Commit | Line | Data |
---|---|---|
457c8996 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
26d7f65f MF |
2 | #define pr_fmt(fmt) "efi: " fmt |
3 | ||
eeb9db09 ST |
4 | #include <linux/init.h> |
5 | #include <linux/kernel.h> | |
6 | #include <linux/string.h> | |
7 | #include <linux/time.h> | |
8 | #include <linux/types.h> | |
9 | #include <linux/efi.h> | |
10 | #include <linux/slab.h> | |
11 | #include <linux/memblock.h> | |
44be28e9 | 12 | #include <linux/acpi.h> |
d394f2d9 | 13 | #include <linux/dmi.h> |
5520b7e7 IM |
14 | |
15 | #include <asm/e820/api.h> | |
eeb9db09 ST |
16 | #include <asm/efi.h> |
17 | #include <asm/uv/uv.h> | |
2959c95d | 18 | #include <asm/cpu_device_id.h> |
e71b6f0b | 19 | #include <asm/realmode.h> |
3425d934 | 20 | #include <asm/reboot.h> |
eeb9db09 ST |
21 | |
22 | #define EFI_MIN_RESERVE 5120 | |
23 | ||
24 | #define EFI_DUMMY_GUID \ | |
25 | EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, 0xa9) | |
26 | ||
2959c95d JK |
27 | #define QUARK_CSH_SIGNATURE 0x5f435348 /* _CSH */ |
28 | #define QUARK_SECURITY_HEADER_SIZE 0x400 | |
29 | ||
30 | /* | |
31 | * Header prepended to the standard EFI capsule on Quark systems the are based | |
32 | * on Intel firmware BSP. | |
33 | * @csh_signature: Unique identifier to sanity check signed module | |
34 | * presence ("_CSH"). | |
35 | * @version: Current version of CSH used. Should be one for Quark A0. | |
36 | * @modulesize: Size of the entire module including the module header | |
37 | * and payload. | |
38 | * @security_version_number_index: Index of SVN to use for validation of signed | |
39 | * module. | |
40 | * @security_version_number: Used to prevent against roll back of modules. | |
41 | * @rsvd_module_id: Currently unused for Clanton (Quark). | |
42 | * @rsvd_module_vendor: Vendor Identifier. For Intel products value is | |
43 | * 0x00008086. | |
44 | * @rsvd_date: BCD representation of build date as yyyymmdd, where | |
45 | * yyyy=4 digit year, mm=1-12, dd=1-31. | |
46 | * @headersize: Total length of the header including including any | |
47 | * padding optionally added by the signing tool. | |
48 | * @hash_algo: What Hash is used in the module signing. | |
49 | * @cryp_algo: What Crypto is used in the module signing. | |
50 | * @keysize: Total length of the key data including including any | |
51 | * padding optionally added by the signing tool. | |
52 | * @signaturesize: Total length of the signature including including any | |
53 | * padding optionally added by the signing tool. | |
54 | * @rsvd_next_header: 32-bit pointer to the next Secure Boot Module in the | |
55 | * chain, if there is a next header. | |
56 | * @rsvd: Reserved, padding structure to required size. | |
57 | * | |
58 | * See also QuartSecurityHeader_t in | |
59 | * Quark_EDKII_v1.2.1.1/QuarkPlatformPkg/Include/QuarkBootRom.h | |
60 | * from https://downloadcenter.intel.com/download/23197/Intel-Quark-SoC-X1000-Board-Support-Package-BSP | |
61 | */ | |
62 | struct quark_security_header { | |
63 | u32 csh_signature; | |
64 | u32 version; | |
65 | u32 modulesize; | |
66 | u32 security_version_number_index; | |
67 | u32 security_version_number; | |
68 | u32 rsvd_module_id; | |
69 | u32 rsvd_module_vendor; | |
70 | u32 rsvd_date; | |
71 | u32 headersize; | |
72 | u32 hash_algo; | |
73 | u32 cryp_algo; | |
74 | u32 keysize; | |
75 | u32 signaturesize; | |
76 | u32 rsvd_next_header; | |
77 | u32 rsvd[2]; | |
78 | }; | |
79 | ||
36b64976 | 80 | static const efi_char16_t efi_dummy_name[] = L"DUMMY"; |
eeb9db09 ST |
81 | |
82 | static bool efi_no_storage_paranoia; | |
83 | ||
84 | /* | |
85 | * Some firmware implementations refuse to boot if there's insufficient | |
86 | * space in the variable store. The implementation of garbage collection | |
