From patchwork Wed Feb 19 09:43:37 2020
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 206561
From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Russell King, Marc Zyngier, Nicolas Pitre, Catalin Marinas, Tony Lindgren
Subject: [PATCH v2 1/4] efi/arm: work around missing cache maintenance in decompressor handover
Date: Wed, 19 Feb 2020 10:43:37 +0100
Message-Id: <20200219094340.16597-2-ardb@kernel.org>
In-Reply-To: <20200219094340.16597-1-ardb@kernel.org>

The EFI stub executes within the context of the zImage as it was
loaded by the firmware, which means it is treated as an ordinary
PE/COFF executable, which is loaded into memory, and cleaned to the
PoU to ensure that it can be executed safely while the MMU and caches
are on.

When the EFI stub hands over to the decompressor, we clean the caches
by set/way and disable the MMU and D-cache, to comply with the Linux
boot protocol for ARM. However, cache maintenance by set/way is not
sufficient to ensure that subsequent instruction fetches and data
accesses done with the MMU off see the correct data. This means that
proceeding as we do currently is not safe, especially since we also
perform data accesses with the MMU off, from a literal pool as well as
the stack.

So let's kick this can down the road a bit, and jump into the
relocated zImage before disabling the caches. This removes the
requirement to perform any by-VA cache maintenance on the original
PE/COFF executable, but it does require that the relocated zImage is
cleaned to the PoC, which is currently not the case. This will be
addressed in a subsequent patch.

Signed-off-by: Ard Biesheuvel
---
 arch/arm/boot/compressed/head.S | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S index 088b0a060876..6c98d3d2de2f 100644 --- a/arch/arm/boot/compressed/head.S +++ b/arch/arm/boot/compressed/head.S @@ -1461,6 +1461,19 @@ ENTRY(efi_stub_entry) @ Preserve return value of efi_entry() in r4 mov r4, r0 bl cache_clean_flush + + @ The PE/COFF loader might not have cleaned the code we are + @ running beyond the PoU, and so calling cache_off below from + @ inside the PE/COFF loader allocated region is unsafe. Let's + @ assume our own zImage relocation code did a better job, and + @ jump into its version of this routine before proceeding. + ldr r0, [sp] @ relocated zImage + ldr r1, 0f + sub r1, r0, r1 + mov pc, r1 @ no mode switch + .align 2 +0: .long start - (. + 4) + bl cache_off @ Set parameters for booting zImage according to boot protocol 
@@ -1469,12 +1482,7 @@ ENTRY(efi_stub_entry) mov r0, #0 mov r1, #0xFFFFFFFF mov r2, r4 - - @ Branch to (possibly) relocated zImage that is in [sp] - ldr lr, [sp] - ldr ip, =start_offset - add lr, lr, ip - mov pc, lr @ no mode switch + b __efi_start efi_load_fail: @ Return EFI_LOAD_ERROR to EFI firmware on error.

From patchwork Wed Feb 19 09:43:39 2020
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 206560

From: Ard Biesheuvel
To: linux-efi@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, Ard Biesheuvel, Russell King, Marc Zyngier, Nicolas Pitre, Catalin Marinas, Tony Lindgren
Subject: [PATCH v2 3/4] ARM: decompressor: prepare cache_clean_flush for doing by-VA maintenance
Date: Wed, 19 Feb 2020 10:43:39 +0100
Message-Id: <20200219094340.16597-4-ardb@kernel.org>
In-Reply-To: <20200219094340.16597-1-ardb@kernel.org>

In preparation for turning the decompressor's cache clean/flush
operations into proper by-VA maintenance for v7 cores, pass the start
and end addresses of the regions that need cache maintenance into
cache_clean_flush in registers r0 and r1.

Currently, all implementations of cache_clean_flush ignore these
values, so no functional change is expected as a result of this patch.

Signed-off-by: Ard Biesheuvel
---
 arch/arm/boot/compressed/head.S | 21 ++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S index c11b1b0a3ac6..5060a623e0d7 100644 --- a/arch/arm/boot/compressed/head.S +++ b/arch/arm/boot/compressed/head.S
@@ -498,6 +498,7 @@ dtb_check_done: bic r9, r9, #31 @ ... of 32 bytes add r6, r9, r5 add r9, r9, r10 + stmdb sp!, {r9 - r10} @ preserve target region address #ifdef DEBUG sub r10, r6, r5 @@ -521,6 +522,8 @@ dtb_check_done: /* Preserve offset to relocated code. */ sub r6, r9, r6 + ldr r1, [sp], #4 @ end of target region + ldr r0, [sp], #4 @ start of target region #ifndef CONFIG_ZBOOT_ROM /* cache_clean_flush may use the stack, so relocate it */ add sp, sp, r6 @@ -622,6 +625,21 @@ not_relocated: mov r0, #0 add r2, sp, #0x10000 @ 64k max mov r3, r7 bl decompress_kernel + + mov r0, r4 @ base of inflated image + adr r1, LC0 @ actual LC0 + ldr r2, [r1] @ linktime LC0 + sub r2, r1, r2 @ LC0 delta + ldr r1, [r1, #16] @ link time inflated size offset + ldr r1, [r1, r2] @ actual inflated size (LE) +#ifdef __ARMEB__ + /* convert to big endian */ + eor r2, r1, r1, ror #16 + bic r2, r2, #0x00ff0000 + mov r1, r1, ror #8 + eor r1, r1, r2, lsr #8 +#endif + add r1, r1, r0 @ end of inflated image bl cache_clean_flush bl cache_off @@ -1173,6 +1191,9 @@ __armv7_mmu_cache_off: /* * Clean and flush the cache to maintain consistency. * + * On entry, + * r0 = start address + * r1 = end address (exclusive) * On exit, * r1, r2, r3, r9, r10, r11, r12 corrupted * This routine must preserve:
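
Review bot: the new comment in efi_stub_entry (patch 1/4, hunk @@ -1461,6 +1461,19 @@) says "Let's assume our own zImage relocation code did a better job", but the commit message states that the relocated zImage is currently not cleaned to the PoC and that a subsequent patch addresses this. Say so in the comment, or order the series so that the fix comes first; otherwise a bisect that lands on this commit runs with an assumption the commit message itself says does not hold yet. Separately, `.long start - (. + 4)` only resolves to the `bl cache_off` while that instruction directly follows the literal; a local label on the `bl cache_off`, used in the expression instead of `. + 4`, would keep the target correct if anything is ever inserted between the two.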
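
Review bot: `b __efi_start` (patch 1/4, hunk @@ -1469,12 +1482,7 @@) is missing a comment explaining that this PC-relative branch reaches the relocated copy only because the earlier hunk has already moved execution there with `mov pc, r1`; the removed comment "Branch to (possibly) relocated zImage that is in [sp]" documented the handover and nothing replaces it. Also, `start_offset` loses the user shown here, and the six deletions in the diffstat are all accounted for by this hunk, so its definition is still present; if this was the only reference, drop the definition in the same patch.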
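
Review bot: the push in hunk @@ -498,6 +498,7 @@ and the two pops in hunk @@ -521,6 +522,8 @@ (patch 3/4) agree on which word is the start and which is the end only through the stmdb register ordering, and the push comment "preserve target region address" does not say that r9 holds the end and r10 the start. State that at the `stmdb sp!, {r9 - r10}` so the pop order (`ldr r1` first for the end, then `ldr r0` for the start) can be checked without working out the stack layout. A word on why the values are spilled rather than kept in registers would help too, since the reason is not visible in either hunk.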
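
Review bot: `ldr r1, [r1, r2]` in hunk @@ -622,6 +625,21 @@ (patch 3/4) reads the inflated size with a word load, which assumes the field is 4-byte aligned, and nothing in the hunk establishes that. If the alignment is not guaranteed, assemble the value from four `ldrb` loads, which also makes the `#ifdef __ARMEB__` swap unnecessary. The `#16` index into LC0 is a bare constant as well; a comment naming the LC0 entry it selects, or a symbolic offset, would keep this from silently breaking when LC0 is reordered.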
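
Review bot: the new "On entry" contract in hunk @@ -1173,6 +1191,9 @@ (patch 3/4) is not met by every caller on this page: the efi_stub_entry call shown in patch 1/4 reaches `bl cache_clean_flush` with r0 still holding the efi_entry() return value and r1 not set up, and the 21 insertions of this patch do not touch that call site. That is harmless while the arguments are ignored, but the call needs a range (or the commit message needs to say which patch in the series supplies one) before any implementation starts using r0 and r1. The "On exit" list should also say whether r0 is preserved or corrupted now that it is an input.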