
Re: [PATCH v1.1 64/65] x86/efi: Disable CET-IBT around Runtime Services calls



On 06/12/2021 11:06, Jan Beulich wrote:
> On 26.11.2021 17:38, Andrew Cooper wrote:
>> --- a/xen/arch/x86/efi/stub.c
>> +++ b/xen/arch/x86/efi/stub.c
>> @@ -11,6 +11,8 @@
>>  #include <efi/efidevp.h>
>>  #include <efi/efiapi.h>
>>  
>> +bool __initdata efi_no_cet_ibt;
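
Review bot: the added `efi_no_cet_ibt` definition is placed in `__initdata`, while the subject line ties the flag to Runtime Services calls. If anything reads it after the init sections are discarded, the annotation is wrong: either keep every reader in `__init` code and say so in a comment beside the definition, or move the variable to a non-init section. A one-line comment on why stub.c carries its own definition would also help.
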
> I'm having trouble seeing what this is needed for - when this file gets
> built, neither boot.c nor runtime.c will get compiled, and hence there
> should not be any reference to the symbol that needs satisfying.
>
>> @@ -735,6 +736,14 @@ static void __init efi_init(EFI_HANDLE ImageHandle, 
>> EFI_SYSTEM_TABLE *SystemTabl
>>  
>>      StdOut = SystemTable->ConOut;
>>      StdErr = SystemTable->StdErr ?: StdOut;
>> +
>> +#ifdef CONFIG_X86
> CONFIG_XEN_IBT?
>
>> +    /*
>> +     * Heuristic.  Look under an arbitrary function pointer to see if UEFI 
>> was
>> +     * compiled with CET-IBT support.  Experimentally some are not.
>> +     */
>> +    efi_no_cet_ibt = !is_endbr64(efi_rs->GetTime);
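
Review bot: the result of `efi_no_cet_ibt = !is_endbr64(efi_rs->GetTime);` is never reported, so the boot log gives no indication of whether the heuristic decided to turn IBT off. Suggest logging the outcome once at this point, and extending the comment above it to say what a wrong guess costs in each direction.
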
> I'm afraid I consider this insufficient. Even if the core EFI was built
> with IBT support, some driver may not have been.

That's not an issue.  Everything is built together in practice.

>  Hence I think there
> needs to be a command line control to force turning off IBT. The only
> question is whether we want to also honor its positive form - that
> would, afaict, be a recipe for a guaranteed crash if used wrongly (and
> it would be meaningless when used on IBT-aware firmware).

It turns out that IBT support is lacking from tianocore, so nothing is
going to support IBT for a good while yet.

https://bugzilla.tianocore.org/show_bug.cgi?id=3726 is the proposed
change to the spec to support this.

In the meantime, I'm just going to blanket disable IBT for RS calls.

~Andrew



 

