1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * Extensible Firmware Interface |
4 | * |
5 | * Based on Extensible Firmware Interface Specification version 2.4 |
6 | * |
7 | * Copyright (C) 2013, 2014 Linaro Ltd. |
8 | */ |
9 | |
10 | #include <linux/efi.h> |
11 | #include <linux/init.h> |
12 | #include <linux/screen_info.h> |
13 | |
14 | #include <asm/efi.h> |
15 | #include <asm/stacktrace.h> |
16 | |
17 | static bool region_is_misaligned(const efi_memory_desc_t *md) |
18 | { |
19 | if (PAGE_SIZE == EFI_PAGE_SIZE) |
20 | return false; |
21 | return !PAGE_ALIGNED(md->phys_addr) || |
22 | !PAGE_ALIGNED(md->num_pages << EFI_PAGE_SHIFT); |
23 | } |
24 | |
25 | /* |
26 | * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be |
27 | * executable, everything else can be mapped with the XN bits |
28 | * set. Also take the new (optional) RO/XP bits into account. |
29 | */ |
30 | static __init pteval_t create_mapping_protection(efi_memory_desc_t *md) |
31 | { |
32 | u64 attr = md->attribute; |
33 | u32 type = md->type; |
34 | |
35 | if (type == EFI_MEMORY_MAPPED_IO) |
36 | return PROT_DEVICE_nGnRE; |
37 | |
38 | if (region_is_misaligned(md)) { |
39 | static bool __initdata code_is_misaligned; |
40 | |
41 | /* |
42 | * Regions that are not aligned to the OS page size cannot be |
43 | * mapped with strict permissions, as those might interfere |
44 | * with the permissions that are needed by the adjacent |
45 | * region's mapping. However, if we haven't encountered any |
46 | * misaligned runtime code regions so far, we can safely use |
47 | * non-executable permissions for non-code regions. |
48 | */ |
49 | code_is_misaligned |= (type == EFI_RUNTIME_SERVICES_CODE); |
50 | |
51 | return code_is_misaligned ? pgprot_val(PAGE_KERNEL_EXEC) |
52 | : pgprot_val(PAGE_KERNEL); |
53 | } |
54 | |
55 | /* R-- */ |
56 | if ((attr & (EFI_MEMORY_XP | EFI_MEMORY_RO)) == |
57 | (EFI_MEMORY_XP | EFI_MEMORY_RO)) |
58 | return pgprot_val(PAGE_KERNEL_RO); |
59 | |
60 | /* R-X */ |
61 | if (attr & EFI_MEMORY_RO) |
62 | return pgprot_val(PAGE_KERNEL_ROX); |
63 | |
64 | /* RW- */ |
65 | if (((attr & (EFI_MEMORY_RP | EFI_MEMORY_WP | EFI_MEMORY_XP)) == |
66 | EFI_MEMORY_XP) || |
67 | type != EFI_RUNTIME_SERVICES_CODE) |
68 | return pgprot_val(PAGE_KERNEL); |
69 | |
70 | /* RWX */ |
71 | return pgprot_val(PAGE_KERNEL_EXEC); |
72 | } |
73 | |
74 | int __init efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md) |
75 | { |
76 | pteval_t prot_val = create_mapping_protection(md); |
77 | bool page_mappings_only = (md->type == EFI_RUNTIME_SERVICES_CODE || |
78 | md->type == EFI_RUNTIME_SERVICES_DATA); |
79 | |
80 | /* |
81 | * If this region is not aligned to the page size used by the OS, the |
82 | * mapping will be rounded outwards, and may end up sharing a page |
83 | * frame with an adjacent runtime memory region. Given that the page |
84 | * table descriptor covering the shared page will be rewritten when the |
85 | * adjacent region gets mapped, we must avoid block mappings here so we |
86 | * don't have to worry about splitting them when that happens. |
87 | */ |
88 | if (region_is_misaligned(md)) |
89 | page_mappings_only = true; |
90 | |
91 | create_pgd_mapping(mm, md->phys_addr, md->virt_addr, |
92 | md->num_pages << EFI_PAGE_SHIFT, |
93 | __pgprot(prot_val | PTE_NG), page_mappings_only); |
94 | return 0; |
95 | } |
96 | |
97 | struct set_perm_data { |
98 | const efi_memory_desc_t *md; |
99 | bool has_bti; |
100 | }; |
101 | |
102 | static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data) |
103 | { |
104 | struct set_perm_data *spd = data; |
105 | const efi_memory_desc_t *md = spd->md; |
106 | pte_t pte = __ptep_get(ptep); |
107 | |