87 | * in some FW versions causes stale (deleted) variables to take up space | |
88 | * longer than intended and space is only freed once the store becomes | |
89 | * almost completely full. | |
90 | * | |
91 | * Enabling this option disables the space checks in | |
92 | * efi_query_variable_store() and forces garbage collection. | |
93 | * | |
94 | * Only enable this option if deleting EFI variables does not free up | |
95 | * space in your variable store, e.g. if despite deleting variables | |
96 | * you're unable to create new ones. | |
97 | */ | |
98 | static int __init setup_storage_paranoia(char *arg) | |
99 | { | |
100 | efi_no_storage_paranoia = true; | |
101 | return 0; | |
102 | } | |
103 | early_param("efi_no_storage_paranoia", setup_storage_paranoia); | |
104 | ||
105 | /* | |
106 | * Deleting the dummy variable which kicks off garbage collection | |
107 | */ | |
108 | void efi_delete_dummy_variable(void) | |
109 | { | |
5a58bc1b SP |
110 | efi.set_variable_nonblocking((efi_char16_t *)efi_dummy_name, |
111 | &EFI_DUMMY_GUID, | |
112 | EFI_VARIABLE_NON_VOLATILE | | |
113 | EFI_VARIABLE_BOOTSERVICE_ACCESS | | |
114 | EFI_VARIABLE_RUNTIME_ACCESS, 0, NULL); | |
eeb9db09 ST |
115 | } |
116 | ||
ca0e30dc AB |
117 | /* |
118 | * In the nonblocking case we do not attempt to perform garbage | |
119 | * collection if we do not have enough free space. Rather, we do the | |
120 | * bare minimum check and give up immediately if the available space | |
121 | * is below EFI_MIN_RESERVE. | |
122 | * | |
123 | * This function is intended to be small and simple because it is | |
124 | * invoked from crash handler paths. | |
125 | */ | |
126 | static efi_status_t | |
127 | query_variable_store_nonblocking(u32 attributes, unsigned long size) | |
128 | { | |
129 | efi_status_t status; | |
130 | u64 storage_size, remaining_size, max_size; | |
131 | ||
132 | status = efi.query_variable_info_nonblocking(attributes, &storage_size, | |
133 | &remaining_size, | |
134 | &max_size); | |
135 | if (status != EFI_SUCCESS) | |
136 | return status; | |
137 | ||
138 | if (remaining_size - size < EFI_MIN_RESERVE) | |
139 | return EFI_OUT_OF_RESOURCES; | |
140 | ||
141 | return EFI_SUCCESS; | |
142 | } | |
143 | ||
eeb9db09 ST |
144 | /* |
145 | * Some firmware implementations refuse to boot if there's insufficient space | |
146 | * in the variable store. Ensure that we never use more than a safe limit. | |
147 | * | |
148 | * Return EFI_SUCCESS if it is safe to write 'size' bytes to the variable | |
149 | * store. | |
150 | */ | |
ca0e30dc AB |
151 | efi_status_t efi_query_variable_store(u32 attributes, unsigned long size, |
152 | bool nonblocking) | |
eeb9db09 ST |
153 | { |
154 | efi_status_t status; | |
155 | u64 storage_size, remaining_size, max_size; | |
156 | ||
157 | if (!(attributes & EFI_VARIABLE_NON_VOLATILE)) | |
158 | return 0; | |
159 | ||
ca0e30dc AB |
160 | if (nonblocking) |
161 | return query_variable_store_nonblocking(attributes, size); | |
162 | ||
eeb9db09 ST |
163 | status = efi.query_variable_info(attributes, &storage_size, |
164 | &remaining_size, &max_size); | |
165 | if (status != EFI_SUCCESS) | |
166 | return status; | |
167 | ||
168 | /* | |
169 | * We account for that by refusing the write if permitting it would | |
170 | * reduce the available space to under 5KB. This figure was provided by | |
171 | * Samsung, so should be safe. | |
172 | */ | |
173 | if ((remaining_size - size < EFI_MIN_RESERVE) && | |
174 | !efi_no_storage_paranoia) { | |
175 | ||
176 | /* | |
177 | * Triggering garbage collection may require that the firmware | |
178 | * generate a real EFI_OUT_OF_RESOURCES error. We can force | |
