Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

efi: Apply allowlist to EFI configuration tables when running under Xen

As it turns out, Xen does not guarantee that EFI boot services data
regions in memory are preserved, which means that EFI configuration
tables pointing into such memory regions may be corrupted before the
dom0 OS has had a chance to inspect them.

This is causing problems for Qubes OS when it attempts to perform system
firmware updates, which requires that the contents of the EFI System
Resource Table are valid when the fwupd userspace program runs.

However, other configuration tables such as the memory attributes table
or the runtime properties table are equally affected, and so we need a
comprehensive workaround that works for any table type.

So when running under Xen, check the EFI memory descriptor covering the
start of the table, and disregard the table if it does not reside in
memory that is preserved by Xen.

Co-developed-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

authored by Demi Marie Obenour and committed by Ard Biesheuvel
c0fecaa4 aca1d27a

+45 -3
+10 -3
drivers/firmware/efi/efi.c
··· 589 589 int i; 590 590 591 591 for (i = 0; efi_guidcmp(table_types[i].guid, NULL_GUID); i++) { 592 - if (!efi_guidcmp(*guid, table_types[i].guid)) { 593 - *(table_types[i].ptr) = table; 592 + if (efi_guidcmp(*guid, table_types[i].guid)) 593 + continue; 594 + 595 + if (!efi_config_table_is_usable(guid, table)) { 594 596 if (table_types[i].name[0]) 595 - pr_cont("%s=0x%lx ", 597 + pr_cont("(%s=0x%lx unusable) ", 596 598 table_types[i].name, table); 597 599 return 1; 598 600 } 601 + 602 + *(table_types[i].ptr) = table; 603 + if (table_types[i].name[0]) 604 + pr_cont("%s=0x%lx ", table_types[i].name, table); 605 + return 1; 599 606 } 600 607 601 608 return 0;
+25
drivers/xen/efi.c
··· 328 328 329 329 return 0; 330 330 } 331 + 332 + bool __init xen_efi_config_table_is_usable(const efi_guid_t *guid, 333 + unsigned long table) 334 + { 335 + efi_memory_desc_t md; 336 + int rc; 337 + 338 + if (!efi_enabled(EFI_PARAVIRT)) 339 + return true; 340 + 341 + rc = efi_mem_desc_lookup(table, &md); 342 + if (rc) 343 + return false; 344 + 345 + switch (md.type) { 346 + case EFI_RUNTIME_SERVICES_CODE: 347 + case EFI_RUNTIME_SERVICES_DATA: 348 + case EFI_ACPI_RECLAIM_MEMORY: 349 + case EFI_ACPI_MEMORY_NVS: 350 + case EFI_RESERVED_TYPE: 351 + return true; 352 + default: 353 + return false; 354 + } 355 + }
+10
include/linux/efi.h
··· 1322 1322 /* Header of a populated EFI secret area */ 1323 1323 #define EFI_SECRET_TABLE_HEADER_GUID EFI_GUID(0x1e74f542, 0x71dd, 0x4d66, 0x96, 0x3e, 0xef, 0x42, 0x87, 0xff, 0x17, 0x3b) 1324 1324 1325 + bool xen_efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table); 1326 + 1327 + static inline 1328 + bool efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table) 1329 + { 1330 + if (!IS_ENABLED(CONFIG_XEN_EFI)) 1331 + return true; 1332 + return xen_efi_config_table_is_usable(guid, table); 1333 + } 1334 + 1325 1335 #endif /* _LINUX_EFI_H */
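Review bot: In the drivers/firmware/efi/efi.c hunk, the new `!efi_config_table_is_usable(guid, table)` branch reports the rejection only when `table_types[i].name[0]` is non-empty, so a matched table with an empty name is discarded with no trace in the boot log. Because the unusable path returns before `*(table_types[i].ptr) = table` runs, later code sees the table as absent; consider logging the rejection unconditionally, for example by printing the GUID when there is no name. The `return 1` on the unusable path would also benefit from a one-line comment saying the entry is deliberately treated as handled.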
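Review bot: In the drivers/xen/efi.c hunk, `efi_mem_desc_lookup(table, &md)` is given only the table's start address, so the allowlist in `switch (md.type)` is applied to the descriptor covering the first byte and says nothing about a table that extends past the end of that descriptor. That matches the commit message, but the function carries no comment stating it, and none explaining why these five memory types are the ones treated as preserved under Xen; a short comment above `xen_efi_config_table_is_usable()` would cover both. The `guid` argument is also unused in the body, which is worth a note if it is kept for future per-table handling.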
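Review bot: In the include/linux/efi.h hunk, `efi_config_table_is_usable()` is a plain `static inline` with no comment, while the function it forwards to is defined `__init` in drivers/xen/efi.c, so nothing at this declaration tells a caller that the check is only meant for early boot. Add a brief comment above the wrapper stating that it is init-only and that a `false` result means the table must be ignored.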