efi@vger.kernel.org, matt.fleming@intel.com,
 linux-arm-kernel@lists.infradead.org, mark.rutland@arm.com,
 msalter@redhat.com
Subject: [PATCH v3] arm64/efi: don't pad between EFI_MEMORY_RUNTIME regions
Date: Thu, 10 Sep 2015 17:41:39 +0200
Message-Id: <1441899699-14893-1-git-send-email-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1441782414-16284-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1441782414-16284-1-git-send-email-ard.biesheuvel@linaro.org>
X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3
X-CRM114-CacheID: sfid-20150910_084212_833347_CF615D4E
X-CRM114-Status: GOOD (  22.33  )
X-Spam-Score: -2.6 (--)
X-Spam-Report: SpamAssassin version 3.4.0 on bombadil.infradead.org summary:
 Content analysis details:   (-2.6 points)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/,
 low trust [209.85.212.170 listed in list.dnswl.org]
 -0.0 RCVD_IN_MSPIKE_H3      RBL: Good reputation (+3)
 [209.85.212.170 listed in wl.mailspike.net]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -1.9 BAYES_00               BODY: Bayes spam probability is 0 to 1%
 [score: 0.0000]
 -0.0 RCVD_IN_MSPIKE_WL      Mailspike good senders
X-BeenThere: linux-arm-kernel@lists.infradead.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: <patchwork-forward.linaro.org>
List-Unsubscribe: <mailto:googlegroups-manage+836684582541+unsubscribe@googlegroups.com>, 
 <http://groups.google.com/a/linaro.org/group/patchwork-forward/subscribe>
List-Archive: <http://groups.google.com/a/linaro.org/group/patchwork-forward/>
List-Post: <http://groups.google.com/a/linaro.org/group/patchwork-forward/post>, 
 <mailto:patchwork-forward@linaro.org>
List-Help: <http://support.google.com/a/linaro.org/bin/topic.py?topic=25838>, 
 <mailto:patchwork-forward+help@linaro.org>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/linux-arm-kernel>, 
 <mailto:linux-arm-kernel-request@lists.infradead.org?subject=subscribe>
Cc: catalin.marinas@arm.com, will.deacon@arm.com,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>
MIME-Version: 1.0
Sender: "linux-arm-kernel" <linux-arm-kernel-bounces@lists.infradead.org>
Errors-To: linux-arm-kernel-bounces+patch=linaro.org@lists.infradead.org
X-Removed-Original-Auth: Dkim didn't pass.
X-Original-Sender: ard.biesheuvel@linaro.org
X-Original-Authentication-Results: mx.google.com; spf=pass (google.com:
 domain of
 patch+caf_=patchwork-forward=linaro.org@linaro.org designates
 209.85.215.47 as permitted sender)
 smtp.mailfrom=patch+caf_=patchwork-forward=linaro.org@linaro.org
Mailing-list: list patchwork-forward@linaro.org;
 contact patchwork-forward+owners@linaro.org
X-Google-Group-Id: 836684582541

The new Properties Table feature introduced in UEFIv2.5 may split
memory regions that cover PE/COFF memory images into separate code
and data regions. Since these regions only differ in the type (runtime
code vs runtime data) and the permission bits, but not in the memory
type attributes (UC/WC/WT/WB), the spec does not require them to be
aligned to 64 KB.

Since the relative offset of PE/COFF .text and .data segments cannot
be changed on the fly, this means that we can no longer pad out those
regions to be mappable using 64 KB pages.
Unfortunately, there is no annotation in the UEFI memory map that
identifies data regions that were split off from a code region, so we
must apply this logic to all adjacent runtime regions whose attributes
only differ in the permission bits.

So instead of rounding each memory region to 64 KB alignment at both
ends, only round down regions that are not directly preceded by another
runtime region with the same type attributes. Since the UEFI spec does
not mandate that the memory map be sorted, this means we also need to
sort it first.

Note that this change will result in all EFI_MEMORY_RUNTIME regions whose
start addresses are not aligned to the OS page size to be mapped with
executable permissions (i.e., on kernels compiled with 64 KB pages).
However, since these mappings are only active during the time that UEFI
Runtime Services are being invoked, the window for abuse is rather small.

Tested-by: Mark Salter <msalter@redhat.com>
Reviewed-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Tested-by: Mark Rutland <mark.rutland@arm.com> [UEFI 2.4 only]
---
Changes since v2:
- break down complex if() condition into helper functions to test for adjacency
  and compatible memory types
- update commit log to emphasize that this patch may result in data regions to
  be mapped with exec permissions on 64k pages kernels.
- no functional changes

Changes since v1:
- Ensure that we don't inadvertently set the XN bit on the preceding region at
  mapping time if we the OS is running with >4 KB pages.

