From: Ard Biesheuvel <ardb@kernel.org>
To: linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>
Cc: Ard Biesheuvel <ardb@kernel.org>,
linux-kernel@vger.kernel.org,
Arvind Sankar <nivedita@alum.mit.edu>,
Christoph Hellwig <hch@lst.de>,
David Hildenbrand <david@redhat.com>,
Davidlohr Bueso <dave@stgolabs.net>,
Guenter Roeck <linux@roeck-us.net>,
Heinrich Schuchardt <xypron.glpk@gmx.de>,
Jonathan Corbet <corbet@lwn.net>,
Lukas Bulwahn <lukas.bulwahn@gmail.com>,
Masahiro Yamada <masahiroy@kernel.org>,
Nikolai Merinov <n.merinov@inango-systems.com>,
Tom Lendacky <thomas.lendacky@amd.com>,
Vladis Dronov <vdronov@redhat.com>
Subject: [PATCH 02/28] efi/x86: Add RNG seed EFI table to unencrypted mapping check
Date: Sun, 8 Mar 2020 09:08:33 +0100
Message-ID: <20200308080859.21568-3-ardb@kernel.org>
In-Reply-To: <20200308080859.21568-1-ardb@kernel.org>
From: Tom Lendacky <thomas.lendacky@amd.com>
When booting with SME active, EFI tables must be mapped unencrypted since
they were built by UEFI in unencrypted memory. Update the list of tables
to be checked during early_memremap() processing to account for the EFI
RNG seed table.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Link: https://lore.kernel.org/r/b64385fc13e5d7ad4b459216524f138e7879234f.1582662842.git.thomas.lendacky@amd.com
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
arch/x86/platform/efi/efi.c | 1 +
drivers/firmware/efi/efi.c | 18 ++++++++++--------
include/linux/efi.h | 2 ++
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index 3ce695501681..1aae5302501d 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -90,6 +90,7 @@ static const unsigned long * const efi_tables[] = {
#endif
&efi.tpm_log,
&efi.tpm_final_log,
+ &efi_rng_seed,
};
u64 efi_setup; /* efi setup_data physical address */
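Review bot: efi_tables[] is maintained by hand, separately from common_tables[] in drivers/firmware/efi/efi.c, so a table registered there can be missed here again, as the RNG seed was until this entry. A short comment above efi_tables[] stating that every UEFI-built table the kernel maps needs an entry in this list (or a pointer to it next to common_tables[]) would make the dependency visible to whoever adds the next table.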
diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index f3dda0c82187..5f77cb8756ef 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -46,7 +46,7 @@ struct efi __read_mostly efi = {
};
EXPORT_SYMBOL(efi);
-static unsigned long __ro_after_init rng_seed = EFI_INVALID_TABLE_ADDR;
+unsigned long __ro_after_init efi_rng_seed = EFI_INVALID_TABLE_ADDR;
static unsigned long __initdata mem_reserve = EFI_INVALID_TABLE_ADDR;
static unsigned long __initdata rt_prop = EFI_INVALID_TABLE_ADDR;
@@ -508,7 +508,7 @@ static const efi_config_table_type_t common_tables[] __initconst = {
{SMBIOS3_TABLE_GUID, "SMBIOS 3.0", &efi.smbios3},
{EFI_SYSTEM_RESOURCE_TABLE_GUID, "ESRT", &efi.esrt},
{EFI_MEMORY_ATTRIBUTES_TABLE_GUID, "MEMATTR", &efi_mem_attr_table},
- {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &rng_seed},
+ {LINUX_EFI_RANDOM_SEED_TABLE_GUID, "RNG", &efi_rng_seed},
{LINUX_EFI_TPM_EVENT_LOG_GUID, "TPMEventLog", &efi.tpm_log},
{LINUX_EFI_TPM_FINAL_LOG_GUID, "TPMFinalLog", &efi.tpm_final_log},
{LINUX_EFI_MEMRESERVE_TABLE_GUID, "MEMRESERVE", &mem_reserve},
@@ -576,11 +576,11 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables,
pr_cont("\n");
set_bit(EFI_CONFIG_TABLES, &efi.flags);
- if (rng_seed != EFI_INVALID_TABLE_ADDR) {
+ if (efi_rng_seed != EFI_INVALID_TABLE_ADDR) {
struct linux_efi_random_seed *seed;
u32 size = 0;
- seed = early_memremap(rng_seed, sizeof(*seed));
+ seed = early_memremap(efi_rng_seed, sizeof(*seed));
if (seed != NULL) {
size = seed->size;
early_memunmap(seed, sizeof(*seed));
@@ -588,7 +588,8 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables,
pr_err("Could not map UEFI random seed!\n");
}
if (size > 0) {
- seed = early_memremap(rng_seed, sizeof(*seed) + size);
+ seed = early_memremap(efi_rng_seed,
+ sizeof(*seed) + size);
if (seed != NULL) {
pr_notice("seeding entropy pool\n");
add_bootloader_randomness(seed->bits, seed->size);
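Review bot: in the rewrapped early_memremap(efi_rng_seed, sizeof(*seed) + size) call, size is the value read from the table's seed->size with no upper bound, while update_efi_random_seed() in the same file clamps it with min(seed->size, EFI_RANDOM_SEED_SIZE). Since this line is being touched anyway, consider applying the same clamp here, and passing the local size to add_bootloader_randomness() instead of re-reading seed->size from the mapping, so the length consumed always matches the length mapped.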
@@ -980,7 +981,7 @@ static int update_efi_random_seed(struct notifier_block *nb,
if (!kexec_in_progress)
return NOTIFY_DONE;
- seed = memremap(rng_seed, sizeof(*seed), MEMREMAP_WB);
+ seed = memremap(efi_rng_seed, sizeof(*seed), MEMREMAP_WB);
if (seed != NULL) {
size = min(seed->size, EFI_RANDOM_SEED_SIZE);
memunmap(seed);
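Review bot: the commit message names only early_memremap() as the path that consults the table list, but this memremap(efi_rng_seed, sizeof(*seed), MEMREMAP_WB) call maps the same firmware-built table when kexec_in_progress is set. Please state in the changelog whether the new efi_tables[] entry also makes this mapping unencrypted under SME; if it does not, the refreshed seed would be written through an encrypted view of the page.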
@@ -988,7 +989,8 @@ static int update_efi_random_seed(struct notifier_block *nb,
pr_err("Could not map UEFI random seed!\n");
}
if (size > 0) {
- seed = memremap(rng_seed, sizeof(*seed) + size, MEMREMAP_WB);
+ seed = memremap(efi_rng_seed, sizeof(*seed) + size,
+ MEMREMAP_WB);
if (seed != NULL) {
seed->size = size;
get_random_bytes(seed->bits, seed->size);
@@ -1006,7 +1008,7 @@ static struct notifier_block efi_random_seed_nb = {
static int __init register_update_efi_random_seed(void)
{
- if (rng_seed == EFI_INVALID_TABLE_ADDR)
+ if (efi_rng_seed == EFI_INVALID_TABLE_ADDR)
return 0;
return register_reboot_notifier(&efi_random_seed_nb);
}
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 08186e0f98f1..abfc98e4dfe1 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -526,6 +526,8 @@ typedef struct {
efi_time_t time_of_revocation;
} efi_cert_x509_sha256_t;
+extern unsigned long __ro_after_init efi_rng_seed; /* RNG Seed table */
+
/*
* All runtime access to EFI goes through this structure:
*/
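Review bot: the extern declaration carries __ro_after_init, but the section annotation belongs on the definition, which drivers/firmware/efi/efi.c already has. Suggest declaring it as plain "extern unsigned long efi_rng_seed;" so the header does not have to be kept in sync if the definition's section ever changes.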
--
2.17.1