108 | if (md->attribute & EFI_MEMORY_RO) |
109 | pte = set_pte_bit(pte, __pgprot(PTE_RDONLY)); |
110 | if (md->attribute & EFI_MEMORY_XP) |
111 | pte = set_pte_bit(pte, __pgprot(PTE_PXN)); |
112 | else if (system_supports_bti_kernel() && spd->has_bti) |
113 | pte = set_pte_bit(pte, __pgprot(PTE_GP)); |
114 | __set_pte(ptep, pte); |
115 | return 0; |
116 | } |
117 | |
118 | int __init efi_set_mapping_permissions(struct mm_struct *mm, |
119 | efi_memory_desc_t *md, |
120 | bool has_bti) |
121 | { |
122 | struct set_perm_data data = { md, has_bti }; |
123 | |
124 | BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE && |
125 | md->type != EFI_RUNTIME_SERVICES_DATA); |
126 | |
127 | if (region_is_misaligned(md)) |
128 | return 0; |
129 | |
130 | /* |
131 | * Calling apply_to_page_range() is only safe on regions that are |
132 | * guaranteed to be mapped down to pages. Since we are only called |
133 | * for regions that have been mapped using efi_create_mapping() above |
134 | * (and this is checked by the generic Memory Attributes table parsing |
135 | * routines), there is no need to check that again here. |
136 | */ |
137 | return apply_to_page_range(mm, address: md->virt_addr, |
138 | size: md->num_pages << EFI_PAGE_SHIFT, |
139 | fn: set_permissions, data: &data); |
140 | } |
141 | |
142 | /* |
143 | * UpdateCapsule() depends on the system being shutdown via |
144 | * ResetSystem(). |
145 | */ |
146 | bool efi_poweroff_required(void) |
147 | { |
148 | return efi_enabled(EFI_RUNTIME_SERVICES); |
149 | } |
150 | |
151 | asmlinkage efi_status_t efi_handle_corrupted_x18(efi_status_t s, const char *f) |
152 | { |
153 | pr_err_ratelimited(FW_BUG "register x18 corrupted by EFI %s\n" , f); |
154 | return s; |
155 | } |
156 | |
157 | static DEFINE_RAW_SPINLOCK(efi_rt_lock); |
158 | |
159 | void arch_efi_call_virt_setup(void) |
160 | { |
161 | efi_virtmap_load(); |
162 | __efi_fpsimd_begin(); |
163 | raw_spin_lock(&efi_rt_lock); |
164 | } |
165 | |
166 | void arch_efi_call_virt_teardown(void) |
167 | { |
168 | raw_spin_unlock(&efi_rt_lock); |
169 | __efi_fpsimd_end(); |
170 | efi_virtmap_unload(); |
171 | } |
172 | |
173 | asmlinkage u64 *efi_rt_stack_top __ro_after_init; |
174 | |
175 | asmlinkage efi_status_t __efi_rt_asm_recover(void); |
176 | |
177 | bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg) |
178 | { |
179 | /* Check whether the exception occurred while running the firmware */ |
180 | if (!current_in_efi() || regs->pc >= TASK_SIZE_64) |
181 | return false; |
182 | |
183 | pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n" , msg); |
184 | add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); |
185 | clear_bit(EFI_RUNTIME_SERVICES, addr: &efi.flags); |
186 | |
187 | regs->regs[0] = EFI_ABORTED; |
188 | regs->regs[30] = efi_rt_stack_top[-1]; |
189 | regs->pc = (u64)__efi_rt_asm_recover; |
190 | |
191 | if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK)) |
192 | regs->regs[18] = efi_rt_stack_top[-2]; |
193 | |
194 | return true; |
195 | } |
196 | |
197 | /* EFI requires 8 KiB of stack space for runtime services */ |
198 | static_assert(THREAD_SIZE >= SZ_8K); |
199 | |
200 | static int __init arm64_efi_rt_init(void) |
201 | { |
202 | void *p; |
203 | |
204 | if (!efi_enabled(EFI_RUNTIME_SERVICES)) |
205 | return 0; |
206 | |
207 | p = __vmalloc_node(THREAD_SIZE, THREAD_ALIGN, GFP_KERNEL, |
208 | NUMA_NO_NODE, &&l); |
209 | l: if (!p) { |
210 | pr_warn("Failed to allocate EFI runtime stack\n" ); |
211 | clear_bit(EFI_RUNTIME_SERVICES, addr: &efi.flags); |
212 | return -ENOMEM; |
213 | } |
214 | |
215 | efi_rt_stack_top = p + THREAD_SIZE; |
216 | return 0; |
217 | } |
218 | core_initcall(arm64_efi_rt_init); |
219 | |