efi: Discover BTI support in runtime services regions

ardbiesheuvel · ardbiesheuvel · commit cf1d2ffcc6f1 · 2023-02-04T09:19:02.000+01:00
Add the generic plumbing to detect whether or not the runtime code
regions were constructed with BTI/IBT landing pads by the firmware,
permitting the OS to enable enforcement when mapping these regions into
the OS's address space.

Signed-off-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
Reviewed-by: Kees Cook &lt;keescook@chromium.org&gt;
diff --git a/arch/arm/include/asm/efi.h b/arch/arm/include/asm/efi.h
@@ -20,7 +20,7 @@ void efi_init(void);
 void arm_efi_init(void);
 
 int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md);
-int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);
+int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md, bool);
 
 #define arch_efi_call_virt_setup()	efi_virtmap_load()
 #define arch_efi_call_virt_teardown()	efi_virtmap_unload()
diff --git a/arch/arm/kernel/efi.c b/arch/arm/kernel/efi.c
@@ -23,7 +23,8 @@ static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data)
 }
 
 int __init efi_set_mapping_permissions(struct mm_struct *mm,
-				       efi_memory_desc_t *md)
+				       efi_memory_desc_t *md,
+				       bool ignored)
 {
 	unsigned long base, size;
 
@@ -71,7 +72,7 @@ int __init efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md)
 	 * If stricter permissions were specified, apply them now.
 	 */
 	if (md->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))
-		return efi_set_mapping_permissions(mm, md);
+		return efi_set_mapping_permissions(mm, md, false);
 	return 0;
 }
 
diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h
@@ -27,7 +27,8 @@ bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
 #endif
 
 int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md);
-int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);
+int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md,
+				bool has_bti);
 
 #define arch_efi_call_virt_setup()					\
 ({									\
diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c
@@ -110,7 +110,8 @@ static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data)
 }
 
 int __init efi_set_mapping_permissions(struct mm_struct *mm,
-				       efi_memory_desc_t *md)
+				       efi_memory_desc_t *md,
+				       bool has_bti)
 {
 	BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE &&
 	       md->type != EFI_RUNTIME_SERVICES_DATA);
diff --git a/arch/riscv/include/asm/efi.h b/arch/riscv/include/asm/efi.h
@@ -19,7 +19,7 @@ extern void efi_init(void);
 #endif
 
 int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md);
-int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md);
+int efi_set_mapping_permissions(struct mm_struct *mm, efi_memory_desc_t *md, bool);
 
 #define arch_efi_call_virt_setup()      ({		\
 		sync_kernel_mappings(efi_mm.pgd);	\
diff --git a/arch/riscv/kernel/efi.c b/arch/riscv/kernel/efi.c
@@ -78,7 +78,8 @@ static int __init set_permissions(pte_t *ptep, unsigned long addr, void *data)
 }
 
 int __init efi_set_mapping_permissions(struct mm_struct *mm,
-				       efi_memory_desc_t *md)
+				       efi_memory_desc_t *md,
+				       bool ignored)
 {
 	BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE &&
 	       md->type != EFI_RUNTIME_SERVICES_DATA);
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
@@ -389,7 +389,8 @@ static int __init efi_update_mappings(efi_memory_desc_t *md, unsigned long pf)
 	return err1 || err2;
 }
 
-static int __init efi_update_mem_attr(struct mm_struct *mm, efi_memory_desc_t *md)
+static int __init efi_update_mem_attr(struct mm_struct *mm, efi_memory_desc_t *md,
+				      bool has_ibt)
 {
 	unsigned long pf = 0;
 
diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
@@ -129,6 +129,7 @@ int __init efi_memattr_apply_permissions(struct mm_struct *mm,
 					 efi_memattr_perm_setter fn)
 {
 	efi_memory_attributes_table_t *tbl;
+	bool has_bti = false;
 	int i, ret;
 
 	if (tbl_size <= sizeof(*tbl))
@@ -150,6 +151,10 @@ int __init efi_memattr_apply_permissions(struct mm_struct *mm,
 		return -ENOMEM;
 	}
 
+	if (tbl->version > 1 &&
+	    (tbl->flags & EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD))
+		has_bti = true;
+
 	if (efi_enabled(EFI_DBG))
 		pr_info("Processing EFI Memory Attributes table:\n");
 
