| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 8 Mar 2020 09:08:35 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: linux-efi@...r.kernel.org, Ingo Molnar <mingo@...nel.org>,
Thomas Gleixner <tglx@...utronix.de>
Cc: Ard Biesheuvel <ardb@...nel.org>, linux-kernel@...r.kernel.org,
Arvind Sankar <nivedita@...m.mit.edu>,
Christoph Hellwig <hch@....de>,
David Hildenbrand <david@...hat.com>,
Davidlohr Bueso <dave@...olabs.net>,
Guenter Roeck <linux@...ck-us.net>,
Heinrich Schuchardt <xypron.glpk@....de>,
Jonathan Corbet <corbet@....net>,
Lukas Bulwahn <lukas.bulwahn@...il.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Nikolai Merinov <n.merinov@...ngo-systems.com>,
Tom Lendacky <thomas.lendacky@....com>,
Vladis Dronov <vdronov@...hat.com>
Subject: [PATCH 04/28] efi/arm: clean EFI stub exit code from cache instead of avoiding it
Commit c7225494b ("efi/arm: Work around missing cache maintenance in
decompressor handover") modified the handover code written in assembler
to work around the missing cache maintenance of the piece of code that
is executed after the MMU and caches are turned off. Due to the fact
that this sequence incorporates a subroutine call, cleaning that code
from the cache is not a matter of simply passing the start and end of
the currently running subroutine into cache_clean_flush(), which is why
instead, the code jumps across into the cleaned copy of the image.
However, this assumes that this copy is executable, and this means we
expect EFI_LOADER_DATA regions to be executable as well, which is not
a reasonable assumption to make, even if this is true for most UEFI
implementations today.
So change this back, and add a cache_clean_flush() call to cover the
remaining code in the subroutine, and any code it may execute in the
context of cache_off().
Signed-off-by: Ard Biesheuvel <ardb@...nel.org>
---
arch/arm/boot/compressed/head.S | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/arch/arm/boot/compressed/head.S b/arch/arm/boot/compressed/head.S
index 36ffbeecd30b..04f77214f050 100644
--- a/arch/arm/boot/compressed/head.S
+++ b/arch/arm/boot/compressed/head.S
@@ -1452,13 +1452,11 @@ ENTRY(efi_enter_kernel)
@ The PE/COFF loader might not have cleaned the code we are
@ running beyond the PoU, and so calling cache_off below from
- @ inside the PE/COFF loader allocated region is unsafe. Let's
- @ assume our own zImage relocation code did a better job, and
- @ jump into its version of this routine before proceeding.
- ldr r1, .Ljmp
- sub r1, r7, r1
- mov pc, r1 @ no mode switch
-0:
+ @ inside the PE/COFF loader allocated region is unsafe unless
+ @ we explicitly clean it to the PoC.
+ adr r0, call_cache_fn @ region of code we will
+ adr r1, 0f @ run with MMU off
+ bl cache_clean_flush
bl cache_off
@ Set parameters for booting zImage according to boot protocol
@@ -1467,10 +1465,10 @@ ENTRY(efi_enter_kernel)
mov r0, #0
mov r1, #0xFFFFFFFF
mov r2, r4
- b __efi_start
+ add r7, r7, #(__efi_start - start)
+ mov pc, r7 @ no mode switch
ENDPROC(efi_enter_kernel)
- .align 2
-.Ljmp: .long start - 0b
+0:
#endif
.align
--
2.17.1
Powered by blists - more mailing lists