From: Demi Marie Obenour <demi@invisiblethingslab.com>
To: Jan Beulich <jbeulich@suse.com>
Cc: "Juergen Gross" <jgross@suse.com>,
"Stefano Stabellini" <sstabellini@kernel.org>,
"Oleksandr Tyshchenko" <oleksandr_tyshchenko@epam.com>,
linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
xen-devel@lists.xenproject.org,
"Marek Marczykowski-Górecki" <marmarek@invisiblethingslab.com>,
"Ard Biesheuvel" <ardb@kernel.org>
Subject: Re: [PATCH v3] Support ESRT in Xen dom0
Date: Thu, 22 Sep 2022 10:55:40 -0400 [thread overview]
Message-ID: <Yyx3hlE/MDBeEdtu@itl-email> (raw)
In-Reply-To: <6f42a382-c5aa-ba16-f330-69a07476e2aa@suse.com>
[-- Attachment #1: Type: text/plain, Size: 3428 bytes --]
On Thu, Sep 22, 2022 at 08:12:14AM +0200, Jan Beulich wrote:
> On 22.09.2022 03:09, Demi Marie Obenour wrote:
> > On Wed, Sep 21, 2022 at 10:34:04PM +0200, Jan Beulich wrote:
> >> On 20.09.2022 18:09, Ard Biesheuvel wrote:
> >>> On Tue, 20 Sept 2022 at 17:54, Jan Beulich <jbeulich@suse.com> wrote:
> >>>>
> >>>> On 20.09.2022 17:36, Ard Biesheuvel wrote:
> >>>>> On Mon, 19 Sept 2022 at 21:33, Demi Marie Obenour
> >>>>> <demi@invisiblethingslab.com> wrote:
> >>>>>>
> >>>>>> fwupd requires access to the EFI System Resource Table (ESRT) to
> >>>>>> discover which firmware can be updated by the OS. Currently, Linux does
> >>>>>> not expose the ESRT when running as a Xen dom0. Therefore, it is not
> >>>>>> possible to use fwupd in a Xen dom0, which is a serious problem for e.g.
> >>>>>> Qubes OS.
> >>>>>>
> >>>>>> Before Xen 4.16, this was not fixable due to hypervisor limitations.
> >>>>>> The UEFI specification requires the ESRT to be in EfiBootServicesData
> >>>>>> memory, which Xen will use for whatever purposes it likes. Therefore,
> >>>>>> Linux cannot safely access the ESRT, as Xen may have overwritten it.
> >>>>>>
> >>>>>> Starting with Xen 4.17, Xen checks if the ESRT is in EfiBootServicesData
> >>>>>> or EfiRuntimeServicesData memory. If the ESRT is in EfiBootServicesData
> >>>>>> memory, Xen allocates some memory of type EfiRuntimeServicesData, copies
> >>>>>> the ESRT to it, and finally replaces the ESRT pointer with a pointer to
> >>>>>> the copy. Since Xen will not clobber EfiRuntimeServicesData memory,
> >>>>>> this ensures that the ESRT can safely be accessed by the OS. It is safe
> >>>>>> to access the ESRT under Xen if, and only if, it is in memory of type
> >>>>>> EfiRuntimeServicesData.
> >>>>>>
> >>>>>
> >>>>> Thanks for the elaborate explanation. This is really helpful.
> >>>>>
> >>>>> So here, you are explaining that the only way for Xen to prevent
> >>>>> itself from potentially clobbering the ESRT is by creating a
> >>>>> completely new allocation?
> >>>>
> >>>> There are surely other ways, e.g. preserving BootServices* regions
> >>>> alongside RuntimeServices* ones. But as the maintainer of the EFI
> >>>> code in Xen I don't view this as a reasonable approach.
> >>>
> >>> Why not?
> >>
> >> Because it's against the intentions the EFI has (or at least had)
> >> for this memory type. Much more than EfiAcpiReclaimMemory this
> >> type is intended for use as ordinary RAM post-boot.
> >
> > What about giving that memory to dom0? dom0’s balloon driver will give
> > anything dom0 doesn’t wind up using back to Xen.
>
> While perhaps in principle possible, this would require special casing
> in Xen. Except for the memory the initrd comes in, we don't directly
> hand memory to Dom0. Instead everything goes through the page allocator
> first. Plus if we really were convinced boot services memory needed
> retaining, then it would also need retaining across kexec (and hence
> shouldn't be left to Dom0 to decide what to do with it).
So how should dom0 handle the various EFI tables other than the ESRT?
Right now most uses of these tables in Linux are not guarded by any
checks for efi_enabled(EFI_MEMMAP) or similar. If some of them are in
EfiBootServicesData memory, they might be corrupted before Linux gets
them.
--
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2022-09-22 14:56 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-19 19:32 [PATCH v3] Support ESRT in Xen dom0 Demi Marie Obenour
2022-09-20 15:36 ` Ard Biesheuvel
2022-09-20 15:54 ` Jan Beulich
2022-09-20 16:09 ` Ard Biesheuvel
2022-09-21 20:34 ` Jan Beulich
2022-09-22 1:09 ` Demi Marie Obenour
2022-09-22 6:12 ` Jan Beulich
2022-09-22 14:55 ` Demi Marie Obenour [this message]
2022-09-22 15:05 ` Ard Biesheuvel
2022-09-22 18:11 ` Demi Marie Obenour
2022-09-22 22:14 ` Ard Biesheuvel
2022-09-22 23:25 ` Demi Marie Obenour
2022-09-23 6:45 ` Ard Biesheuvel
2022-09-22 1:53 ` Demi Marie Obenour
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Yyx3hlE/MDBeEdtu@itl-email \
--to=demi@invisiblethingslab.com \
--cc=ardb@kernel.org \
--cc=jbeulich@suse.com \
--cc=jgross@suse.com \
--cc=linux-efi@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=marmarek@invisiblethingslab.com \
--cc=oleksandr_tyshchenko@epam.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).