* [PATCH 0/2] arm64/efi: adapt to UEFI 2.5 properties table changes
@ 2015-06-30 10:17 ` Ard Biesheuvel
  0 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2015-06-30 10:17 UTC (permalink / raw)
  To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8
  Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A,
	roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA,
	lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel

First of all, I am aware that it is not customary to send non-trivial series
during the merge window. However, since a parallel discussion is currently
taking place on the edk2-devel mailing list, I think it makes sense to make
an exception for this series.

Version 2.5 of the UEFI spec introduces a new Properties Table feature
that splits the memory regions covered by PE/COFF executable images
into regions with the appropriate permissions for the underlying segment
(i.e., RuntimeServicesCode/R-X for .text and RuntimeServicesData/RW- for
.data).

Unfortunately, this feature is built on the backwards-incompatible assumption
that the OS always maps all RuntimeServicesCode and RuntimeServicesData regions
in a way that keeps adjacent code and data regions adjacent. Since this is
not what we are currently doing for arm64, some changes are required.

The first patch makes the mapping permission logic compliant with the spec,
by mapping all RuntimeServicesCode *and* RuntimeServicesData regions RWX
(formerly, we were using RW- for data regions), unless any of the
EFI_MEMORY_RO and EFI_MEMORY_XP attributes are set, and the region is fully
aligned to the page size (which may not always be the case on 64k pages).

Then, in patch #2, we change the virtual remapping logic to keep adjacent
EFI_MEMORY_RUNTIME regions together. This requires us to sort the incoming
memory map, since the UEFI spec does not guarantee that it is sorted (although
it usually is).

This series applies on top of the patch that introduces the EFI_MEMORY_RO
region attribute, which can be found here:
http://article.gmane.org/gmane.linux.kernel.efi/5819

Ard Biesheuvel (2):
  arm64/efi: base UEFI mapping permissions on region attributes
  arm64/efi: don't pad between EFI_MEMORY_RUNTIME regions

 arch/arm64/kernel/efi.c                 | 32 +++++++----
 drivers/firmware/efi/libstub/arm-stub.c | 58 +++++++++++++++-----
 2 files changed, 64 insertions(+), 26 deletions(-)

-- 
1.9.1
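
The two rules described in this cover letter, modelled in user space as an added example (not code from the series): `layout()` follows patch 2 without the 2 MB section alignment and `perms()` follows patch 1. `struct region`, the `PERM_*` flags, `region_end()` and the sample map are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Attribute bits as defined by the UEFI spec; everything else is a model. */
#define EFI_PAGE_SIZE       0x1000ULL
#define SZ_64K              0x10000ULL
#define EFI_MEMORY_XP       0x0000000000004000ULL
#define EFI_MEMORY_RO       0x0000000000020000ULL
#define EFI_MEMORY_RUNTIME  0x8000000000000000ULL
#define EFI_RT_VIRTUAL_BASE 0x40000000ULL   /* value used in arm-stub.c */

enum { PERM_W = 1, PERM_X = 2 };            /* hypothetical flags, read is implied */

struct region {                             /* simplified efi_memory_desc_t */
	uint64_t phys_addr, num_pages, attribute, virt_addr;
};

/* Constructed sample map, deliberately unsorted. */
struct region sample_map[] = {
	{ 0x80014000ULL,  2, EFI_MEMORY_RUNTIME | EFI_MEMORY_XP, 0 }, /* split-off .data */
	{ 0x90000000ULL, 16, EFI_MEMORY_RUNTIME | EFI_MEMORY_XP, 0 }, /* lone data region */
	{ 0x80000000ULL, 16, 0, 0 },                                  /* not runtime */
	{ 0x80011000ULL,  3, EFI_MEMORY_RUNTIME | EFI_MEMORY_RO, 0 }, /* split-off .text */
};
#define SAMPLE_COUNT (sizeof(sample_map) / sizeof(sample_map[0]))

static int cmp_region(const void *a, const void *b)
{
	const struct region *l = a, *r = b;

	return (l->phys_addr > r->phys_addr) - (l->phys_addr < r->phys_addr);
}

static uint64_t region_end(const struct region *r)
{
	return r->phys_addr + r->num_pages * EFI_PAGE_SIZE;
}

/* Patch 2 layout: sort, then pad only at the start of each run of runtime regions. */
void layout(struct region *map, size_t n)
{
	uint64_t virt_base = EFI_RT_VIRTUAL_BASE;
	const struct region *prev = NULL;

	qsort(map, n, sizeof(*map), cmp_region);
	for (size_t i = 0; i < n; prev = &map[i], i++) {
		struct region *in = &map[i];
		uint64_t paddr = in->phys_addr;
		uint64_t size = in->num_pages * EFI_PAGE_SIZE;

		if (!(in->attribute & EFI_MEMORY_RUNTIME))
			continue;
		/* New 64 KB aligned run unless we directly follow a runtime region. */
		if (!prev || !(prev->attribute & EFI_MEMORY_RUNTIME) ||
		    region_end(prev) != paddr) {
			paddr &= ~(SZ_64K - 1);
			size += in->phys_addr - paddr;
			virt_base = (virt_base + SZ_64K - 1) & ~(SZ_64K - 1);
		}
		in->virt_addr = virt_base + in->phys_addr - paddr;
		virt_base += size;
	}
}

/* Patch 1 rule: start RWX, tighten only if the region fills whole pages. */
int perms(const struct region *md, uint64_t page_size)
{
	int p = PERM_W | PERM_X;

	if (md->virt_addr % page_size == 0 && region_end(md) % page_size == 0) {
		if (md->attribute & EFI_MEMORY_RO)
			p &= ~PERM_W;
		if (md->attribute & EFI_MEMORY_XP)
			p &= ~PERM_X;
	}
	return p;
}

int main(void)
{
	layout(sample_map, SAMPLE_COUNT);
	for (size_t i = 0; i < SAMPLE_COUNT; i++) {
		const struct region *r = &sample_map[i];
		int p4 = perms(r, EFI_PAGE_SIZE), p64 = perms(r, SZ_64K);

		if (!(r->attribute & EFI_MEMORY_RUNTIME))
			continue;
		printf("0x%010llx => 0x%010llx  4K: R%c%c  64K: R%c%c\n",
		       (unsigned long long)r->phys_addr,
		       (unsigned long long)r->virt_addr,
		       p4 & PERM_W ? 'W' : '-', p4 & PERM_X ? 'X' : '-',
		       p64 & PERM_W ? 'W' : '-', p64 & PERM_X ? 'X' : '-');
	}
	return 0;
}
```

On the sample map the split .text/.data pair keeps its 0x3000 offset in the virtual layout, and with a 64 KB granule both halves stay RWX because neither fills whole 64 KB pages.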


* [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes
  2015-06-30 10:17 ` Ard Biesheuvel
@ 2015-06-30 10:17     ` Ard Biesheuvel
  -1 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2015-06-30 10:17 UTC (permalink / raw)
  To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8
  Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A,
	roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA,
	lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel

Currently, we infer the UEFI memory region mapping permissions
from the memory region type (i.e., runtime services code are
mapped RWX and runtime services data mapped RW-). This appears to
work fine but is not entirely UEFI spec compliant. So instead, use
the designated permission attributes to decide how these regions
should be mapped.

Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute,
and redefines EFI_MEMORY_WP as a cacheability attribute, use only
the former as a read-only attribute. For setting the PXN bit, the
corresponding EFI_MEMORY_XP attribute is used.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm64/kernel/efi.c | 32 +++++++++++++-------
 1 file changed, 21 insertions(+), 11 deletions(-)

diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
index ab21e0d58278..5dcab58d5d30 100644
--- a/arch/arm64/kernel/efi.c
+++ b/arch/arm64/kernel/efi.c
@@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void)
 		memrange_efi_to_native(&paddr, &npages);
 		size = npages << PAGE_SHIFT;
 
-		pr_info("  EFI remap 0x%016llx => %p\n",
-			md->phys_addr, (void *)md->virt_addr);
-
-		/*
-		 * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be
-		 * executable, everything else can be mapped with the XN bits
-		 * set.
-		 */
 		if (!is_normal_ram(md))
 			prot = __pgprot(PROT_DEVICE_nGnRE);
-		else if (md->type == EFI_RUNTIME_SERVICES_CODE)
-			prot = PAGE_KERNEL_EXEC;
 		else
-			prot = PAGE_KERNEL;
+			prot = PAGE_KERNEL_EXEC;
+
+		/*
+		 * On 64 KB granule kernels, only use strict permissions when
+		 * the region does not share a 64 KB page frame with another
+		 * region at either end.
+		 */
+		if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) ||
+		    !(md->virt_addr % PAGE_SIZE ||
+		      (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) {
+
+			if (md->attribute & EFI_MEMORY_RO)
+				prot |= __pgprot(PTE_RDONLY);
+			if (md->attribute & EFI_MEMORY_XP)
+				prot |= __pgprot(PTE_PXN);
+		}
+
+		pr_info("  EFI remap 0x%016llx => %p (R%c%c)\n",
+			md->phys_addr, (void *)md->virt_addr,
+			prot & __pgprot(PTE_RDONLY) ? '-' : 'W',
+			prot & __pgprot(PTE_PXN) ? '-' : 'X');
 
 		create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot);
 	}
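
Review bot: the new `else` branch gives every normal-RAM runtime region `PAGE_KERNEL_EXEC`, so a RuntimeServicesData region whose descriptor lacks `EFI_MEMORY_XP` is now mapped writable and executable where the removed code gave it `PAGE_KERNEL`. The deleted comment documented the old policy and nothing replaces it; please add a comment at `prot = PAGE_KERNEL_EXEC` stating that RWX is the fallback and that only `EFI_MEMORY_RO` and `EFI_MEMORY_XP` tighten it, and consider keeping the non-executable default for data regions when the descriptor sets neither attribute. The 64 KB test also checks the start through `md->virt_addr` but the end through `md->phys_addr`; a line explaining why the two are interchangeable here would help.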
-- 
1.9.1


* [PATCH 2/2] arm64/efi: don't pad between EFI_MEMORY_RUNTIME regions
  2015-06-30 10:17 ` Ard Biesheuvel
@ 2015-06-30 10:17     ` Ard Biesheuvel
  -1 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2015-06-30 10:17 UTC (permalink / raw)
  To: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8
  Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A,
	roy.franz-QSEj5FYQhm4dnm+yROfE0A, msalter-H+wXaHxf7aLQT0dZR+AlfA,
	lersek-H+wXaHxf7aLQT0dZR+AlfA, Ard Biesheuvel

The new Properties Table feature introduced in UEFIv2.5 may split
memory regions that cover PE/COFF memory images into separate code
and data regions.

Since the relative offset of PE/COFF .text and .data segments cannot
be changed on the fly, this means that we can no longer pad out those
regions to be mappable using 64 KB pages.
Unfortunately, there is no annotation in the UEFI memory map that
identifies data regions that were split off from a code region, so we
must apply this logic to all runtime code and data regions.

So instead of rounding each memory region to 64 KB alignment at both
ends, only round down regions that are not directly preceded by another
runtime region. Since the UEFI spec does not mandate that the memory map
be sorted, this means we also need to sort it first.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 drivers/firmware/efi/libstub/arm-stub.c | 58 +++++++++++++++-----
 1 file changed, 43 insertions(+), 15 deletions(-)

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index e29560e6b40b..dd9e2addc9fb 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -13,6 +13,7 @@
  */
 
 #include <linux/efi.h>
+#include <linux/sort.h>
 #include <asm/efi.h>
 
 #include "efistub.h"
@@ -305,6 +306,13 @@ fail:
  */
 #define EFI_RT_VIRTUAL_BASE	0x40000000
 
+static int cmp_mem_desc(const void *a, const void *b)
+{
+	efi_memory_desc_t const *left = a, *right = b;
+
+	return (left->phys_addr > right->phys_addr) ? 1 : -1;
+}
+
 /*
  * efi_get_virtmap() - create a virtual mapping for the EFI memory map
  *
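
Review bot: `cmp_mem_desc()` never returns 0: for two descriptors with the same `phys_addr` it reports -1 whichever way round they are passed, so the comparison is not a consistent ordering. Descriptors should not share a start address, but the map is firmware-supplied input, so return 0 on equality, for example `return (left->phys_addr > right->phys_addr) - (left->phys_addr < right->phys_addr);`.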
@@ -317,33 +325,53 @@ void efi_get_virtmap(efi_memory_desc_t *memory_map, unsigned long map_size,
 		     int *count)
 {
 	u64 efi_virt_base = EFI_RT_VIRTUAL_BASE;
-	efi_memory_desc_t *out = runtime_map;
+	efi_memory_desc_t *in, *prev = NULL, *out = runtime_map;
 	int l;
 
-	for (l = 0; l < map_size; l += desc_size) {
-		efi_memory_desc_t *in = (void *)memory_map + l;
+	/*
+	 * To work around potential issues with the Properties Table feature
+	 * introduced in UEFI 2.5 (which may split PE/COFF memory images
+	 * into several RuntimeServicesCode and RuntimeServicesData regions
+	 * whose relative offset in memory needs to be retained), we need to
+	 * sort the memory map before traversing it, and avoid padding out those
+	 * regions to 64 KB granularity.
+	 */
+	sort(memory_map, map_size / desc_size, desc_size, cmp_mem_desc, NULL);
+
+	for (l = 0; l < map_size; l += desc_size, prev = in) {
 		u64 paddr, size;
 
+		in = (void *)memory_map + l;
 		if (!(in->attribute & EFI_MEMORY_RUNTIME))
 			continue;
 
+		paddr = in->phys_addr;
+		size = in->num_pages * EFI_PAGE_SIZE;
+
 		/*
 		 * Make the mapping compatible with 64k pages: this allows
 		 * a 4k page size kernel to kexec a 64k page size kernel and
 		 * vice versa.
 		 */
-		paddr = round_down(in->phys_addr, SZ_64K);
-		size = round_up(in->num_pages * EFI_PAGE_SIZE +
-				in->phys_addr - paddr, SZ_64K);
-
-		/*
-		 * Avoid wasting memory on PTEs by choosing a virtual base that
-		 * is compatible with section mappings if this region has the
-		 * appropriate size and physical alignment. (Sections are 2 MB
-		 * on 4k granule kernels)
-		 */
-		if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
-			efi_virt_base = round_up(efi_virt_base, SZ_2M);
+		if (!prev ||
+		    !(paddr == (prev->phys_addr +
+				prev->num_pages * EFI_PAGE_SIZE) &&
+		      (prev->attribute & EFI_MEMORY_RUNTIME))) {
+
+			paddr = round_down(in->phys_addr, SZ_64K);
+			size += in->phys_addr - paddr;
+
+			/*
+			 * Avoid wasting memory on PTEs by choosing a virtual
+			 * base that is compatible with section mappings if this
+			 * region has the appropriate size and physical
+			 * alignment. (Sections are 2 MB on 4k granule kernels)
+			 */
+			if (IS_ALIGNED(in->phys_addr, SZ_2M) && size >= SZ_2M)
+				efi_virt_base = round_up(efi_virt_base, SZ_2M);
+			else
+				efi_virt_base = round_up(efi_virt_base, SZ_64K);
+		}
 
 		in->virt_addr = efi_virt_base + in->phys_addr - paddr;
 		efi_virt_base += size;
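
Review bot: the retained comment "Make the mapping compatible with 64k pages" now sits directly above the `if (!prev || ...)` contiguity test, which it does not describe, and the old `round_up(..., SZ_64K)` on `size` is dropped without a word on why region ends are no longer padded. Please reword the comment to state the rule (round down only when the region does not directly follow another `EFI_MEMORY_RUNTIME` region) and say that tail padding now comes from the `round_up(efi_virt_base, ...)` at the start of the next run. `sort()` also reorders the caller's `memory_map` in place, which the kerneldoc for `efi_get_virtmap()` should mention.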
-- 
1.9.1


* Re: [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes
  2015-06-30 10:17     ` Ard Biesheuvel
@ 2015-06-30 14:50         ` Mark Salter
  -1 siblings, 0 replies; 10+ messages in thread
From: Mark Salter @ 2015-06-30 14:50 UTC (permalink / raw)
  To: Ard Biesheuvel,
	linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	linux-efi-u79uwXL29TY76Z2rM5mHXA,
	matt.fleming-ral2JQCrhuEAvxtiuMwx3w, mark.rutland-5wv7dgnIgG8
  Cc: leif.lindholm-QSEj5FYQhm4dnm+yROfE0A,
	roy.franz-QSEj5FYQhm4dnm+yROfE0A, lersek-H+wXaHxf7aLQT0dZR+AlfA

On Tue, 2015-06-30 at 12:17 +0200, Ard Biesheuvel wrote:

> Currently, we infer the UEFI memory region mapping permissions
> from the memory region type (i.e., runtime services code are
> mapped RWX and runtime services data mapped RW-). This appears to
> work fine but is not entirely UEFI spec compliant. So instead, use
> the designated permission attributes to decide how these regions
> should be mapped.
> 
> Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute,
> and redefines EFI_MEMORY_WP as a cacheability attribute, use only
> the former as a read-only attribute. For setting the PXN bit, the
> corresponding EFI_MEMORY_XP attribute is used.
> 
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  arch/arm64/kernel/efi.c | 32 +++++++++++++-------
>  1 file changed, 21 insertions(+), 11 deletions(-)
> 
> diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
> index ab21e0d58278..5dcab58d5d30 100644
> --- a/arch/arm64/kernel/efi.c
> +++ b/arch/arm64/kernel/efi.c
> @@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void)
>  		memrange_efi_to_native(&paddr, &npages);
>  		size = npages << PAGE_SHIFT;
>  
> -		pr_info("  EFI remap 0x%016llx => %p\n",
> -			md->phys_addr, (void *)md->virt_addr);
> -
> -		/*
> -		 * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be
> -		 * executable, everything else can be mapped with the XN bits
> -		 * set.
> -		 */
>  		if (!is_normal_ram(md))
>  			prot = __pgprot(PROT_DEVICE_nGnRE);
> -		else if (md->type == EFI_RUNTIME_SERVICES_CODE)
> -			prot = PAGE_KERNEL_EXEC;
>  		else
> -			prot = PAGE_KERNEL;
> +			prot = PAGE_KERNEL_EXEC;
> +
> +		/*
> +		 * On 64 KB granule kernels, only use strict permissions when
> +		 * the region does not share a 64 KB page frame with another
> +		 * region at either end.
> +		 */
> +		if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) ||
> +		    !(md->virt_addr % PAGE_SIZE ||
> +		      (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) {

I think this would read easier with:

		    (PAGE_ALIGNED(md->virt_addr) &&
		      PAGE_ALIGNED(md->phys_addr + md->num_pages * EFI_PAGE_SIZE))) {

> +
> +			if (md->attribute & EFI_MEMORY_RO)
> +				prot |= __pgprot(PTE_RDONLY);
> +			if (md->attribute & EFI_MEMORY_XP)
> +				prot |= __pgprot(PTE_PXN);
> +		}
> +
> +		pr_info("  EFI remap 0x%016llx => %p (R%c%c)\n",
> +			md->phys_addr, (void *)md->virt_addr,
> +			prot & __pgprot(PTE_RDONLY) ? '-' : 'W',
> +			prot & __pgprot(PTE_PXN) ? '-' : 'X');

You can't manipulate pgprot_t directly like that. It will
break STRICT_MM_TYPECHECKS. You need to use __pgprot_modify()
and/or pgprot_val().

arch/arm64/kernel/efi.c: In function ‘efi_virtmap_init’:
arch/arm64/kernel/efi.c:266:10: error: invalid operands to binary | (have ‘pgprot_t’ and ‘pgprot_t’)
     prot |= __pgprot(PTE_RDONLY);
          ^
   ...
   
(In trying that, I see there are a number of other places which
need some STRICT_MM_TYPECHECKS fixing)

>  
>  		create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot);
>  	}


* Re: [PATCH 1/2] arm64/efi: base UEFI mapping permissions on region attributes
  2015-06-30 14:50         ` Mark Salter
@ 2015-06-30 14:53             ` Ard Biesheuvel
  -1 siblings, 0 replies; 10+ messages in thread
From: Ard Biesheuvel @ 2015-06-30 14:53 UTC (permalink / raw)
  To: Mark Salter
  Cc: linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r,
	linux-efi-u79uwXL29TY76Z2rM5mHXA, Matt Fleming, Mark Rutland,
	Leif Lindholm, Roy Franz, Laszlo Ersek

On 30 June 2015 at 16:50, Mark Salter <msalter@redhat.com> wrote:
> On Tue, 2015-06-30 at 12:17 +0200, Ard Biesheuvel wrote:
>
>> Currently, we infer the UEFI memory region mapping permissions
>> from the memory region type (i.e., runtime services code are
>> mapped RWX and runtime services data mapped RW-). This appears to
>> work fine but is not entirely UEFI spec compliant. So instead, use
>> the designated permission attributes to decide how these regions
>> should be mapped.
>>
>> Since UEFIv2.5 introduces a new EFI_MEMORY_RO permission attribute,
>> and redefines EFI_MEMORY_WP as a cacheability attribute, use only
>> the former as a read-only attribute. For setting the PXN bit, the
>> corresponding EFI_MEMORY_XP attribute is used.
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>> ---
>>  arch/arm64/kernel/efi.c | 32 +++++++++++++-------
>>  1 file changed, 21 insertions(+), 11 deletions(-)
>>
>> diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
>> index ab21e0d58278..5dcab58d5d30 100644
>> --- a/arch/arm64/kernel/efi.c
>> +++ b/arch/arm64/kernel/efi.c
>> @@ -247,20 +247,30 @@ static bool __init efi_virtmap_init(void)
>>               memrange_efi_to_native(&paddr, &npages);
>>               size = npages << PAGE_SHIFT;
>>
>> -             pr_info("  EFI remap 0x%016llx => %p\n",
>> -                     md->phys_addr, (void *)md->virt_addr);
>> -
>> -             /*
>> -              * Only regions of type EFI_RUNTIME_SERVICES_CODE need to be
>> -              * executable, everything else can be mapped with the XN bits
>> -              * set.
>> -              */
>>               if (!is_normal_ram(md))
>>                       prot = __pgprot(PROT_DEVICE_nGnRE);
>> -             else if (md->type == EFI_RUNTIME_SERVICES_CODE)
>> -                     prot = PAGE_KERNEL_EXEC;
>>               else
>> -                     prot = PAGE_KERNEL;
>> +                     prot = PAGE_KERNEL_EXEC;
>> +
>> +             /*
>> +              * On 64 KB granule kernels, only use strict permissions when
>> +              * the region does not share a 64 KB page frame with another
>> +              * region at either end.
>> +              */
>> +             if (!IS_ENABLED(CONFIG_ARM64_64K_PAGES) ||
>> +                 !(md->virt_addr % PAGE_SIZE ||
>> +                   (md->phys_addr + md->num_pages * EFI_PAGE_SIZE) % PAGE_SIZE)) {
>
> I think this would read easier with:
>
>                     (PAGE_ALIGNED(md->virt_addr) &&
>                       PAGE_ALIGNED(md->phys_addr + md->num_pages * EFI_PAGE_SIZE))) {
>

Yes, good point, I will change that.

>> +
>> +                     if (md->attribute & EFI_MEMORY_RO)
>> +                             prot |= __pgprot(PTE_RDONLY);
>> +                     if (md->attribute & EFI_MEMORY_XP)
>> +                             prot |= __pgprot(PTE_PXN);
>> +             }
>> +
>> +             pr_info("  EFI remap 0x%016llx => %p (R%c%c)\n",
>> +                     md->phys_addr, (void *)md->virt_addr,
>> +                     prot & __pgprot(PTE_RDONLY) ? '-' : 'W',
>> +                     prot & __pgprot(PTE_PXN) ? '-' : 'X');
>
> You can't manipulate pgprot_t directly like that. It will
> break STRICT_MM_TYPECHECKS. You need to use __pgprot_modify()
> and/or pgprot_val().
>
> arch/arm64/kernel/efi.c: In function ‘efi_virtmap_init’:
> arch/arm64/kernel/efi.c:266:10: error: invalid operands to binary | (have ‘pgprot_t’ and ‘pgprot_t’)
>      prot |= __pgprot(PTE_RDONLY);
>           ^
>    ...
>
> (In trying that, I see there are a number of other places which
> need some STRICT_MM_TYPECHECKS fixing)
>

Actually, I had 'prot |= PTE_RDONLY' but then changed it to the above
thinking that it would pass the strict type checks, but apparently not
:-)

I will fix that up as well.

Thanks,
Ard.


>>
>>               create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot);
>>       }
>

>

Yes, good point, I will change that.

>> +
>> +                     if (md->attribute & EFI_MEMORY_RO)
>> +                             prot |= __pgprot(PTE_RDONLY);
>> +                     if (md->attribute & EFI_MEMORY_XP)
>> +                             prot |= __pgprot(PTE_PXN);
>> +             }
>> +
>> +             pr_info("  EFI remap 0x%016llx => %p (R%c%c)\n",
>> +                     md->phys_addr, (void *)md->virt_addr,
>> +                     prot & __pgprot(PTE_RDONLY) ? '-' : 'W',
>> +                     prot & __pgprot(PTE_PXN) ? '-' : 'X');
>
> You can't manipulate pgprot_t directly like that. It will
> break STRICT_MM_TYPECHECKS. You need to use __pgprot_modify()
> and/or pgprot_val().
>
> arch/arm64/kernel/efi.c: In function ‘efi_virtmap_init’:
> arch/arm64/kernel/efi.c:266:10: error: invalid operands to binary | (have ‘pgprot_t’ and ‘pgprot_t’)
>      prot |= __pgprot(PTE_RDONLY);
>           ^
>    ...
>
> (In trying that, I see there are a number of other places which
> need some STRICT_MM_TYPECHECKS fixing)
>

Actually, I had 'prot |= PTE_RDONLY' but then changed it to the above
thinking that it would pass the strict type checks, but apparently not
:-)

I will fix that up as well.

Thanks,
Ard.


>>
>>               create_pgd_mapping(&efi_mm, paddr, md->virt_addr, size, prot);
>>       }
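Review bot: The alignment test under the 64 KB granule comment checks the start of the region with md->virt_addr but the end with md->phys_addr + md->num_pages * EFI_PAGE_SIZE, so the two ends are tested in different address spaces and neither the physical start nor the virtual end is checked. Since the comment is about sharing a 64 KB page frame with a neighbouring region, test both ends against the same address, or extend the comment to say why the virtual and physical offsets within a 64 KB page always agree. The now unconditional 'prot = PAGE_KERNEL_EXEC' for normal RAM also dropped the comment that explained the old XN policy; a short comment stating that regions stay executable unless EFI_MEMORY_XP is set and the region is aligned would document the wider default.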
>