179 | * that by attempting to use more space than is available. | |
180 | */ | |
181 | unsigned long dummy_size = remaining_size + 1024; | |
9f66d8d7 | 182 | void *dummy = kzalloc(dummy_size, GFP_KERNEL); |
eeb9db09 ST |
183 | |
184 | if (!dummy) | |
185 | return EFI_OUT_OF_RESOURCES; | |
186 | ||
36b64976 AB |
187 | status = efi.set_variable((efi_char16_t *)efi_dummy_name, |
188 | &EFI_DUMMY_GUID, | |
eeb9db09 ST |
189 | EFI_VARIABLE_NON_VOLATILE | |
190 | EFI_VARIABLE_BOOTSERVICE_ACCESS | | |
191 | EFI_VARIABLE_RUNTIME_ACCESS, | |
192 | dummy_size, dummy); | |
193 | ||
194 | if (status == EFI_SUCCESS) { | |
195 | /* | |
196 | * This should have failed, so if it didn't make sure | |
197 | * that we delete it... | |
198 | */ | |
199 | efi_delete_dummy_variable(); | |
200 | } | |
201 | ||
202 | kfree(dummy); | |
203 | ||
204 | /* | |
205 | * The runtime code may now have triggered a garbage collection | |
206 | * run, so check the variable info again | |
207 | */ | |
208 | status = efi.query_variable_info(attributes, &storage_size, | |
209 | &remaining_size, &max_size); | |
210 | ||
211 | if (status != EFI_SUCCESS) | |
212 | return status; | |
213 | ||
214 | /* | |
215 | * There still isn't enough room, so return an error | |
216 | */ | |
217 | if (remaining_size - size < EFI_MIN_RESERVE) | |
218 | return EFI_OUT_OF_RESOURCES; | |
219 | } | |
220 | ||
221 | return EFI_SUCCESS; | |
222 | } | |
223 | EXPORT_SYMBOL_GPL(efi_query_variable_store); | |
224 | ||
816e7612 MF |
225 | /* |
226 | * The UEFI specification makes it clear that the operating system is | |
227 | * free to do whatever it wants with boot services code after | |
228 | * ExitBootServices() has been called. Ignoring this recommendation a | |
229 | * significant bunch of EFI implementations continue calling into boot | |
230 | * services code (SetVirtualAddressMap). In order to work around such | |
231 | * buggy implementations we reserve boot services region during EFI | |
232 | * init and make sure it stays executable. Then, after | |
233 | * SetVirtualAddressMap(), it is discarded. | |
234 | * | |
235 | * However, some boot services regions contain data that is required | |
236 | * by drivers, so we need to track which memory ranges can never be | |
237 | * freed. This is done by tagging those regions with the | |
238 | * EFI_MEMORY_RUNTIME attribute. | |
239 | * | |
240 | * Any driver that wants to mark a region as reserved must use | |
241 | * efi_mem_reserve() which will insert a new EFI memory descriptor | |
242 | * into efi.memmap (splitting existing regions if necessary) and tag | |
243 | * it with EFI_MEMORY_RUNTIME. | |
244 | */ | |
245 | void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size) | |
246 | { | |
1db91035 | 247 | struct efi_memory_map_data data = { 0 }; |
816e7612 MF |
248 | struct efi_mem_range mr; |
249 | efi_memory_desc_t md; | |
250 | int num_entries; | |
251 | void *new; | |
252 | ||
7e1550b8 AB |
253 | if (efi_mem_desc_lookup(addr, &md) || |
254 | md.type != EFI_BOOT_SERVICES_DATA) { | |
816e7612 MF |
255 | pr_err("Failed to lookup EFI memory descriptor for %pa\n", &addr); |
256 | return; | |
257 | } | |
258 | ||
259 | if (addr + size > md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT)) { | |
260 | pr_err("Region spans EFI memory descriptors, %pa\n", &addr); | |
261 | return; | |
262 | } | |
263 | ||
92dc3350 MF |
264 | size += addr % EFI_PAGE_SIZE; |
265 | size = round_up(size, EFI_PAGE_SIZE); | |
266 | addr = round_down(addr, EFI_PAGE_SIZE); | |
267 | ||
816e7612 | 268 | mr.range.start = addr; |
92dc3350 | 269 | mr.range.end = addr + size - 1; |
816e7612 MF |
270 | mr.attribute = md.attribute | EFI_MEMORY_RUNTIME; |
271 | ||
272 | num_entries = efi_memmap_split_count(&md, &mr.range); | |
