From: Leif Lindholm <leif.lindholm@linaro.org>
To: linux-arm-kernel@lists.infradead.org, linux-efi@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	Leif Lindholm <leif.lindholm@linaro.org>,
	Catalin Marinas <catalin.marinas@arm.com>,
	Matt Fleming <matt.fleming@intel.com>
Subject: [PATCH v3 10/10] efi/arm64: ignore dtb= when UEFI SecureBoot is enabled
Date: Fri,  4 Apr 2014 19:45:13 +0100	[thread overview]
Message-ID: <1396637113-22790-11-git-send-email-leif.lindholm@linaro.org> (raw)
In-Reply-To: <1396637113-22790-1-git-send-email-leif.lindholm@linaro.org>

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Loading unauthenticated FDT blobs directly from storage is a security hazard,
so this should only be allowed when running with UEFI Secure Boot disabled.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Matt Fleming <matt.fleming@intel.com>
---
 drivers/firmware/efi/arm-stub.c        |   15 +++++++++++----
 drivers/firmware/efi/efi-stub-helper.c |   24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/efi/arm-stub.c b/drivers/firmware/efi/arm-stub.c
index b9b7c00..c8988b2 100644
--- a/drivers/firmware/efi/arm-stub.c
+++ b/drivers/firmware/efi/arm-stub.c
@@ -145,7 +145,7 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 	/* addr/point and size pairs for memory management*/
 	unsigned long initrd_addr;
 	u64 initrd_size = 0;
-	unsigned long fdt_addr;  /* Original DTB */
+	unsigned long fdt_addr = 0;  /* Original DTB */
 	u64 fdt_size = 0;  /* We don't get size from configuration table */
 	char *cmdline_ptr = NULL;
 	int cmdline_size = 0;
@@ -197,9 +197,13 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 		goto fail_free_image;
 	}
 
-	/* Load a device tree from the configuration table, if present. */
-	fdt_addr = (uintptr_t)get_fdt(sys_table);
-	if (!fdt_addr) {
+	/*
+	 * Unauthenticated device tree data is a security hazard, so
+	 * ignore 'dtb=' unless UEFI Secure Boot is disabled.
+	 */
+	if (efi_secureboot_enabled(sys_table)) {
+		pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
+	} else {
 		status = handle_cmdline_files(sys_table, image, cmdline_ptr,
 					      "dtb=",
 					      ~0UL, (unsigned long *)&fdt_addr,
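Review bot: The message printed in the Secure Boot branch, `"UEFI Secure Boot is enabled.\n"`, never says that `dtb=` is being ignored, so a user whose device tree override stops taking effect has nothing in the boot log tying the two together. Wording such as `pr_efi(sys_table, "UEFI Secure Boot is enabled, dtb= will be ignored.\n");` would make the policy visible. The message is also printed on every secure boot whether or not `dtb=` was passed, which may be acceptable but should be a deliberate choice. efi_entry starts and ends outside this hunk, and the same hunk appears again in the second copy of the message further down the page.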
@@ -210,6 +214,9 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 			goto fail_free_cmdline;
 		}
 	}
+	if (!fdt_addr)
+		/* Look for a device tree configuration table entry. */
+		fdt_addr = (uintptr_t)get_fdt(sys_table);
 
 	status = handle_cmdline_files(sys_table, image, cmdline_ptr,
 				      "initrd=", dram_base + SZ_512M,
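Review bot: The `initrd=` load after the new fallback still goes through handle_cmdline_files regardless of the Secure Boot state, although the commit's rationale (unauthenticated data read from storage) would seem to apply to it as well. If the initrd is deliberately out of scope, a comment saying so next to the `dtb=` policy would stop readers assuming the stub authenticates everything it loads. Separately, the comment inside the unbraced `if (!fdt_addr)` reads more clearly above the condition, for example `/* Fall back to the device tree configuration table entry. */`. efi_entry continues outside the hunk.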
diff --git a/drivers/firmware/efi/efi-stub-helper.c b/drivers/firmware/efi/efi-stub-helper.c
index 998b884..8f8b538 100644
--- a/drivers/firmware/efi/efi-stub-helper.c
+++ b/drivers/firmware/efi/efi-stub-helper.c
@@ -632,3 +632,27 @@ static char *efi_convert_cmdline(efi_system_table_t *sys_table_arg,
 	*cmd_line_len = options_bytes;
 	return (char *)cmdline_addr;
 }
+
+static int __init efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
+{
+	static efi_guid_t const var_guid __initconst = EFI_GLOBAL_VARIABLE_GUID;
+	static efi_char16_t const var_name[] __initconst = {
+		'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
+
+	efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
+	unsigned long size = sizeof(u8);
+	efi_status_t status;
+	u8 val;
+
+	status = efi_call_phys5(f_getvar, (efi_char16_t *)var_name,
+				(efi_guid_t *)&var_guid, NULL, &size, &val);
+
+	switch (status) {
+	case EFI_SUCCESS:
+		return val;
+	case EFI_NOT_FOUND:
+		return 0;
+	default:
+		return 1;
+	}
+}
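Review bot: The `default:` branch of efi_secureboot_enabled returns 1 for every status other than EFI_SUCCESS and EFI_NOT_FOUND, which fails closed, but nothing says this is intentional and a later cleanup could flip it to 0. I would add a comment above the function stating that it returns nonzero when Secure Boot is enabled or its state cannot be determined, and put `/* Unknown state: assume enabled so dtb= is never honoured on error. */` on the default case. In the EFI_SUCCESS case `val` is returned without looking at the updated `size`; `return val != 0;` would at least normalise the result. Whether the SetupMode variable should be consulted as well cannot be answered from this hunk and is worth confirming against the UEFI specification.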
-- 
1.7.10.4


WARNING: multiple messages have this Message-ID (diff)
From: leif.lindholm@linaro.org (Leif Lindholm)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v3 10/10] efi/arm64: ignore dtb= when UEFI SecureBoot is enabled
Date: Fri,  4 Apr 2014 19:45:13 +0100	[thread overview]
Message-ID: <1396637113-22790-11-git-send-email-leif.lindholm@linaro.org> (raw)
In-Reply-To: <1396637113-22790-1-git-send-email-leif.lindholm@linaro.org>

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

Loading unauthenticated FDT blobs directly from storage is a security hazard,
so this should only be allowed when running with UEFI Secure Boot disabled.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Matt Fleming <matt.fleming@intel.com>
---
 drivers/firmware/efi/arm-stub.c        |   15 +++++++++++----
 drivers/firmware/efi/efi-stub-helper.c |   24 ++++++++++++++++++++++++
 2 files changed, 35 insertions(+), 4 deletions(-)

diff --git a/drivers/firmware/efi/arm-stub.c b/drivers/firmware/efi/arm-stub.c
index b9b7c00..c8988b2 100644
--- a/drivers/firmware/efi/arm-stub.c
+++ b/drivers/firmware/efi/arm-stub.c
@@ -145,7 +145,7 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 	/* addr/point and size pairs for memory management*/
 	unsigned long initrd_addr;
 	u64 initrd_size = 0;
-	unsigned long fdt_addr;  /* Original DTB */
+	unsigned long fdt_addr = 0;  /* Original DTB */
 	u64 fdt_size = 0;  /* We don't get size from configuration table */
 	char *cmdline_ptr = NULL;
 	int cmdline_size = 0;
@@ -197,9 +197,13 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 		goto fail_free_image;
 	}
 
-	/* Load a device tree from the configuration table, if present. */
-	fdt_addr = (uintptr_t)get_fdt(sys_table);
-	if (!fdt_addr) {
+	/*
+	 * Unauthenticated device tree data is a security hazard, so
+	 * ignore 'dtb=' unless UEFI Secure Boot is disabled.
+	 */
+	if (efi_secureboot_enabled(sys_table)) {
+		pr_efi(sys_table, "UEFI Secure Boot is enabled.\n");
+	} else {
 		status = handle_cmdline_files(sys_table, image, cmdline_ptr,
 					      "dtb=",
 					      ~0UL, (unsigned long *)&fdt_addr,
@@ -210,6 +214,9 @@ unsigned long __init efi_entry(void *handle, efi_system_table_t *sys_table,
 			goto fail_free_cmdline;
 		}
 	}
+	if (!fdt_addr)
+		/* Look for a device tree configuration table entry. */
+		fdt_addr = (uintptr_t)get_fdt(sys_table);
 
 	status = handle_cmdline_files(sys_table, image, cmdline_ptr,
 				      "initrd=", dram_base + SZ_512M,
diff --git a/drivers/firmware/efi/efi-stub-helper.c b/drivers/firmware/efi/efi-stub-helper.c
index 998b884..8f8b538 100644
--- a/drivers/firmware/efi/efi-stub-helper.c
+++ b/drivers/firmware/efi/efi-stub-helper.c
@@ -632,3 +632,27 @@ static char *efi_convert_cmdline(efi_system_table_t *sys_table_arg,
 	*cmd_line_len = options_bytes;
 	return (char *)cmdline_addr;
 }
+
+static int __init efi_secureboot_enabled(efi_system_table_t *sys_table_arg)
+{
+	static efi_guid_t const var_guid __initconst = EFI_GLOBAL_VARIABLE_GUID;
+	static efi_char16_t const var_name[] __initconst = {
+		'S', 'e', 'c', 'u', 'r', 'e', 'B', 'o', 'o', 't', 0 };
+
+	efi_get_variable_t *f_getvar = sys_table_arg->runtime->get_variable;
+	unsigned long size = sizeof(u8);
+	efi_status_t status;
+	u8 val;
+
+	status = efi_call_phys5(f_getvar, (efi_char16_t *)var_name,
+				(efi_guid_t *)&var_guid, NULL, &size, &val);
+
+	switch (status) {
+	case EFI_SUCCESS:
+		return val;
+	case EFI_NOT_FOUND:
+		return 0;
+	default:
+		return 1;
+	}
+}
-- 
1.7.10.4