 arch/arm64/kernel/efi.c                 |  3 +-
 drivers/firmware/efi/libstub/arm-stub.c | 88 ++++++++++++++++----
 2 files changed, 75 insertions(+), 16 deletions(-)

diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
index e8ca6eaedd02..13671a9cf016 100644
--- a/arch/arm64/kernel/efi.c
+++ b/arch/arm64/kernel/efi.c
@@ -258,7 +258,8 @@ static bool __init efi_virtmap_init(void)
 		 */
 		if (!is_normal_ram(md))
 			prot = __pgprot(PROT_DEVICE_nGnRE);
-		else if (md->type == EFI_RUNTIME_SERVICES_CODE)
+		else if (md->type == EFI_RUNTIME_SERVICES_CODE ||
+			 !PAGE_ALIGNED(md->phys_addr))
 			prot = PAGE_KERNEL_EXEC;
 		else
 			prot = PAGE_KERNEL;
diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index e29560e6b40b..950c87f5d279 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -13,6 +13,7 @@
  */
 
 #include <linux/efi.h>
+#include <linux/sort.h>
 #include <asm/efi.h>
 
 #include "efistub.h"
@@ -305,6 +306,44 @@ fail:
  */
 #define EFI_RT_VIRTUAL_BASE	0x40000000
 
+static int cmp_mem_desc(const void *l, const void *r)
+{
+	const efi_memory_desc_t *left = l, *right = r;
+
+	return (left->phys_addr > right->phys_addr) ? 1 : -1;
+}
+
+/*
+ * Returns whether region @left ends exactly where region @right starts,
+ * or false if either argument is NULL.
+ */
+static bool regions_are_adjacent(efi_memory_desc_t *left,
+				 efi_memory_desc_t *right)
+{
+	u64 left_end;
+
+	if (left == NULL || right == NULL)
+		return false;
+
+	left_end = left->phys_addr + left->num_pages * EFI_PAGE_SIZE;
+
+	return left_end == right->phys_addr;
+}
+
+/*
+ * Returns whether region @left and region @right have compatible memory type
+ * mapping attributes, and are both EFI_MEMORY_RUNTIME regions.
+ */
+static bool regions_have_compatible_memory_type_attrs(efi_memory_desc_t *left,
+						      efi_memory_desc_t *right)
+{
+	static const u64 mem_type_mask = EFI_MEMORY_WB | EFI_MEMORY_WT |
+					 EFI_MEMORY_WC | EFI_MEMORY_UC |
+					 EFI_MEMORY_RUNTIME;
+
+	return ((left->attribute ^ right->attribute) & mem_type_mask) == 0;
+}
+
 /*
  * efi_get_virtmap() - create a virtual mapping for the EFI memory map
  *
@@ -317,33 +356,52 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size,
 		     int *count)
 {
 	u64 efi_virt_base = EFI_RT_VIRTUAL_BASE;
-	efi_memory_desc_t *out = runtime_map;
+	efi_memory_desc_t *in, *prev = NULL, *out = runtime_map;
 	int l;
 
-	for (l = 0; l < map_size; l += desc_size) {
-		efi_memory_desc_t *in = (void *)memory_map + l;
+	/*
+	 * To work around potential issues with the Properties Table feature
+	 * introduced in UEFI 2.5, which may split PE/COFF executable images
+	 * in memory into several RuntimeServicesCode and RuntimeServicesData
+	 * regions, we need to preserve the relative offsets between adjacent
+	 * EFI_MEMORY_RUNTIME regions with the same memory type attributes.
+	 * The easiest way to find adjacent regions is to sort the memory map
+	 * before traversing it.
+	 */
+	sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL);
+
+	for (l = 0; l < map_size; l += desc_size, prev = in) {
 		u64 paddr, size;
 
+		in = (void *)memory_map + l;
 		if (!(in->attribute & EFI_MEMORY_RUNTIME))
 			continue;
 
+		paddr = in->phys_addr;
+		size = in->num_pages * EFI_PAGE_SIZE;
+
 		/*
 		 * Make the mapping compatible with 64k pages: this allows
 		 * a 4k page size kernel to kexec a 64k page size kernel and
 		 * vice versa.
 		 */
-		paddr = round_down(in->phys_addr, SZ_64K);
-		size = round_up(in->num_pages * EFI_PAGE_SIZE +
-				in->phys_addr - paddr, SZ_64K);
-
-		/*
-		 * Avoid wasting memory on PTEs by choosing a virtual base that
-		 * is compatible with section mappings if this region has the
-		 * appropriate size and physical alignment. (Sections are 2 MB
-		 * on 4k granule kernels)
-		 */
-		if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
-			efi_virt_base = round_up(efi_virt_base, SZ_2M);
+		if (!regions_are_adjacent(prev, in) ||
+		    !regions_have_compatible_memory_type_attrs(prev, in)) {
+
+			paddr = round_down(in->phys_addr, SZ_64K);
+			size += in->phys_addr - paddr;
+
+			/*
+			 * Avoid wasting memory on PTEs by choosing a virtual
+			 * base that is compatible with section mappings if this
+			 * region has the appropriate size and physical
+			 * alignment. (Sections are 2 MB on 4k granule kernels)
+			 */
+			if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
+				efi_virt_base = round_up(efi_virt_base, SZ_2M);
+			else
+				efi_virt_base = round_up(efi_virt_base, SZ_64K);
+		}
 
 		in->virt_addr = efi_virt_base + in->phys_addr - paddr;
 		efi_virt_base += size;