273 | num_entries += efi.memmap.nr_map; | |
274 | ||
1db91035 | 275 | if (efi_memmap_alloc(num_entries, &data) != 0) { |
816e7612 MF |
276 | pr_err("Could not allocate boot services memmap\n"); |
277 | return; | |
278 | } | |
279 | ||
1db91035 | 280 | new = early_memremap(data.phys_map, data.size); |
816e7612 MF |
281 | if (!new) { |
282 | pr_err("Failed to map new boot services memmap\n"); | |
283 | return; | |
284 | } | |
285 | ||
286 | efi_memmap_insert(&efi.memmap, new, &mr); | |
1db91035 | 287 | early_memunmap(new, data.size); |
816e7612 | 288 | |
1db91035 | 289 | efi_memmap_install(&data); |
af164898 DY |
290 | e820__range_update(addr, size, E820_TYPE_RAM, E820_TYPE_RESERVED); |
291 | e820__update_table(e820_table); | |
816e7612 MF |
292 | } |
293 | ||
452308de MF |
294 | /* |
295 | * Helper function for efi_reserve_boot_services() to figure out if we | |
296 | * can free regions in efi_free_boot_services(). | |
297 | * | |
298 | * Use this function to ensure we do not free regions owned by somebody | |
299 | * else. We must only reserve (and then free) regions: | |
300 | * | |
301 | * - Not within any part of the kernel | |
09821ff1 | 302 | * - Not the BIOS reserved area (E820_TYPE_RESERVED, E820_TYPE_NVS, etc) |
452308de | 303 | */ |
8fe55212 | 304 | static __init bool can_free_region(u64 start, u64 size) |
452308de MF |
305 | { |
306 | if (start + size > __pa_symbol(_text) && start <= __pa_symbol(_end)) | |
307 | return false; | |
308 | ||
09821ff1 | 309 | if (!e820__mapped_all(start, start+size, E820_TYPE_RAM)) |
452308de MF |
310 | return false; |
311 | ||
312 | return true; | |
313 | } | |
314 | ||
eeb9db09 ST |
315 | void __init efi_reserve_boot_services(void) |
316 | { | |
78ce248f | 317 | efi_memory_desc_t *md; |
eeb9db09 | 318 | |
6950e31b DW |
319 | if (!efi_enabled(EFI_MEMMAP)) |
320 | return; | |
321 | ||
78ce248f | 322 | for_each_efi_memory_desc(md) { |
eeb9db09 ST |
323 | u64 start = md->phys_addr; |
324 | u64 size = md->num_pages << EFI_PAGE_SHIFT; | |
452308de | 325 | bool already_reserved; |
eeb9db09 ST |
326 | |
327 | if (md->type != EFI_BOOT_SERVICES_CODE && | |
328 | md->type != EFI_BOOT_SERVICES_DATA) | |
329 | continue; | |
452308de MF |
330 | |
331 | already_reserved = memblock_is_region_reserved(start, size); | |
332 | ||
333 | /* | |
334 | * Because the following memblock_reserve() is paired | |
53ab85eb | 335 | * with memblock_free_late() for this region in |
452308de MF |
336 | * efi_free_boot_services(), we must be extremely |
337 | * careful not to reserve, and subsequently free, | |
338 | * critical regions of memory (like the kernel image) or | |
339 | * those regions that somebody else has already | |
340 | * reserved. | |
341 | * | |
342 | * A good example of a critical region that must not be | |
343 | * freed is page zero (first 4Kb of memory), which may | |
344 | * contain boot services code/data but is marked | |
09821ff1 | 345 | * E820_TYPE_RESERVED by trim_bios_range(). |
452308de MF |
346 | */ |
347 | if (!already_reserved) { | |
eeb9db09 | 348 | memblock_reserve(start, size); |
452308de MF |
349 | |
350 | /* | |
351 | * If we are the first to reserve the region, no | |
352 | * one else cares about it. We own it and can | |
353 | * free it later. | |
354 | */ | |
355 | if (can_free_region(start, size)) | |
356 | continue; | |
357 | } | |
358 | ||
359 | /* | |
360 | * We don't own the region. We must not free it. | |
361 | * | |
362 | * Setting this bit for a boot services region really | |
363 | * doesn't make sense as far as the firmware is | |
364 | * concerned, but it does provide us with a way to tag | |
365 | * those regions that must not be paired with | |
53ab85eb | 366 | * memblock_free_late(). |
452308de MF |
367 | */ |
