From patchwork Fri Mar 24 13:24:07 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 95934 Delivered-To: patch@linaro.org
From: Ard Biesheuvel To: linux-efi@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, matt@codeblueprint.co.uk, leif.lindholm@linaro.org, rfranz@cavium.com, mingo@kernel.org, bp@alien8.de, mark.rutland@arm.com, kernel-hardening@lists.openwall.com, Ard Biesheuvel Subject: [PATCH 1/4] efi/libstub: fix harmless command line parsing bug Date: Fri, 24 Mar 2017 13:24:07 +0000 Message-Id: <20170324132410.16628-2-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170324132410.16628-1-ard.biesheuvel@linaro.org> References: <20170324132410.16628-1-ard.biesheuvel@linaro.org> Sender: linux-efi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-efi@vger.kernel.org When we parse the 'efi=' command line parameter in the stub, we fail to take spaces into account. Currently, the only way this could result in unexpected behavior is when the string 'nochunk' appears as a separate command line argument after 'efi=xxx,yyy,zzz ', so this is harmless in practice. But let's fix it nonetheless. Cc: Matt Fleming Signed-off-by: Ard Biesheuvel --- drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.9.3 -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 919822b7773d..3290fae0b38f 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c 
@@ -436,14 +436,14 @@ efi_status_t efi_parse_options(char *cmdline) * Remember, because efi= is also used by the kernel we need to * skip over arguments we don't understand. */ - while (*str) { + while (*str && *str != ' ') { if (!strncmp(str, "nochunk", 7)) { str += strlen("nochunk"); __chunk_size = -1UL; } /* Group words together, delimited by "," */ - while (*str && *str != ',') + while (*str && *str != ' ' && *str != ',') str++; if (*str == ',')
From patchwork Fri Mar 24 13:24:08 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 95936 Delivered-To: patch@linaro.org
From: Ard Biesheuvel To: linux-efi@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, matt@codeblueprint.co.uk, leif.lindholm@linaro.org, rfranz@cavium.com, mingo@kernel.org, bp@alien8.de, mark.rutland@arm.com, kernel-hardening@lists.openwall.com, Ard Biesheuvel Subject: [PATCH 2/4] efi/libstub: unify command line param parsing Date: Fri, 24 Mar 2017 13:24:08 +0000 Message-Id: <20170324132410.16628-3-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170324132410.16628-1-ard.biesheuvel@linaro.org> References: <20170324132410.16628-1-ard.biesheuvel@linaro.org> Merge the parsing of the command line carried out in arm-stub.c with the handling in efi_parse_options. Note that this also fixes the missing handling of CONFIG_CMDLINE_FORCE=y, in which case the builtin command line should supersede the one passed by the firmware. Cc: Matt Fleming Signed-off-by: Ard Biesheuvel --- drivers/firmware/efi/libstub/arm-stub.c | 14 ------------ drivers/firmware/efi/libstub/arm64-stub.c | 4 +--- drivers/firmware/efi/libstub/efi-stub-helper.c | 23 +++++++++++++------- drivers/firmware/efi/libstub/efistub.h | 2 ++ include/linux/efi.h | 2 +- 5 files changed, 19 insertions(+), 26 deletions(-) -- 2.9.3 diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index 02049ff25c6b..fcd34057dc1c 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c @@ -18,8 +18,6 @@ #include "efistub.h" -bool __nokaslr; - efi_status_t efi_open_volume(efi_system_table_t *sys_table_arg, void *__image, void **__fh) { 
@@ -153,18 +151,6 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, goto fail; } - /* check whether 'nokaslr' was passed on the command line */ - if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { - static const u8 default_cmdline[] = CONFIG_CMDLINE; - const u8 *str, *cmdline = cmdline_ptr; - - if (IS_ENABLED(CONFIG_CMDLINE_FORCE)) - cmdline = default_cmdline; - str = strstr(cmdline, "nokaslr"); - if (str == cmdline || (str > cmdline && *(str - 1) == ' ')) - __nokaslr = true; - } - si = setup_graphics(sys_table); status = handle_kernel_image(sys_table, image_addr, &image_size, diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c index eae693eb3e91..b4c2589d7c91 100644 --- a/drivers/firmware/efi/libstub/arm64-stub.c +++ b/drivers/firmware/efi/libstub/arm64-stub.c @@ -16,8 +16,6 @@ #include "efistub.h" -extern bool __nokaslr; - efi_status_t check_platform_features(efi_system_table_t *sys_table_arg) { u64 tg; @@ -52,7 +50,7 @@ efi_status_t handle_kernel_image(efi_system_table_t *sys_table_arg, u64 phys_seed = 0; if (IS_ENABLED(CONFIG_RANDOMIZE_BASE)) { - if (!__nokaslr) { + if (!nokaslr()) { status = efi_get_random_bytes(sys_table_arg, sizeof(phys_seed), (u8 *)&phys_seed); diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 3290fae0b38f..1575b566cd4a 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c @@ -32,6 +32,13 @@ static unsigned long __chunk_size = EFI_READ_CHUNK_SIZE; +static int __section(.data) __nokaslr; + +int __pure nokaslr(void) +{ + return __nokaslr; +} + #define EFI_MMAP_NR_SLACK_SLOTS 8 struct file_info { 
@@ -409,17 +416,17 @@ static efi_status_t efi_file_close(void *handle) * environments, first in the early boot environment of the EFI boot * stub, and subsequently during the kernel boot. */ -efi_status_t efi_parse_options(char *cmdline) +efi_status_t efi_parse_options(char const *cmdline) { + static const char default_cmdline[] = CONFIG_CMDLINE; char *str; - /* - * Currently, the only efi= option we look for is 'nochunk', which - * is intended to work around known issues on certain x86 UEFI - * versions. So ignore for now on other architectures. - */ - if (!IS_ENABLED(CONFIG_X86)) - return EFI_SUCCESS; + if (IS_ENABLED(CONFIG_CMDLINE_FORCE)) + cmdline = default_cmdline; + + str = strstr(cmdline, "nokaslr"); + if (str == cmdline || (str && str > cmdline && *(str - 1) == ' ')) + __nokaslr = 1; /* * If no EFI parameters were specified on the cmdline we've got diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index 71c4d0e3c4ed..a7a2a2c3f199 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h @@ -24,6 +24,8 @@ #define EFI_ALLOC_ALIGN EFI_PAGE_SIZE #endif +extern int __pure nokaslr(void); + void efi_char16_printk(efi_system_table_t *, efi_char16_t *); efi_status_t efi_open_volume(efi_system_table_t *sys_table_arg, void *__image, diff --git a/include/linux/efi.h b/include/linux/efi.h index 94d34e0be24f..e485e87615d1 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
@@ -1471,7 +1471,7 @@ efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg, unsigned long *load_addr, unsigned long *load_size); -efi_status_t efi_parse_options(char *cmdline); +efi_status_t efi_parse_options(char const *cmdline); efi_status_t efi_setup_gop(efi_system_table_t *sys_table_arg, struct screen_info *si, efi_guid_t *proto,
From patchwork Fri Mar 24 13:24:09 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 95935 Delivered-To: patch@linaro.org
From: Ard Biesheuvel To: linux-efi@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, matt@codeblueprint.co.uk, leif.lindholm@linaro.org, rfranz@cavium.com, mingo@kernel.org, bp@alien8.de, mark.rutland@arm.com, kernel-hardening@lists.openwall.com, Ard Biesheuvel Subject: [PATCH 3/4] efi/libstub: arm/arm64: disable debug prints on 'quiet' cmdline arg Date: Fri, 24 Mar 2017 13:24:09 +0000 Message-Id: <20170324132410.16628-4-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170324132410.16628-1-ard.biesheuvel@linaro.org> References: <20170324132410.16628-1-ard.biesheuvel@linaro.org> The EFI stub currently prints a number of diagnostic messages that do not carry a lot of information. Since these prints are not controlled by 'loglevel' or other command line parameters, and since they appear on the EFI framebuffer as well (if enabled), it would be nice if we could turn them off. So let's add support for the 'quiet' command line parameter in the stub, and disable the non-error prints if it is passed. Cc: Matt Fleming Signed-off-by: Ard Biesheuvel --- This was previously sent out as a separate patch. The difference is that this version looks for 'quiet' rather than 'efi=debug', and preserves the noisy console as the default. drivers/firmware/efi/libstub/arm-stub.c | 12 ++++++------ drivers/firmware/efi/libstub/arm32-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 9 +++++++++ drivers/firmware/efi/libstub/efistub.h | 7 +++++++ drivers/firmware/efi/libstub/secureboot.c | 2 ++ include/linux/efi.h | 3 --- 6 files changed, 26 insertions(+), 9 deletions(-) -- 2.9.3 Acked-by: Mark Rutland 
diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index fcd34057dc1c..6f522e3091af 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c @@ -116,8 +116,6 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; - pr_efi(sys_table, "Booting Linux Kernel...\n"); - status = check_platform_features(sys_table); if (status != EFI_SUCCESS) goto fail; @@ -151,6 +149,12 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, goto fail; } + status = efi_parse_options(cmdline_ptr); + if (status != EFI_SUCCESS) + pr_efi_err(sys_table, "Failed to parse EFI cmdline options\n"); + + pr_efi(sys_table, "Booting Linux Kernel...\n"); + si = setup_graphics(sys_table); status = handle_kernel_image(sys_table, image_addr, &image_size, @@ -162,10 +166,6 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, goto fail_free_cmdline; } - status = efi_parse_options(cmdline_ptr); - if (status != EFI_SUCCESS) - pr_efi_err(sys_table, "Failed to parse EFI cmdline options\n"); - secure_boot = efi_get_secureboot(sys_table); /* diff --git a/drivers/firmware/efi/libstub/arm32-stub.c b/drivers/firmware/efi/libstub/arm32-stub.c index 18a8b5eb55e7..becbda445913 100644 --- a/drivers/firmware/efi/libstub/arm32-stub.c +++ b/drivers/firmware/efi/libstub/arm32-stub.c @@ -9,6 +9,8 @@ #include #include +#include "efistub.h" + efi_status_t check_platform_features(efi_system_table_t *sys_table_arg) { int block; diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c index 1575b566cd4a..93685f79f9e8 100644 --- a/drivers/firmware/efi/libstub/efi-stub-helper.c +++ b/drivers/firmware/efi/libstub/efi-stub-helper.c 
@@ -33,11 +33,16 @@ static unsigned long __chunk_size = EFI_READ_CHUNK_SIZE; static int __section(.data) __nokaslr; +static int __section(.data) __quiet; int __pure nokaslr(void) { return __nokaslr; } +int __pure is_quiet(void) +{ + return __quiet; +} #define EFI_MMAP_NR_SLACK_SLOTS 8 @@ -428,6 +433,10 @@ efi_status_t efi_parse_options(char const *cmdline) if (str == cmdline || (str && str > cmdline && *(str - 1) == ' ')) __nokaslr = 1; + str = strstr(cmdline, "quiet"); + if (str == cmdline || (str && str > cmdline && *(str - 1) == ' ')) + __quiet = 1; + /* * If no EFI parameters were specified on the cmdline we've got * nothing to do. diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h index a7a2a2c3f199..83f268c05007 100644 --- a/drivers/firmware/efi/libstub/efistub.h +++ b/drivers/firmware/efi/libstub/efistub.h @@ -25,6 +25,13 @@ #endif extern int __pure nokaslr(void); +extern int __pure is_quiet(void); + +#define pr_efi(sys_table, msg) do { \ + if (!is_quiet()) efi_printk(sys_table, "EFI stub: "msg); \ +} while (0) + +#define pr_efi_err(sys_table, msg) efi_printk(sys_table, "EFI stub: ERROR: "msg) void efi_char16_printk(efi_system_table_t *, efi_char16_t *); diff --git a/drivers/firmware/efi/libstub/secureboot.c b/drivers/firmware/efi/libstub/secureboot.c index 5da36e56b36a..8c34d50a4d80 100644 --- a/drivers/firmware/efi/libstub/secureboot.c +++ b/drivers/firmware/efi/libstub/secureboot.c @@ -12,6 +12,8 @@ #include #include +#include "efistub.h" + /* BIOS variables */ static const efi_guid_t efi_variable_guid = EFI_GLOBAL_VARIABLE_GUID; static const efi_char16_t const efi_SecureBoot_name[] = { diff --git a/include/linux/efi.h b/include/linux/efi.h index e485e87615d1..ec36f42a2add 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h 
@@ -1435,9 +1435,6 @@ static inline int efi_runtime_map_copy(void *buf, size_t bufsz) /* prototypes shared between arch specific and generic stub code */ -#define pr_efi(sys_table, msg) efi_printk(sys_table, "EFI stub: "msg) -#define pr_efi_err(sys_table, msg) efi_printk(sys_table, "EFI stub: ERROR: "msg) - void efi_printk(efi_system_table_t *sys_table_arg, char *str); void efi_free(efi_system_table_t *sys_table_arg, unsigned long size,
From patchwork Fri Mar 24 13:24:10 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 95937 Delivered-To: patch@linaro.org
From: Ard Biesheuvel To: linux-efi@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, matt@codeblueprint.co.uk, leif.lindholm@linaro.org, rfranz@cavium.com, mingo@kernel.org, bp@alien8.de, mark.rutland@arm.com, kernel-hardening@lists.openwall.com, Ard Biesheuvel Subject: [PATCH 4/4] ef/libstub: arm/arm64: randomize the base of the UEFI rt services region Date: Fri, 24 Mar 2017 13:24:10 +0000 Message-Id: <20170324132410.16628-5-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.9.3 In-Reply-To: <20170324132410.16628-1-ard.biesheuvel@linaro.org> References: <20170324132410.16628-1-ard.biesheuvel@linaro.org> Update the allocation logic for the virtual mapping of the UEFI runtime services to start from a randomized base address if KASLR is in effect, and if the UEFI firmware exposes an implementation of EFI_RNG_PROTOCOL. This makes it more difficult to predict the location of exploitable data structures in the runtime UEFI firmware, which increases robustness against attacks. Note that these regions are only mapped during the time a runtime service call is in progress, and only on a single CPU at a time, but given the lack of a downside, let's enable it nonetheless. Cc: Ingo Molnar Cc: Borislav Petkov Cc: Matt Fleming Signed-off-by: Ard Biesheuvel --- drivers/firmware/efi/libstub/arm-stub.c | 48 ++++++++++++++------ 1 file changed, 35 insertions(+), 13 deletions(-) -- 2.9.3 diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index 6f522e3091af..eb5225884098 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c 
@@ -18,6 +18,22 @@ #include "efistub.h" +/* + * This is the base address at which to start allocating virtual memory ranges + * for UEFI Runtime Services. This is in the low TTBR0 range so that we can use + * any allocation we choose, and eliminate the risk of a conflict after kexec. + * The value chosen is the largest non-zero power of 2 suitable for this purpose + * both on 32-bit and 64-bit ARM CPUs, to maximize the likelihood that it can + * be mapped efficiently. + * Since 32-bit ARM could potentially execute with a 1G/3G user/kernel split, + * map everything below 1 GB. (512 MB is a reasonable upper bound for the + * entire footprint of the UEFI runtime services memory regions) + */ +#define EFI_RT_VIRTUAL_BASE SZ_512M +#define EFI_RT_VIRTUAL_SIZE SZ_512M + +static u64 efi_virt_base = EFI_RT_VIRTUAL_BASE; + efi_status_t efi_open_volume(efi_system_table_t *sys_table_arg, void *__image, void **__fh) { @@ -209,6 +225,25 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, efi_random_get_seed(sys_table); + if (IS_ENABLED(CONFIG_RANDOMIZE_BASE) && !nokaslr()) { + /* + * Randomize the base of the UEFI runtime services region. + * Preserve the 2 MB alignment of the region by taking a + * shift of 21 bit positions into account when scaling + * the headroom value using a 32-bit random value. + */ + u64 headroom = TASK_SIZE - EFI_RT_VIRTUAL_BASE - + EFI_RT_VIRTUAL_SIZE; + u32 rnd; + + status = efi_get_random_bytes(sys_table, sizeof(rnd), + (u8 *)&rnd); + if (status == EFI_SUCCESS) { + efi_virt_base = EFI_RT_VIRTUAL_BASE + + (((headroom >> 21) * rnd) >> (32 - 21)); + } + } + new_fdt_addr = fdt_addr; status = allocate_new_fdt_and_exit_boot(sys_table, handle, &new_fdt_addr, efi_get_max_fdt_addr(dram_base), 
@@ -238,18 +273,6 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table, return EFI_ERROR; } -/* - * This is the base address at which to start allocating virtual memory ranges - * for UEFI Runtime Services. This is in the low TTBR0 range so that we can use - * any allocation we choose, and eliminate the risk of a conflict after kexec. - * The value chosen is the largest non-zero power of 2 suitable for this purpose - * both on 32-bit and 64-bit ARM CPUs, to maximize the likelihood that it can - * be mapped efficiently. - * Since 32-bit ARM could potentially execute with a 1G/3G user/kernel split, - * map everything below 1 GB. - */ -#define EFI_RT_VIRTUAL_BASE SZ_512M - static int cmp_mem_desc(const void *l, const void *r) { const efi_memory_desc_t *left = l, *right = r; @@ -299,7 +322,6 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size, unsigned long desc_size, efi_memory_desc_t *runtime_map, int *count) { - u64 efi_virt_base = EFI_RT_VIRTUAL_BASE; efi_memory_desc_t *in, *prev = NULL, *out = runtime_map; int l;
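
Review bot: in the efi_parse_options() loop of patch 1/4, both new conditions stop only on a literal ' ', so an 'efi=' value that is followed by a tab or other whitespace is still scanned past its end. Consider a whitespace test in place of *str != ' ' in the outer while and in the inner word-skipping loop, so the two stay in step. The literal 7 in the strncmp() context line could also become strlen("nochunk") to match the line after it.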
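
Review bot: removing the 'nokaslr' check ahead of handle_kernel_image() in efi_entry() (patch 2/4, arm-stub.c, hunk at -153,18) leaves nokaslr() reading __nokaslr before anything has set it, because the context in patch 3/4 shows efi_parse_options() still being called after handle_kernel_image() until that patch moves it up. With only patches 1 and 2 applied, 'nokaslr' on the command line would not stop handle_kernel_image() in arm64-stub.c from calling efi_get_random_bytes(). Moving the efi_parse_options() call in this patch rather than in 3/4 keeps the series bisectable.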
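
Review bot: dropping the early return "if (!IS_ENABLED(CONFIG_X86)) return EFI_SUCCESS;" from efi_parse_options() (patch 2/4, efi-stub-helper.c, hunk at -409,17) means the 'efi=' scan and 'nochunk' now run on every architecture, which the commit message does not mention and which the removed comment described as an x86-only workaround. Either keep the guard after the new 'nokaslr' test or state in the changelog that 'efi=nochunk' is now honoured elsewhere. The same hunk also makes CONFIG_CMDLINE_FORCE apply to the 'efi=' options, which deserves a comment next to the cmdline = default_cmdline assignment.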
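
Review bot: the strstr() test added for 'quiet' in efi_parse_options() (patch 3/4, efi-stub-helper.c, hunk at -428,6), like the 'nokaslr' test shown above it, checks only the character before the match and only the first occurrence. A word that merely starts with 'quiet' sets __quiet, and a real 'quiet' that follows an earlier embedded match is missed. A small helper that walks the space-separated words and compares whole tokens would cover both options and remove the duplicated condition.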
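
Review bot: the offset expression added to efi_entry() (patch 4/4, hunk at -209,6), (((headroom >> 21) * rnd) >> (32 - 21)), does not clear the low 21 bits of the result, so efi_virt_base is not guaranteed to be 2 MB aligned even though the comment above it says the alignment is preserved. If alignment is required at this point, shift right by 32 and then left by 21; if a later round-up takes care of it, the comment should say so instead. A failed efi_get_random_bytes() also falls back to EFI_RT_VIRTUAL_BASE silently, which may deserve a pr_efi() line.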