| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251204072143.3636863-3-sohil.mehta@intel.com>
Date: Wed, 3 Dec 2025 23:21:42 -0800
From: Sohil Mehta <sohil.mehta@...el.com>
To: x86@...nel.org,
Dave Hansen <dave.hansen@...ux.intel.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>,
Borislav Petkov <bp@...en8.de>,
Ard Biesheuvel <ardb@...nel.org>
Cc: "H . Peter Anvin" <hpa@...or.com>,
Andy Lutomirski <luto@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Kiryl Shutsemau <kas@...nel.org>,
Sohil Mehta <sohil.mehta@...el.com>,
Rick Edgecombe <rick.p.edgecombe@...el.com>,
Andrew Cooper <andrew.cooper3@...rix.com>,
Tony Luck <tony.luck@...el.com>,
Alexander Shishkin <alexander.shishkin@...ux.intel.com>,
linux-kernel@...r.kernel.org,
linux-efi@...r.kernel.org
Subject: [PATCH 2/3] x86/efi: Make runtime services compatible with LASS
Ideally, EFI runtime services should switch to kernel virtual addresses
after SetVirtualAddressMap(). However, firmware implementations are
known to be buggy in this regard and continue to access physical
addresses. The kernel maintains a 1:1 mapping of all runtime services
code and data regions to avoid breaking such firmware.
LASS enforcement relies on bit 63 of the virtual address, which would
block such accesses to the lower half. Unfortunately, not doing anything
could lead to #GP faults when users update to a kernel with LASS
enabled.
One option is to use a STAC/CLAC pair to temporarily disable LASS data
enforcement. However, there is no guarantee that the stray accesses
would only touch data and not perform instruction fetches. Also, relying
on the AC bit would depend on the runtime calls preserving RFLAGS, which
is highly unlikely in practice.
Instead, use the big hammer and switch off the entire LASS mechanism
temporarily by clearing CR4.LASS. Do this right after switching to
efi_mm (as userspace is not mapped) to minimize the security impact.
Some runtime services can be invoked during boot when LASS isn't active.
Use a global variable (similar to efi_mm) to save and restore the
correct CR4.LASS state. The runtime calls are serialized with the
efi_runtime_lock, so no concurrency issues are expected.
Signed-off-by: Sohil Mehta <sohil.mehta@...el.com>
---
arch/x86/platform/efi/efi_64.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
index b4409df2105a..3d0593d6d54c 100644
--- a/arch/x86/platform/efi/efi_64.c
+++ b/arch/x86/platform/efi/efi_64.c
@@ -55,6 +55,7 @@
*/
static u64 efi_va = EFI_VA_START;
static struct mm_struct *efi_prev_mm;
+static unsigned long efi_cr4_lass;
/*
* We need our own copy of the higher levels of the page tables
@@ -443,16 +444,46 @@ static void efi_leave_mm(void)
unuse_temporary_mm(efi_prev_mm);
}
+/*
+ * Toggle LASS to allow EFI to access any 1:1 mapped region in the lower
+ * half.
+ *
+ * Disable LASS after switching to EFI-mm, as userspace is not mapped in
+ * it. Similar to EFI-mm, they rely on preemption being disabled and the
+ * calls being serialized.
+ */
+
+static void efi_disable_lass(void)
+{
+ if (!cpu_feature_enabled(X86_FEATURE_LASS))
+ return;
+
+ /* Save current CR4.LASS state */
+ efi_cr4_lass = cr4_read_shadow() & X86_CR4_LASS;
+ cr4_clear_bits(efi_cr4_lass);
+}
+
+static void efi_enable_lass(void)
+{
+ if (!cpu_feature_enabled(X86_FEATURE_LASS))
+ return;
+
+ /* Reprogram CR4.LASS only if it was set earlier */
+ cr4_set_bits(efi_cr4_lass);
+}
+
void arch_efi_call_virt_setup(void)
{
efi_sync_low_kernel_mappings();
efi_fpu_begin();
firmware_restrict_branch_speculation_start();
efi_enter_mm();
+ efi_disable_lass();
}
void arch_efi_call_virt_teardown(void)
{
+ efi_enable_lass();
efi_leave_mm();
firmware_restrict_branch_speculation_end();
efi_fpu_end();
--
2.43.0
Powered by blists - more mailing lists