368 | md->attribute |= EFI_MEMORY_RUNTIME; | |
eeb9db09 ST |
369 | } |
370 | } | |
371 | ||
08cfb38f SPP |
372 | /* |
373 | * Apart from having VA mappings for EFI boot services code/data regions, | |
374 | * (duplicate) 1:1 mappings were also created as a quirk for buggy firmware. So, | |
375 | * unmap both 1:1 and VA mappings. | |
376 | */ | |
377 | static void __init efi_unmap_pages(efi_memory_desc_t *md) | |
378 | { | |
379 | pgd_t *pgd = efi_mm.pgd; | |
380 | u64 pa = md->phys_addr; | |
381 | u64 va = md->virt_addr; | |
382 | ||
1debf095 SPP |
383 | /* |
384 | * EFI mixed mode has all RAM mapped to access arguments while making | |
385 | * EFI runtime calls, hence don't unmap EFI boot services code/data | |
386 | * regions. | |
387 | */ | |
a8147dba | 388 | if (efi_is_mixed()) |
1debf095 SPP |
389 | return; |
390 | ||
08cfb38f SPP |
391 | if (kernel_unmap_pages_in_pgd(pgd, pa, md->num_pages)) |
392 | pr_err("Failed to unmap 1:1 mapping for 0x%llx\n", pa); | |
393 | ||
394 | if (kernel_unmap_pages_in_pgd(pgd, va, md->num_pages)) | |
395 | pr_err("Failed to unmap VA mapping for 0x%llx\n", va); | |
396 | } | |
397 | ||
eeb9db09 ST |
398 | void __init efi_free_boot_services(void) |
399 | { | |
1db91035 | 400 | struct efi_memory_map_data data = { 0 }; |
78ce248f | 401 | efi_memory_desc_t *md; |
816e7612 MF |
402 | int num_entries = 0; |
403 | void *new, *new_md; | |
eeb9db09 | 404 | |
0e72a6a3 HG |
405 | /* Keep all regions for /sys/kernel/debug/efi */ |
406 | if (efi_enabled(EFI_DBG)) | |
407 | return; | |
408 | ||
78ce248f | 409 | for_each_efi_memory_desc(md) { |
eeb9db09 ST |
410 | unsigned long long start = md->phys_addr; |
411 | unsigned long long size = md->num_pages << EFI_PAGE_SHIFT; | |
5bc653b7 | 412 | size_t rm_size; |
eeb9db09 ST |
413 | |
414 | if (md->type != EFI_BOOT_SERVICES_CODE && | |
816e7612 MF |
415 | md->type != EFI_BOOT_SERVICES_DATA) { |
416 | num_entries++; | |
eeb9db09 | 417 | continue; |
816e7612 | 418 | } |
eeb9db09 | 419 | |
452308de | 420 | /* Do not free, someone else owns it: */ |
816e7612 MF |
421 | if (md->attribute & EFI_MEMORY_RUNTIME) { |
422 | num_entries++; | |
eeb9db09 | 423 | continue; |
816e7612 | 424 | } |
eeb9db09 | 425 | |
08cfb38f SPP |
426 | /* |
427 | * Before calling set_virtual_address_map(), EFI boot services | |
428 | * code/data regions were mapped as a quirk for buggy firmware. | |
429 | * Unmap them from efi_pgd before freeing them up. | |
430 | */ | |
431 | efi_unmap_pages(md); | |
432 | ||
5bc653b7 AL |
433 | /* |
434 | * Nasty quirk: if all sub-1MB memory is used for boot | |
435 | * services, we can get here without having allocated the | |
436 | * real mode trampoline. It's too late to hand boot services | |
437 | * memory back to the memblock allocator, so instead | |
438 | * try to manually allocate the trampoline if needed. | |
439 | * | |
440 | * I've seen this on a Dell XPS 13 9350 with firmware | |
441 | * 1.4.4 with SGX enabled booting Linux via Fedora 24's | |
442 | * grub2-efi on a hard disk. (And no, I don't know why | |
443 | * this happened, but Linux should still try to boot rather | |
163b0991 | 444 | * panicking early.) |
5bc653b7 AL |
445 | */ |
446 | rm_size = real_mode_size_needed(); | |
447 | if (rm_size && (start + rm_size) < (1<<20) && size >= rm_size) { | |
f560bd19 | 448 | set_real_mode_mem(start); |
5bc653b7 AL |
449 | start += rm_size; |
450 | size -= rm_size; | |
451 | } | |
452 | ||
f1d4d47c MR |
453 | /* |
454 | * Don't free memory under 1M for two reasons: | |
455 | * - BIOS might clobber it | |
456 | * - Crash kernel needs it to be reserved | |
457 | */ | |
458 | if (start + size < SZ_1M) | |
459 | continue; | |
460 | if (start < SZ_1M) { | |
461 | size -= (SZ_1M - start); | |
