[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20240311161111.3268190-4-eric.snowberg@oracle.com>
Date: Mon, 11 Mar 2024 12:11:06 -0400
From: Eric Snowberg <eric.snowberg@...cle.com>
To: linux-security-module@...r.kernel.org
Cc: dhowells@...hat.com, dwmw2@...radead.org, herbert@...dor.apana.org.au,
davem@...emloft.net, ardb@...nel.org, jarkko@...nel.org,
paul@...l-moore.com, jmorris@...ei.org, serge@...lyn.com,
zohar@...ux.ibm.com, roberto.sassu@...wei.com,
dmitry.kasatkin@...il.com, mic@...ikod.net, casey@...aufler-ca.com,
stefanb@...ux.ibm.com, eric.snowberg@...cle.com,
linux-kernel@...r.kernel.org, keyrings@...r.kernel.org,
linux-crypto@...r.kernel.org, linux-efi@...r.kernel.org,
linux-integrity@...r.kernel.org
Subject: [PATCH RFC 3/8] efi: Make clavis boot param persist across kexec
Add the ability for the clavis boot param to persist across kexec. This is
done by creating a RT variable before ExitBootServices is called. The new
variable is called Clavis with a new GUID
193ccef6-348b-4f1f-a81b-0ea4b899dbf2. This variable does not have NVRAM
set, signifying it was created during the Boot Services phase. This
variable will persist across a kexec, however it will not persist across
a power on reset. This same type of functionality is currently used
within EFI shim to mirror MOK variables into the kernel. It is being used
here so the clavis boot param can not be changed via kexec. If a different
clavis boot param is used, the one stored in the RT variable will be used
instead. Enforcement of which boot param to use will be done in a follow
on patch.
Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
---
drivers/firmware/efi/Kconfig | 12 +++++++
drivers/firmware/efi/libstub/Makefile | 1 +
drivers/firmware/efi/libstub/clavis.c | 33 +++++++++++++++++++
.../firmware/efi/libstub/efi-stub-helper.c | 2 ++
drivers/firmware/efi/libstub/efi-stub.c | 2 ++
drivers/firmware/efi/libstub/efistub.h | 8 +++++
drivers/firmware/efi/libstub/x86-stub.c | 2 ++
include/linux/efi.h | 1 +
8 files changed, 61 insertions(+)
create mode 100644 drivers/firmware/efi/libstub/clavis.c
diff --git a/drivers/firmware/efi/Kconfig b/drivers/firmware/efi/Kconfig
index 72f2537d90ca..8dcb5326d05d 100644
--- a/drivers/firmware/efi/Kconfig
+++ b/drivers/firmware/efi/Kconfig
@@ -186,6 +186,18 @@ config RESET_ATTACK_MITIGATION
have been evicted, since otherwise it will trigger even on clean
reboots.
+config EARLY_CLAVIS
+ bool "Early clavis"
+ depends on EFI_STUB
+ help
+ Allow the clavis boot param to persist across kexec. This will create a
+ variable called Clavis with a 193ccef6-348b-4f1f-a81b-0ea4b899dbf2 GUID.
+ This variable does not have NVRAM set, signifying it was created during
+ the Boot Services phase. This variable will persist across a kexec,
+ however it will not persist across a power on reset. During kexec, if
+ a different clavis boot param is used, the one stored in the RT variable
+ will be used instead.
