* [PATCH 0/2] arm64/efi: adapt to UEFI 2.5 properties table changes
From: Ard Biesheuvel @ 2015-06-30 10:17 UTC
To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, linux-efi-u79uwXL29TY76Z2rM5mHXA, matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8
Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA, lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel

First of all, I am aware that it is not customary to send non-trivial series during the merge window. However, since a parallel discussion is currently taking place on the edk2-devel mailing list, I think it makes sense to make an exception for this series.

Version 2.5 of the UEFI spec introduces a new Properties Table feature that splits the memory regions covered by PE/COFF executable images into regions with the appropriate permissions for the underlying segment (i.e., RuntimeServicesCode/R-X for .text and RuntimeServicesData/rw- for .data).

Unfortunately, this feature is built on the backwards incompatible assumption that the OS always maps all RuntimeServicesCode and RuntimeServicesData regions in a way that keeps adjacent code and data regions adjacent. Since this is not what we are currently doing for arm64, some changes are required.

The first patch makes the mapping permission logic compliant with the spec, by mapping all RuntimeServicesCode *and* RuntimeServicesData regions RWX (formerly, we were using RW- for data regions), unless any of the EFI_MEMORY_RO and EFI_MEMORY_XP attributes are set, and the region is fully aligned to the page size (which may not always be the case on 64k pages).

Then, in patch #2, we change the virtual remapping logic to keep adjacent EFI_MEMORY_RUNTIME regions together. This requires us to sort the incoming memory map, since the UEFI spec does not guarantee that it is sorted (although it usually is).

This series applies on top of the patch that introduces the EFI_MEMORY_RO region attribute, which can be found here:
http://article.gmane.org/gmane.linux.kernel.efi/5819

Ard Biesheuvel (2):
  arm64/efi: base UEFI mapping permissions on region attributes
  arm64/efi: don't pad between EFI_MEMORY_RUNTIME regions

 arch/arm64/kernel/efi.c                 | 32 +++++++----
 drivers/firmware/efi/libstub/arm-stub.c | 58 +++++++++++++++-----
 2 files changed, 64 insertions(+), 26 deletions(-)

--
1.9.1
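The layout problem the cover letter describes, modelled in userspace C as an added example (it is not code from this series or from the kernel): it compares padding every runtime region to 64 KB with keeping contiguous runtime regions together, and applies patch 1's alignment test to the result. `struct region`, the function names and the three-entry memory map are assumptions constructed for illustration, and the 2 MB section alignment is left out.

```c
/* Userspace model (added example). Constructed memory map; names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EFI_PAGE_SIZE       0x1000ULL
#define SZ_64K              0x10000ULL
#define EFI_MEMORY_RUNTIME  0x8000000000000000ULL
#define EFI_RT_VIRTUAL_BASE 0x40000000ULL
#define CODE_PHYS           0x80001000ULL /* constructed: .text half of a split image */
#define DATA_PHYS           0x80004000ULL /* constructed: .data half, directly after it */
#define NREGIONS            3

/* Simplified stand-in for efi_memory_desc_t. */
struct region { uint64_t phys_addr, num_pages, attribute, virt_addr; };

/* Deliberately unsorted, which the UEFI spec permits. */
static const struct region sample_map[NREGIONS] = {
    { DATA_PHYS,     2,  EFI_MEMORY_RUNTIME, 0 },
    { 0x10000000ULL, 16, 0,                  0 },
    { CODE_PHYS,     3,  EFI_MEMORY_RUNTIME, 0 },
};

static uint64_t round_down64(uint64_t v, uint64_t a) { return v & ~(a - 1); }
static uint64_t round_up64(uint64_t v, uint64_t a) { return (v + a - 1) & ~(a - 1); }
static uint64_t phys_end(const struct region *r)
{
    return r->phys_addr + r->num_pages * EFI_PAGE_SIZE;
}

static int by_phys_addr(const void *a, const void *b)
{
    const struct region *l = a, *r = b;
    return (l->phys_addr > r->phys_addr) - (l->phys_addr < r->phys_addr);
}

static struct region *find(struct region *map, size_t n, uint64_t phys)
{
    for (size_t i = 0; i < n; i++)
        if (map[i].phys_addr == phys)
            return &map[i];
    return NULL;
}

/* Behaviour before the series: each runtime region padded to 64 KB at both ends. */
void layout_padded(struct region *map, size_t n)
{
    uint64_t base = EFI_RT_VIRTUAL_BASE;
    for (size_t i = 0; i < n; i++) {
        struct region *in = &map[i];
        if (!(in->attribute & EFI_MEMORY_RUNTIME))
            continue;
        uint64_t paddr = round_down64(in->phys_addr, SZ_64K);
        in->virt_addr = base + in->phys_addr - paddr;
        base += round_up64(phys_end(in) - paddr, SZ_64K);
    }
}

/* Patch 2's rule: sort, then pad only a region that does not directly
 * follow another runtime region in physical memory. */
void layout_adjacent(struct region *map, size_t n)
{
    uint64_t base = EFI_RT_VIRTUAL_BASE;
    qsort(map, n, sizeof(*map), by_phys_addr);
    for (size_t i = 0; i < n; i++) {
        struct region *in = &map[i], *prev = i ? &map[i - 1] : NULL;
        if (!(in->attribute & EFI_MEMORY_RUNTIME))
            continue;
        uint64_t paddr = in->phys_addr;
        uint64_t size = in->num_pages * EFI_PAGE_SIZE;
        int contiguous = prev && (prev->attribute & EFI_MEMORY_RUNTIME) &&
                         phys_end(prev) == in->phys_addr;
        if (!contiguous) {
            paddr = round_down64(in->phys_addr, SZ_64K);
            size += in->phys_addr - paddr;
            base = round_up64(base, SZ_64K);
        }
        in->virt_addr = base + in->phys_addr - paddr;
        base += size;
    }
}

/* 1 if .data sits at the same distance from .text virtually as physically. */
int split_image_offset_kept(void (*layout)(struct region *, size_t))
{
    struct region map[NREGIONS];
    memcpy(map, sample_map, sizeof(map));
    layout(map, NREGIONS);
    struct region *code = find(map, NREGIONS, CODE_PHYS);
    struct region *data = find(map, NREGIONS, DATA_PHYS);
    return data->virt_addr - code->virt_addr == data->phys_addr - code->phys_addr;
}

/* Patch 1's test: RO/XP are honoured only if the region shares no page
 * of size page_size with a neighbour at either end. */
int strict_perms_after_adjacent(uint64_t phys, uint64_t page_size)
{
    struct region map[NREGIONS];
    memcpy(map, sample_map, sizeof(map));
    layout_adjacent(map, NREGIONS);
    const struct region *r = find(map, NREGIONS, phys);
    return r->virt_addr % page_size == 0 && phys_end(r) % page_size == 0;
}

int main(void)
{
    printf("padded layout keeps offset:   %d\n", split_image_offset_kept(layout_padded));
    printf("adjacent layout keeps offset: %d\n", split_image_offset_kept(layout_adjacent));
    printf("code strict perms, 4K pages:  %d\n", strict_perms_after_adjacent(CODE_PHYS, EFI_PAGE_SIZE));
    printf("code strict perms, 64K pages: %d\n", strict_perms_after_adjacent(CODE_PHYS, SZ_64K));
    return 0;
}
```

With this map the adjacent layout keeps the 0x3000 distance between the two halves, while a 64 KB kernel cannot apply RO/XP to the code region because it starts 0x1000 into a page frame.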
* [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes 2015-06-30 10:17 ` Ard Biesheuvel @ 2015-06-30 10:17 ` Ard Biesheuvel -1 siblings, 0 replies; 10+ messages in thread From: Ard Biesheuvel @ 2015-06-30 10:17 UTC (permalink / raw) To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, linux-efi-u79uwXL29TY76Z2rM5mHXA, matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8 Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA, lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel Currently, we infer the UEFI memory region mapping permissions from the memory region type (i.e., runtime services code are mapped RWX and runtime services data mapped RW-). This appears to work fine but is not entirely UEFI spec compliant. So instead, use the designated permission attributes to decide how these regions should be mapped. Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute, and redefines EFI_MEMORY_WP as a cacheability attribute, use only the former as a read-only attribute. For setting the PXN bit, the corresponding EFI_MEMORY_XP attribute is used. Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> --- arch/arm64/kernel/efi.c | 32 +++++++++++++------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c index ab21e0d58278..5dcab58d5d30 100644 --- a/arch/arm64/kernel/efi.c +++ b/arch/arm64/kernel/efi.c 
@@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void) memrange_efi_to_native(&paddr, &npages); size = npages << PAGE_SHIFT; - pr_info(" EFI remap 0x%016llx => %p\n", - md->phys_addr, (void *)md->virt_addr); - - /* - * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be - * executable, everything else can be mapped with the XN bits - * set. - */ if (!is_normal_ram(md)) prot = __pgprot(PROT_DEVICE_nGnRE); - else if (md->type == EFI_RUNTIME_SERVICES_CODE) - prot = PAGE_KERNEL_EXEC; else - prot = PAGE_KERNEL; + prot = PAGE_KERNEL_EXEC; + + /* + * On 64 KB granule kernels, only use strict permissions when + * the region does not share a 64 KB page frame with another + * region at either end. + */ + if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) || + !(md->virt_addr % PAGE_SIZE || + (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) { + + if (md->attribute & EFI_MEMORY_RO) + prot |= __pgprot(PTE_RDONLY); + if (md->attribute & EFI_MEMORY_XP) + prot |= __pgprot(PTE_PXN); + } + + pr_info(" EFI remap 0x%016llx => %p (R%c%c)\n", + md->phys_addr, (void *)md->virt_addr, + prot & __pgprot(PTE_RDONLY) ? '-' : 'W', + prot & __pgprot(PTE_PXN) ? '-' : 'X'); create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot); } -- 1.9.1 ^ permalink raw reply related [flat|nested] 10+ messages in thread
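Review bot: In efi_virtmap_init(), the new "else prot = PAGE_KERNEL_EXEC;" branch makes every normal-RAM runtime region writable and executable by default, where the removed lines gave everything except EFI_RUNTIME_SERVICES_CODE the non-executable PAGE_KERNEL. When the firmware sets neither EFI_MEMORY_RO nor EFI_MEMORY_XP, or when the 64 KB alignment test fails, data regions that used to be RW- become RWX. Consider falling back to the old type-based choice for a region that carries neither attribute, or say in the commit message that dropping XN on data regions is intended. The alignment test also checks the start with md->virt_addr and the end with md->phys_addr; a comment on why the two are interchangeable within a 64 KB frame would help.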
* Re: [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes 2015-06-30 10:17 ` Ard Biesheuvel @ 2015-06-30 14:50 ` Mark Salter -1 siblings, 0 replies; 10+ messages in thread From: Mark Salter @ 2015-06-30 14:50 UTC (permalink / raw) To: Ard Biesheuvel, linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, linux-efi-u79uwXL29TY76Z2rM5mHXA, matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8 Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, roy.franz-QSEj5FYQhm4dnm+yROfE0A, lersek-H+wXaHxf7aLQT0dZR+AlfA On Tue, 2015-06-30 at 12:17 +0200, Ard Biesheuvel wrote: > Currently, we infer the UEFI memory region mapping permissions > from the memory region type (i.e., runtime services code are > mapped RWX and runtime services data mapped RW-). This appears to > work fine but is not entirely UEFI spec compliant. So instead, use > the designated permission attributes to decide how these regions > should be mapped. > > Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute, > and redefines EFI_MEMORY_WP as a cacheability attribute, use only > the former as a read-only attribute. For setting the PXN bit, the > corresponding EFI_MEMORY_XP attribute is used. > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> > --- > arch/arm64/kernel/efi.c | 32 +++++++++++++------- > 1 file changed, 21 insertions(+), 11 deletions(-) > > diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c > index ab21e0d58278..5dcab58d5d30 100644 > --- a/arch/arm64/kernel/efi.c > +++ b/arch/arm64/kernel/efi.c 
> @@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void) > memrange_efi_to_native(&paddr, &npages); > size = npages << PAGE_SHIFT; > > - pr_info(" EFI remap 0x%016llx => %p\n", > - md->phys_addr, (void *)md->virt_addr); > - > - /* > - * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be > - * executable, everything else can be mapped with the XN bits > - * set. > - */ > if (!is_normal_ram(md)) > prot = __pgprot(PROT_DEVICE_nGnRE); > - else if (md->type == EFI_RUNTIME_SERVICES_CODE) > - prot = PAGE_KERNEL_EXEC; > else > - prot = PAGE_KERNEL; > + prot = PAGE_KERNEL_EXEC; > + > + /* > + * On 64 KB granule kernels, only use strict permissions when > + * the region does not share a 64 KB page frame with another > + * region at either end. > + */ > + if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) || > + !(md->virt_addr % PAGE_SIZE || > + (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) { I think this would read easier with: (PAGE_ALIGNED(md->virt_addr) && PAGE_ALIGNED(md->phys_addr + md->num_pages * EFI_PAGE_SIZE))) { > + > + if (md->attribute & EFI_MEMORY_RO) > + prot |= __pgprot(PTE_RDONLY); > + if (md->attribute & EFI_MEMORY_XP) > + prot |= __pgprot(PTE_PXN); > + } > + > + pr_info(" EFI remap 0x%016llx => %p (R%c%c)\n", > + md->phys_addr, (void *)md->virt_addr, > + prot & __pgprot(PTE_RDONLY) ? '-' : 'W', > + prot & __pgprot(PTE_PXN) ? '-' : 'X'); You can't manipulate pgprot_t directly like that. It will break STRICT_MM_TYPECHECKS. You need to use __pgprot_modify() and/or pgprot_val(). arch/arm64/kernel/efi.c: In function ‘efi_virtmap_init’: arch/arm64/kernel/efi.c:266:10: error: invalid operands to binary | (have ‘pgprot_t’ and ‘pgprot_t’) prot |= __pgprot(PTE_RDONLY); ^ ... (In trying that, I see there are a number of other places which need some STRICT_MM_TYPECHECKS fixing) > > create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot); > } ^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes 2015-06-30 14:50 ` Mark Salter @ 2015-06-30 14:53 ` Ard Biesheuvel -1 siblings, 0 replies; 10+ messages in thread From: Ard Biesheuvel @ 2015-06-30 14:53 UTC (permalink / raw) To: Mark Salter Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, linux-efi-u79uwXL29TY76Z2rM5mHXA, Matt Fleming, Mark Rutland, Leif Lindholm, Roy Franz, Laszlo Ersek On 30 June 2015 at 16:50, Mark Salter <msalter-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote: > On Tue, 2015-06-30 at 12:17 +0200, Ard Biesheuvel wrote: > >> Currently, we infer the UEFI memory region mapping permissions >> from the memory region type (i.e., runtime services code are >> mapped RWX and runtime services data mapped RW-). This appears to >> work fine but is not entirely UEFI spec compliant. So instead, use >> the designated permission attributes to decide how these regions >> should be mapped. >> >> Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute, >> and redefines EFI_MEMORY_WP as a cacheability attribute, use only >> the former as a read-only attribute. For setting the PXN bit, the >> corresponding EFI_MEMORY_XP attribute is used. >> >> Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> >> --- >> arch/arm64/kernel/efi.c | 32 +++++++++++++------- >> 1 file changed, 21 insertions(+), 11 deletions(-) >> >> diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c >> index ab21e0d58278..5dcab58d5d30 100644 >> --- a/arch/arm64/kernel/efi.c >> +++ b/arch/arm64/kernel/efi.c 
>> @@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void) >> memrange_efi_to_native(&paddr, &npages); >> size = npages << PAGE_SHIFT; >> >> - pr_info(" EFI remap 0x%016llx => %p\n", >> - md->phys_addr, (void *)md->virt_addr); >> - >> - /* >> - * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be >> - * executable, everything else can be mapped with the XN bits >> - * set. >> - */ >> if (!is_normal_ram(md)) >> prot = __pgprot(PROT_DEVICE_nGnRE); >> - else if (md->type == EFI_RUNTIME_SERVICES_CODE) >> - prot = PAGE_KERNEL_EXEC; >> else >> - prot = PAGE_KERNEL; >> + prot = PAGE_KERNEL_EXEC; >> + >> + /* >> + * On 64 KB granule kernels, only use strict permissions when >> + * the region does not share a 64 KB page frame with another >> + * region at either end. >> + */ >> + if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) || >> + !(md->virt_addr % PAGE_SIZE || >> + (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) { > > I think this would read easier with: > > (PAGE_ALIGNED(md->virt_addr) && > PAGE_ALIGNED(md->phys_addr + md->num_pages * EFI_PAGE_SIZE))) { > Yes, good point, I will change that. >> + >> + if (md->attribute & EFI_MEMORY_RO) >> + prot |= __pgprot(PTE_RDONLY); >> + if (md->attribute & EFI_MEMORY_XP) >> + prot |= __pgprot(PTE_PXN); >> + } >> + >> + pr_info(" EFI remap 0x%016llx => %p (R%c%c)\n", >> + md->phys_addr, (void *)md->virt_addr, >> + prot & __pgprot(PTE_RDONLY) ? '-' : 'W', >> + prot & __pgprot(PTE_PXN) ? '-' : 'X'); > > You can't manipulate pgprot_t directly like that. It will > break STRICT_MM_TYPECHECKS. You need to use __pgprot_modify() > and/or pgprot_val(). > > arch/arm64/kernel/efi.c: In function ‘efi_virtmap_init’: > arch/arm64/kernel/efi.c:266:10: error: invalid operands to binary | (have ‘pgprot_t’ and ‘pgprot_t’) > prot |= __pgprot(PTE_RDONLY); > ^ > ... 
> > (In trying that, I see there are a number of other places which > need some STRICT_MM_TYPECHECKS fixing) > Actually, I had 'prot |= PTE_RDONLY' but then changed it to the above thinking that it would pass the strict type checks, but apparently not :-) I will fix that up as well. Thanks, Ard. >> >> create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot); >> } > ^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH 2/2] arm64/efi: don't pad between EFI_MEMORY_RUNTIME regions 2015-06-30 10:17 ` Ard Biesheuvel @ 2015-06-30 10:17 ` Ard Biesheuvel -1 siblings, 0 replies; 10+ messages in thread From: Ard Biesheuvel @ 2015-06-30 10:17 UTC (permalink / raw) To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r, linux-efi-u79uwXL29TY76Z2rM5mHXA, matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8 Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A, roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA, lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel The new Properties Table feature introduced in UEFIv2.5 may split memory regions that cover PE/COFF memory images into separate code and data regions. Since the relative offset of PE/COFF .text and .data segments cannot be changed on the fly, this means that we can no longer pad out those regions to be mappable using 64 KB pages. Unfortunately, there is no annotation in the UEFI memory map that identifies data regions that were split off from a code region, so we must apply this logic to all runtime code and data regions. So instead of rounding each memory region to 64 KB alignment at both ends, only round down regions that are not directly preceded by another runtime region. Since the UEFI spec does not mandate that the memory map be sorted, this means we also need to sort it first. Signed-off-by: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org> --- drivers/firmware/efi/libstub/arm-stub.c | 58 +++++++++++++++----- 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c index e29560e6b40b..dd9e2addc9fb 100644 --- a/drivers/firmware/efi/libstub/arm-stub.c +++ b/drivers/firmware/efi/libstub/arm-stub.c @@ -13,6 +13,7 @@ */ #include <linux/efi.h> +#include <linux/sort.h> #include <asm/efi.h> #include "efistub.h" 
@@ -305,6 +306,13 @@ fail: */ #define EFI_RT_VIRTUAL_BASE 0x40000000 +static int cmp_mem_desc(const void *a, const void *b) +{ + efi_memory_desc_t const *left = a, *right = b; + + return (left->phys_addr > right->phys_addr) ? 1 : -1; +} + /* * efi_get_virtmap() - create a virtual mapping for the EFI memory map * 
@@ -317,33 +325,53 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size, int *count) { u64 efi_virt_base = EFI_RT_VIRTUAL_BASE; - efi_memory_desc_t *out = runtime_map; + efi_memory_desc_t *in, *prev = NULL, *out = runtime_map; int l; - for (l = 0; l < map_size; l += desc_size) { - efi_memory_desc_t *in = (void *)memory_map + l; + /* + * To work around potential issues with the Properties Table feature + * introduced in UEFI 2.5 (which may split PE/COFF memory images + * into several RuntimeServicesCode and RuntimeServicesData regions + * whose relative offset in memory needs to be retained), we need to + * sort the memory map before traversing it, and avoid padding out those + * regions to 64 KB granularity. + */ + sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL); + + for (l = 0; l < map_size; l += desc_size, prev = in) { u64 paddr, size; + in = (void *)memory_map + l; if (!(in->attribute & EFI_MEMORY_RUNTIME)) continue; + paddr = in->phys_addr; + size = in->num_pages * EFI_PAGE_SIZE; + /* * Make the mapping compatible with 64k pages: this allows * a 4k page size kernel to kexec a 64k page size kernel and * vice versa. */ - paddr = round_down(in->phys_addr, SZ_64K); - size = round_up(in->num_pages * EFI_PAGE_SIZE + - in->phys_addr - paddr, SZ_64K); - - /* - * Avoid wasting memory on PTEs by choosing a virtual base that - * is compatible with section mappings if this region has the - * appropriate size and physical alignment. 
(Sections are 2 MB - * on 4k granule kernels) - */ - if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M) - efi_virt_base = round_up(efi_virt_base, SZ_2M); + if (!prev || + !(paddr == (prev->phys_addr + + prev->num_pages * EFI_PAGE_SIZE) && + (prev->attribute & EFI_MEMORY_RUNTIME))) { + + paddr = round_down(in->phys_addr, SZ_64K); + size += in->phys_addr - paddr; + + /* + * Avoid wasting memory on PTEs by choosing a virtual + * base that is compatible with section mappings if this + * region has the appropriate size and physical + * alignment. (Sections are 2 MB on 4k granule kernels) + */ + if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M) + efi_virt_base = round_up(efi_virt_base, SZ_2M); + else + efi_virt_base = round_up(efi_virt_base, SZ_64K); + } in->virt_addr = efi_virt_base + in->phys_addr - paddr; efi_virt_base += size; -- 1.9.1 ^ permalink raw reply related [flat|nested] 10+ messages in thread
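Review bot: In cmp_mem_desc(), the comparison never returns 0: two descriptors with the same phys_addr compare as -1 whichever way round they are passed, so the ordering is not consistent. Returning 0 for the equal case, for example (left->phys_addr > right->phys_addr) - (left->phys_addr < right->phys_addr), honours the comparator contract that sort() expects. A one-line comment stating that the order is ascending physical address would also help.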
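Review bot: In efi_get_virtmap(), the new test "!prev || !(paddr == (prev->phys_addr + prev->num_pages * EFI_PAGE_SIZE) && (prev->attribute & EFI_MEMORY_RUNTIME))" sits under the unchanged comment "Make the mapping compatible with 64k pages", which no longer describes what the branch decides. Suggest stating the adjacency rule in a comment at the test, or moving it into a small helper that says whether 'in' directly follows a runtime region, and writing the condition in positive form. The function comment should also mention that sort() now reorders the caller's memory_map in place.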