462 | start = SZ_1M; | |
463 | } | |
464 | ||
53ab85eb | 465 | memblock_free_late(start, size); |
eeb9db09 | 466 | } |
816e7612 | 467 | |
1ea34adb JG |
468 | if (!num_entries) |
469 | return; | |
470 | ||
1db91035 | 471 | if (efi_memmap_alloc(num_entries, &data) != 0) { |
816e7612 MF |
472 | pr_err("Failed to allocate new EFI memmap\n"); |
473 | return; | |
474 | } | |
475 | ||
1db91035 | 476 | new = memremap(data.phys_map, data.size, MEMREMAP_WB); |
816e7612 MF |
477 | if (!new) { |
478 | pr_err("Failed to map new EFI memmap\n"); | |
479 | return; | |
480 | } | |
481 | ||
482 | /* | |
483 | * Build a new EFI memmap that excludes any boot services | |
484 | * regions that are not tagged EFI_MEMORY_RUNTIME, since those | |
485 | * regions have now been freed. | |
486 | */ | |
487 | new_md = new; | |
488 | for_each_efi_memory_desc(md) { | |
489 | if (!(md->attribute & EFI_MEMORY_RUNTIME) && | |
490 | (md->type == EFI_BOOT_SERVICES_CODE || | |
491 | md->type == EFI_BOOT_SERVICES_DATA)) | |
492 | continue; | |
493 | ||
494 | memcpy(new_md, md, efi.memmap.desc_size); | |
495 | new_md += efi.memmap.desc_size; | |
496 | } | |
497 | ||
498 | memunmap(new); | |
499 | ||
1db91035 | 500 | if (efi_memmap_install(&data) != 0) { |
816e7612 MF |
501 | pr_err("Could not install new EFI memmap\n"); |
502 | return; | |
503 | } | |
eeb9db09 ST |
504 | } |
505 | ||
506 | /* | |
507 | * A number of config table entries get remapped to virtual addresses | |
508 | * after entering EFI virtual mode. However, the kexec kernel requires | |
509 | * their physical addresses therefore we pass them via setup_data and | |
510 | * correct those entries to their respective physical addresses here. | |
511 | * | |
512 | * Currently only handles smbios which is necessary for some firmware | |
513 | * implementation. | |
514 | */ | |
515 | int __init efi_reuse_config(u64 tables, int nr_tables) | |
516 | { | |
517 | int i, sz, ret = 0; | |
518 | void *p, *tablep; | |
519 | struct efi_setup_data *data; | |
520 | ||
88447c5b RB |
521 | if (nr_tables == 0) |
522 | return 0; | |
523 | ||
eeb9db09 ST |
524 | if (!efi_setup) |
525 | return 0; | |
526 | ||
527 | if (!efi_enabled(EFI_64BIT)) | |
528 | return 0; | |
529 | ||
530 | data = early_memremap(efi_setup, sizeof(*data)); | |
531 | if (!data) { | |
532 | ret = -ENOMEM; | |
533 | goto out; | |
534 | } | |
535 | ||
536 | if (!data->smbios) | |
537 | goto out_memremap; | |
538 | ||
539 | sz = sizeof(efi_config_table_64_t); | |
540 | ||
541 | p = tablep = early_memremap(tables, nr_tables * sz); | |
542 | if (!p) { | |
543 | pr_err("Could not map Configuration table!\n"); | |
544 | ret = -ENOMEM; | |
545 | goto out_memremap; | |
546 | } | |
547 | ||
9cd437ac | 548 | for (i = 0; i < nr_tables; i++) { |
eeb9db09 ST |
549 | efi_guid_t guid; |
550 | ||
551 | guid = ((efi_config_table_64_t *)p)->guid; | |
552 | ||
553 | if (!efi_guidcmp(guid, SMBIOS_TABLE_GUID)) | |
554 | ((efi_config_table_64_t *)p)->table = data->smbios; | |
555 | p += sz; | |
556 | } | |
98a716b6 | 557 | early_memunmap(tablep, nr_tables * sz); |
eeb9db09 ST |
558 | |
559 | out_memremap: | |
98a716b6 | 560 | early_memunmap(data, sizeof(*data)); |
eeb9db09 ST |
561 | out: |
562 | return ret; | |
563 | } | |
564 | ||
565 | void __init efi_apply_memmap_quirks(void) | |
566 | { | |
567 | /* | |
568 | * Once setup is done earlier, unmap the EFI memory map on mismatched | |
569 | * firmware/kernel architectures since there is no support for runtime | |
570 | * services. | |
571 | */ | |
572 | if (!efi_runtime_supported()) { | |
26d7f65f | 573 | pr_info("Setup done, disabling due to 32/64-bit mismatch\n"); |
9479c7ce | 574 | efi_memmap_unmap(); |
eeb9db09 | 575 | } |
eeb9db09 | 576 | } |
44be28e9 MF |
