lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3671fd52-6034-7149-ebe4-f7560c0dc6b0@suse.com>
Date:   Wed, 21 Sep 2022 22:34:04 +0200
From:   Jan Beulich <jbeulich@...e.com>
To:     Ard Biesheuvel <ardb@...nel.org>,
        Demi Marie Obenour <demi@...isiblethingslab.com>
Cc:     Juergen Gross <jgross@...e.com>,
        Stefano Stabellini <sstabellini@...nel.org>,
        Oleksandr Tyshchenko <oleksandr_tyshchenko@...m.com>,
        linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org,
        xen-devel@...ts.xenproject.org
Subject: Re: [PATCH v3] Support ESRT in Xen dom0

On 20.09.2022 18:09, Ard Biesheuvel wrote:
> On Tue, 20 Sept 2022 at 17:54, Jan Beulich <jbeulich@...e.com> wrote:
>>
>> On 20.09.2022 17:36, Ard Biesheuvel wrote:
>>> On Mon, 19 Sept 2022 at 21:33, Demi Marie Obenour
>>> <demi@...isiblethingslab.com> wrote:
>>>>
>>>> fwupd requires access to the EFI System Resource Table (ESRT) to
>>>> discover which firmware can be updated by the OS.  Currently, Linux does
>>>> not expose the ESRT when running as a Xen dom0.  Therefore, it is not
>>>> possible to use fwupd in a Xen dom0, which is a serious problem for e.g.
>>>> Qubes OS.
>>>>
>>>> Before Xen 4.16, this was not fixable due to hypervisor limitations.
>>>> The UEFI specification requires the ESRT to be in EfiBootServicesData
>>>> memory, which Xen will use for whatever purposes it likes.  Therefore,
>>>> Linux cannot safely access the ESRT, as Xen may have overwritten it.
>>>>
>>>> Starting with Xen 4.17, Xen checks if the ESRT is in EfiBootServicesData
>>>> or EfiRuntimeServicesData memory.  If the ESRT is in EfiBootServicesData
>>>> memory, Xen allocates some memory of type EfiRuntimeServicesData, copies
>>>> the ESRT to it, and finally replaces the ESRT pointer with a pointer to
>>>> the copy.  Since Xen will not clobber EfiRuntimeServicesData memory,
>>>> this ensures that the ESRT can safely be accessed by the OS.  It is safe
>>>> to access the ESRT under Xen if, and only if, it is in memory of type
>>>> EfiRuntimeServicesData.
>>>>
>>>
>>> Thanks for the elaborate explanation. This is really helpful.
>>>
>>> So here, you are explaining that the only way for Xen to prevent
>>> itself from potentially clobbering the ESRT is by creating a
>>> completely new allocation?
>>
>> There are surely other ways, e.g. preserving BootServices* regions
>> alongside RuntimeServices* ones. But as the maintainer of the EFI
>> code in Xen I don't view this as a reasonable approach.
> 
> Why not?

Because it's against the intentions the EFI has (or at least had)
for this memory type. Much more than EfiAcpiReclaimMemory this
type is intended for use as ordinary RAM post-boot.

>>> TBH I still don't think this is a scalable approach. There are other
>>> configuration tables that may be passed in EFI boot services memory,
>>> and MS especially were pushing back in the UEFI forum on adding table
>>> types that were passed in anything other the EfiBootServicesData.
>>
>> Within Xen we might abstract the approach currently implemented in
>> case more such pieces of data appear.
>>
>> While I can easily believe MS might be advocating for this model,
>> I view it as problematic not only for Xen. How would you pass on
>> this information across kexec, for example, without introducing
>> further producer-consumer dependencies requiring separate protocols
>> to be followed?
>>
> 
> In this case, I don't think this is unreasonable for configuration
> tables, which only have a GUID and a base address. If the OS knows the
> GUID, and knows how to interpret the contents, it can decide for
> itself whether or not to preserve it. If it doesn't know the GUID, the
> memory is just treated as available memory [after EBS()]
> 
> I personally think reclaimable memory is more suitable for these
> cases, which is why I am willing to consider that as well. Note that
> the EFI spec now also mandates device trees on ARM to be passed via
> EfiAcpiReclaimMemory, simply because it is the memory type suitable
> for firmware tables that only the OS consumes.

We do preserve EfiAcpiReclaimMemory, for the simple reason that with
Xen "the OS" is ambiguous: Is that Xen or Dom0? Most of ACPI is
handled by Dom0, so we can't very well discard the data before Dom0
starts. (This then also matters for what you've said in the earlier
paragraph. In particular the sets of known GUIDs may be dissimilar
for Xen and the Dom0 kernel. Considering your other remark about
fragmentation you might agree that preserving in-place is not very
desirable.)

Especially with DT mandated to use EfiAcpiReclaimMemory I'm willing
to consider using that type for the storing of ESRT (and whatever
else may appear along these lines). Demi, you may want to check for
both types in your Linux side patch ...

Jan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