
Re: [PATCH v1.1 64/65] x86/efi: Disable CET-IBT around Runtime Services calls


  • To: Andrew Cooper <amc96@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 13 Dec 2021 08:52:12 +0100
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Mon, 13 Dec 2021 07:52:28 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 10.12.2021 18:16, Andrew Cooper wrote:
> On 06/12/2021 11:06, Jan Beulich wrote:
>> On 26.11.2021 17:38, Andrew Cooper wrote:
>>> --- a/xen/arch/x86/efi/stub.c
>>> +++ b/xen/arch/x86/efi/stub.c
>>> @@ -11,6 +11,8 @@
>>>  #include <efi/efidevp.h>
>>>  #include <efi/efiapi.h>
>>>  
>>> +bool __initdata efi_no_cet_ibt;
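
Review bot: __initdata on efi_no_cet_ibt in stub.c means the flag's storage is discarded once boot completes, while the patch title says IBT is disabled around Runtime Services calls, which are made after init. If any post-boot path reads this flag, the annotation is wrong and should be dropped; if the flag is only consumed during init, a one-line comment saying so next to the definition would make that clear.
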
>> I'm having trouble seeing what this is needed for - when this file gets
>> built, neither boot.c nor runtime.c will get compiled, and hence there
>> should not be any reference to the symbol that needs satisfying.
>>
>>> @@ -735,6 +736,14 @@ static void __init efi_init(EFI_HANDLE ImageHandle, 
>>> EFI_SYSTEM_TABLE *SystemTabl
>>>  
>>>      StdOut = SystemTable->ConOut;
>>>      StdErr = SystemTable->StdErr ?: StdOut;
>>> +
>>> +#ifdef CONFIG_X86
>> CONFIG_XEN_IBT?
>>
>>> +    /*
>>> +     * Heuristic.  Look under an arbitrary function pointer to see if UEFI 
>>> was
>>> +     * compiled with CET-IBT support.  Experimentally some are not.
>>> +     */
>>> +    efi_no_cet_ibt = !is_endbr64(efi_rs->GetTime);
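
Review bot: the single probe of efi_rs->GetTime in efi_init() decides the flag for every Runtime Services entry point, and the comment itself calls the choice arbitrary. Suggest running is_endbr64() over each function pointer in the runtime services table and treating any miss as "no IBT", and printing the outcome so the boot log shows which way the heuristic went.
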
>> I'm afraid I consider this insufficient. Even if the core EFI was built
>> with IBT support, some driver may not have been.
> 
> That's not an issue.  Everything is built together in practice.

I'd be willing to take your word on this for everything that comes right
with the firmware. I'd further be willing to accept that there are no
add-in card BIOSes which may get involved. But I highly doubt that what
you say applies to all software which may get loaded ahead of starting
Xen. Such software may very well register hooks with core EFI.

>>  Hence I think there
>> needs to be a command line control to force turning off IBT. The only
>> question is whether we want to also honor its positive form - that
>> would, afaict, be a recipe for a guaranteed crash if used wrongly (and
>> it would be meaningless when used on IBT-aware firmware).
> 
> It turns out that IBT support is lacking from tianocore, so nothing is
> going to support IBT for a good while yet.
> 
> https://bugzilla.tianocore.org/show_bug.cgi?id=3726 is the proposed
> change to the spec to support this.
> 
> In the meantime, I'm just going to blanket disable IBT for RS calls.

Yeah, that's going to be okay for the time being.

Jan
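
The objection above, that one IBT-aware entry point says nothing about the others, shown as an added example that is not code from the patch or from Xen. The helper names, the table layout and the byte strings are assumptions constructed for illustration; only the ENDBR64 encoding (F3 0F 1E FA) is architectural.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ENDBR64 is encoded as the four bytes F3 0F 1E FA. */
static const uint8_t ENDBR64[4] = { 0xf3, 0x0f, 0x1e, 0xfa };

/* Hypothetical helper: does the code at 'entry' begin with ENDBR64? */
static bool starts_with_endbr64(const uint8_t *entry, size_t len)
{
    return len >= sizeof(ENDBR64) &&
           memcmp(entry, ENDBR64, sizeof(ENDBR64)) == 0;
}

struct entry_point {            /* one indirect-call target (hypothetical) */
    const char *name;
    const uint8_t *code;
    size_t len;
};

/* Count targets lacking ENDBR64; 0 means every probed target has it. */
static size_t count_non_ibt(const struct entry_point *tbl, size_t n)
{
    size_t missing = 0;
    for (size_t i = 0; i < n; i++)
        if (!starts_with_endbr64(tbl[i].code, tbl[i].len))
            missing++;
    return missing;
}

/* Constructed sample bytes, not taken from any real firmware image. */
static const uint8_t with_ibt[]    = { 0xf3, 0x0f, 0x1e, 0xfa, 0x55, 0x48, 0x89, 0xe5 };
static const uint8_t without_ibt[] = { 0x55, 0x48, 0x89, 0xe5, 0xc3 };
static const uint8_t truncated[]   = { 0xf3, 0x0f };

/* First entry passes; the last stands in for a hook registered by
 * software loaded before the hypervisor and built without IBT. */
static const struct entry_point sample_table[] = {
    { "GetTime",     with_ibt,    sizeof(with_ibt) },
    { "SetVariable", with_ibt,    sizeof(with_ibt) },
    { "hooked",      without_ibt, sizeof(without_ibt) },
};

int main(void)
{
    bool first = starts_with_endbr64(sample_table[0].code, sample_table[0].len);
    printf("single probe: %s, non-IBT targets: %zu\n",
           first ? "IBT" : "no IBT", count_non_ibt(sample_table, 3));
    return 0;
}
```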




 