577 | |
578 | /* | |
579 | * For most modern platforms the preferred method of powering off is via | |
580 | * ACPI. However, there are some that are known to require the use of | |
581 | * EFI runtime services and for which ACPI does not work at all. | |
582 | * | |
583 | * Using EFI is a last resort, to be used only if no other option | |
584 | * exists. | |
585 | */ | |
586 | bool efi_reboot_required(void) | |
587 | { | |
588 | if (!acpi_gbl_reduced_hardware) | |
589 | return false; | |
590 | ||
591 | efi_reboot_quirk_mode = EFI_RESET_WARM; | |
592 | return true; | |
593 | } | |
594 | ||
595 | bool efi_poweroff_required(void) | |
596 | { | |
13737181 | 597 | return acpi_gbl_reduced_hardware || acpi_no_s5; |
44be28e9 | 598 | } |
2959c95d JK |
599 | |
600 | #ifdef CONFIG_EFI_CAPSULE_QUIRK_QUARK_CSH | |
601 | ||
602 | static int qrk_capsule_setup_info(struct capsule_info *cap_info, void **pkbuff, | |
603 | size_t hdr_bytes) | |
604 | { | |
605 | struct quark_security_header *csh = *pkbuff; | |
606 | ||
607 | /* Only process data block that is larger than the security header */ | |
608 | if (hdr_bytes < sizeof(struct quark_security_header)) | |
609 | return 0; | |
610 | ||
611 | if (csh->csh_signature != QUARK_CSH_SIGNATURE || | |
612 | csh->headersize != QUARK_SECURITY_HEADER_SIZE) | |
613 | return 1; | |
614 | ||
615 | /* Only process data block if EFI header is included */ | |
616 | if (hdr_bytes < QUARK_SECURITY_HEADER_SIZE + | |
617 | sizeof(efi_capsule_header_t)) | |
618 | return 0; | |
619 | ||
620 | pr_debug("Quark security header detected\n"); | |
621 | ||
622 | if (csh->rsvd_next_header != 0) { | |
623 | pr_err("multiple Quark security headers not supported\n"); | |
624 | return -EINVAL; | |
625 | } | |
626 | ||
627 | *pkbuff += csh->headersize; | |
628 | cap_info->total_size = csh->headersize; | |
629 | ||
630 | /* | |
631 | * Update the first page pointer to skip over the CSH header. | |
632 | */ | |
f24c4d47 AB |
633 | cap_info->phys[0] += csh->headersize; |
634 | ||
635 | /* | |
636 | * cap_info->capsule should point at a virtual mapping of the entire | |
637 | * capsule, starting at the capsule header. Our image has the Quark | |
638 | * security header prepended, so we cannot rely on the default vmap() | |
639 | * mapping created by the generic capsule code. | |
640 | * Given that the Quark firmware does not appear to care about the | |
641 | * virtual mapping, let's just point cap_info->capsule at our copy | |
642 | * of the capsule header. | |
643 | */ | |
644 | cap_info->capsule = &cap_info->header; | |
2959c95d JK |
645 | |
646 | return 1; | |
647 | } | |
648 | ||
2959c95d | 649 | static const struct x86_cpu_id efi_capsule_quirk_ids[] = { |
9595198f TG |
650 | X86_MATCH_VENDOR_FAM_MODEL(INTEL, 5, INTEL_FAM5_QUARK_X1000, |
651 | &qrk_capsule_setup_info), | |
2959c95d JK |
652 | { } |
653 | }; | |
654 | ||
655 | int efi_capsule_setup_info(struct capsule_info *cap_info, void *kbuff, | |
656 | size_t hdr_bytes) | |
657 | { | |
658 | int (*quirk_handler)(struct capsule_info *, void **, size_t); | |
659 | const struct x86_cpu_id *id; | |
660 | int ret; | |
661 | ||
662 | if (hdr_bytes < sizeof(efi_capsule_header_t)) | |
663 | return 0; | |
664 | ||
665 | cap_info->total_size = 0; | |
666 | ||
667 | id = x86_match_cpu(efi_capsule_quirk_ids); | |
668 | if (id) { | |
669 | /* | |
670 | * The quirk handler is supposed to return | |
671 | * - a value > 0 if the setup should continue, after advancing | |
672 | * kbuff as needed | |
673 | * - 0 if not enough hdr_bytes are available yet | |
674 | * - a negative error code otherwise | |
675 | */ | |
676 | quirk_handler = (typeof(quirk_handler))id->driver_data; | |
677 | ret = quirk_handler(cap_info, &kbuff, hdr_bytes); | |