@@ -169,7 +174,7 @@ int __init efi_memattr_apply_permissions(struct mm_struct *mm,
 				efi_md_typeattr_format(buf, sizeof(buf), &md));
 
 		if (valid) {
-			ret = fn(mm, &md);
+			ret = fn(mm, &md, has_bti);
 			if (ret)
 				pr_err("Error updating mappings, skipping subsequent md's\n");
 		}
diff --git a/include/linux/efi.h b/include/linux/efi.h
@@ -584,11 +584,15 @@ typedef struct {
 
 #define EFI_INVALID_TABLE_ADDR		(~0UL)
 
+// BIT0 implies that Runtime code includes the forward control flow guard
+// instruction, such as X86 CET-IBT or ARM BTI.
+#define EFI_MEMORY_ATTRIBUTES_FLAGS_RT_FORWARD_CONTROL_FLOW_GUARD	0x1
+
 typedef struct {
 	u32 version;
 	u32 num_entries;
 	u32 desc_size;
-	u32 reserved;
+	u32 flags;
 	efi_memory_desc_t entry[0];
 } efi_memory_attributes_table_t;
 
@@ -751,7 +755,7 @@ extern unsigned long efi_mem_attr_table;
  *                           argument in the page tables referred to by the
  *                           first argument.
  */
-typedef int (*efi_memattr_perm_setter)(struct mm_struct *, efi_memory_desc_t *);
+typedef int (*efi_memattr_perm_setter)(struct mm_struct *, efi_memory_desc_t *, bool);
 
 extern int efi_memattr_init(void);
 extern int efi_memattr_apply_permissions(struct mm_struct *mm,

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,8 @@ static int __init set_permissions(pte_t ptep, unsigned long addr, void data)`
`23`	`23`	`}`
`24`	`24`
`25`	`25`	`int __init efi_set_mapping_permissions(struct mm_struct *mm,`
`26`		`- efi_memory_desc_t *md)`
	`26`	`+ efi_memory_desc_t *md,`
	`27`	`+ bool ignored)`
`27`	`28`	`{`
`28`	`29`	`unsigned long base, size;`
`29`	`30`
`@@ -71,7 +72,7 @@ int __init efi_create_mapping(struct mm_struct mm, efi_memory_desc_t md)`
`71`	`72`	`* If stricter permissions were specified, apply them now.`
`72`	`73`	`*/`
`73`	`74`	`if (md->attribute & (EFI_MEMORY_RO \| EFI_MEMORY_XP))`
`74`		`- return efi_set_mapping_permissions(mm, md);`
	`75`	`+ return efi_set_mapping_permissions(mm, md, false);`
`75`	`76`	`return 0;`
`76`	`77`	`}`
`77`	`78`
Original file line number	Diff line number	Diff line change
`@@ -110,7 +110,8 @@ static int __init set_permissions(pte_t ptep, unsigned long addr, void data)`
`110`	`110`	`}`
`111`	`111`
`112`	`112`	`int __init efi_set_mapping_permissions(struct mm_struct *mm,`
`113`		`- efi_memory_desc_t *md)`
	`113`	`+ efi_memory_desc_t *md,`
	`114`	`+ bool has_bti)`
`114`	`115`	`{`
`115`	`116`	`BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE &&`
`116`	`117`	`md->type != EFI_RUNTIME_SERVICES_DATA);`
Original file line number	Diff line number	Diff line change
`@@ -78,7 +78,8 @@ static int __init set_permissions(pte_t ptep, unsigned long addr, void data)`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`int __init efi_set_mapping_permissions(struct mm_struct *mm,`
`81`		`- efi_memory_desc_t *md)`
	`81`	`+ efi_memory_desc_t *md,`
	`82`	`+ bool ignored)`
`82`	`83`	`{`
`83`	`84`	`BUG_ON(md->type != EFI_RUNTIME_SERVICES_CODE &&`
`84`	`85`	`md->type != EFI_RUNTIME_SERVICES_DATA);`
Original file line number	Diff line number	Diff line change
`@@ -389,7 +389,8 @@ static int __init efi_update_mappings(efi_memory_desc_t *md, unsigned long pf)`
`389`	`389`	`return err1 \|\| err2;`
`390`	`390`	`}`
`391`	`391`
`392`		`-static int __init efi_update_mem_attr(struct mm_struct mm, efi_memory_desc_t md)`
	`392`	`+static int __init efi_update_mem_attr(struct mm_struct mm, efi_memory_desc_t md,`
	`393`	`+ bool has_ibt)`
`393`	`394`	`{`
`394`	`395`	`unsigned long pf = 0;`
`395`	`396`