+
config EFI_RCI2_TABLE
bool "EFI Runtime Configuration Interface Table Version 2 Support"
depends on X86 || COMPILE_TEST
diff --git a/drivers/firmware/efi/libstub/Makefile b/drivers/firmware/efi/libstub/Makefile
index 06964a3c130f..c4aef94d877a 100644
--- a/drivers/firmware/efi/libstub/Makefile
+++ b/drivers/firmware/efi/libstub/Makefile
@@ -85,6 +85,7 @@ $(obj)/lib-%.o: $(srctree)/lib/%.c FORCE
lib-$(CONFIG_EFI_GENERIC_STUB) += efi-stub.o string.o intrinsics.o systable.o \
screen_info.o efi-stub-entry.o
+lib-$(CONFIG_EARLY_CLAVIS) += clavis.o
lib-$(CONFIG_ARM) += arm32-stub.o
lib-$(CONFIG_ARM64) += kaslr.o arm64.o arm64-stub.o smbios.o
lib-$(CONFIG_X86) += x86-stub.o
diff --git a/drivers/firmware/efi/libstub/clavis.c b/drivers/firmware/efi/libstub/clavis.c
new file mode 100644
index 000000000000..3a715e87a13a
--- /dev/null
+++ b/drivers/firmware/efi/libstub/clavis.c
@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/efi.h>
+#include <asm/efi.h>
+#include "efistub.h"
+
+#define MAX_PARAM_LENGTH 64
+static const efi_char16_t clavis_param_name[] = L"Clavis";
+static const efi_guid_t clavis_guid = LINUX_EFI_CLAVIS_GUID;
+static unsigned char param_data[MAX_PARAM_LENGTH];
+static size_t param_len;
+
+void efi_parse_clavis(char *option)
+{
+ if (!option)
+ return;
+
+ param_len = strnlen(option, MAX_PARAM_LENGTH);
+ memcpy(param_data, option, param_len);
+}
+
+void efi_setup_clavis(void)
+{
+ efi_status_t error;
+
+ if (param_len) {
+ error = set_efi_var(clavis_param_name, &clavis_guid,
+ EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS,
+ param_len, ¶m_data);
+ }
+
+ if (error)
+ efi_err("Failed to set Clavis\n");
+}
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index bfa30625f5d0..0d9c6ac0a652 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -91,6 +91,8 @@ efi_status_t efi_parse_options(char const *cmdline)
} else if (!strcmp(param, "video") &&
val && strstarts(val, "efifb:")) {
efi_parse_option_graphics(val + strlen("efifb:"));
+ } else if (!strcmp(param, "clavis") && val) {
+ efi_parse_clavis(val);
}
}
efi_bs_call(free_pool, buf);
diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c
index f9c1e8a2bd1d..16e50a124ce1 100644
--- a/drivers/firmware/efi/libstub/efi-stub.c
+++ b/drivers/firmware/efi/libstub/efi-stub.c
@@ -183,6 +183,8 @@ efi_status_t efi_stub_common(efi_handle_t handle,
install_memreserve_table();
+ efi_setup_clavis();
+
status = efi_boot_kernel(handle, image, image_addr, cmdline_ptr);
free_screen_info(si);
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 212687c30d79..81a1f013f483 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -1060,6 +1060,14 @@ static inline void
efi_enable_reset_attack_mitigation(void) { }
#endif
+#ifdef CONFIG_EARLY_CLAVIS
+void efi_parse_clavis(char *option);
+void efi_setup_clavis(void);
+#else
+static inline void efi_parse_clavis(char *option) { }
+static inline void efi_setup_clavis(void) { }
+#endif
+
void efi_retrieve_tpm2_eventlog(void);
struct screen_info *alloc_screen_info(void);
diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
index 0d510c9a06a4..08bd6224d17a 100644
--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -928,6 +928,8 @@ void __noreturn efi_stub_entry(efi_handle_t handle,
setup_unaccepted_memory();
+ efi_setup_clavis();
+
status = exit_boot(boot_params, handle);
if (status != EFI_SUCCESS) {
efi_err("exit_boot() failed!\n");
diff --git a/include/linux/efi.h b/include/linux/efi.h
index c74f47711f0b..d0fe291d433e 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -420,6 +420,7 @@ void efi_native_runtime_setup(void);
#define LINUX_EFI_UNACCEPTED_MEM_TABLE_GUID EFI_GUID(0xd5d1de3c, 0x105c, 0x44f9, 0x9e, 0xa9, 0xbc, 0xef, 0x98, 0x12, 0x00, 0x31)
#define RISCV_EFI_BOOT_PROTOCOL_GUID EFI_GUID(0xccd15fec, 0x6f73, 0x4eec, 0x83, 0x95, 0x3e, 0x69, 0xe4, 0xb9, 0x40, 0xbf)
+#define LINUX_EFI_CLAVIS_GUID EFI_GUID(0x193ccef6, 0x348b, 0x4f1f, 0xa8, 0x1b, 0x0e, 0xa4, 0xb8, 0x99, 0xdb, 0xf2)
/*
* This GUID may be installed onto the kernel image's handle as a NULL protocol
--
2.39.3
Powered by blists - more mailing lists