678 | if (ret <= 0) | |
679 | return ret; | |
680 | } | |
681 | ||
682 | memcpy(&cap_info->header, kbuff, sizeof(cap_info->header)); | |
683 | ||
684 | cap_info->total_size += cap_info->header.imagesize; | |
685 | ||
686 | return __efi_capsule_setup_info(cap_info); | |
687 | } | |
688 | ||
689 | #endif | |
3425d934 SP |
690 | |
691 | /* | |
692 | * If any access by any efi runtime service causes a page fault, then, | |
693 | * 1. If it's efi_reset_system(), reboot through BIOS. | |
694 | * 2. If any other efi runtime service, then | |
695 | * a. Return error status to the efi caller process. | |
696 | * b. Disable EFI Runtime Services forever and | |
697 | * c. Freeze efi_rts_wq and schedule new process. | |
698 | * | |
699 | * @return: Returns, if the page fault is not handled. This function | |
700 | * will never return if the page fault is handled successfully. | |
701 | */ | |
c46f5223 | 702 | void efi_crash_gracefully_on_page_fault(unsigned long phys_addr) |
3425d934 SP |
703 | { |
704 | if (!IS_ENABLED(CONFIG_X86_64)) | |
705 | return; | |
706 | ||
c46f5223 AL |
707 | /* |
708 | * If we get an interrupt/NMI while processing an EFI runtime service | |
709 | * then this is a regular OOPS, not an EFI failure. | |
710 | */ | |
711 | if (in_interrupt()) | |
712 | return; | |
713 | ||
3425d934 SP |
714 | /* |
715 | * Make sure that an efi runtime service caused the page fault. | |
c46f5223 AL |
716 | * READ_ONCE() because we might be OOPSing in a different thread, |
717 | * and we don't want to trip KTSAN while trying to OOPS. | |
3425d934 | 718 | */ |
c46f5223 AL |
719 | if (READ_ONCE(efi_rts_work.efi_rts_id) == EFI_NONE || |
720 | current_work() != &efi_rts_work.work) | |
3425d934 SP |
721 | return; |
722 | ||
723 | /* | |
724 | * Address range 0x0000 - 0x0fff is always mapped in the efi_pgd, so | |
725 | * page faulting on these addresses isn't expected. | |
726 | */ | |
919aef44 | 727 | if (phys_addr <= 0x0fff) |
3425d934 SP |
728 | return; |
729 | ||
730 | /* | |
731 | * Print stack trace as it might be useful to know which EFI Runtime | |
732 | * Service is buggy. | |
733 | */ | |
734 | WARN(1, FW_BUG "Page fault caused by firmware at PA: 0x%lx\n", | |
735 | phys_addr); | |
736 | ||
737 | /* | |
738 | * Buggy efi_reset_system() is handled differently from other EFI | |
739 | * Runtime Services as it doesn't use efi_rts_wq. Although, | |
740 | * native_machine_emergency_restart() says that machine_real_restart() | |
d9f6e12f | 741 | * could fail, it's better not to complicate this fault handler |
3425d934 SP |
742 | * because this case occurs *very* rarely and hence could be improved |
743 | * on a need by basis. | |
744 | */ | |
5c418dc7 | 745 | if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) { |
3425d934 SP |
746 | pr_info("efi_reset_system() buggy! Reboot through BIOS\n"); |
747 | machine_real_restart(MRR_BIOS); | |
748 | return; | |
749 | } | |
750 | ||
751 | /* | |
752 | * Before calling EFI Runtime Service, the kernel has switched the | |
753 | * calling process to efi_mm. Hence, switch back to task_mm. | |
754 | */ | |
755 | arch_efi_call_virt_teardown(); | |
756 | ||
757 | /* Signal error status to the efi caller process */ | |
758 | efi_rts_work.status = EFI_ABORTED; | |
759 | complete(&efi_rts_work.efi_rts_comp); | |
760 | ||
761 | clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); | |
762 | pr_info("Froze efi_rts_wq and disabled EFI Runtime Services\n"); | |
763 | ||
764 | /* | |
765 | * Call schedule() in an infinite loop, so that any spurious wake ups | |
766 | * will never run efi_rts_wq again. | |
767 | */ | |
768 | for (;;) { | |
769 | set_current_state(TASK_IDLE); | |
770 | schedule(); | |
771 | } | |
3425d934 | 772 | } |