authorDemi Marie Obenour <demi@invisiblethingslab.com>2023-01-19 14:03:58 -0500
committerArd Biesheuvel <ardb@kernel.org>2023-01-23 11:33:24 +0100
commitc0fecaa44dc341d86e4ce96efcda9ea8b4c106af (patch)
tree78f775b1641c6c9af9f8b70c13842e6873f4041f /include/linux
parentaca1d27ac38a61d7db4b56418386992cb96b63f0 (diff)
efi: Apply allowlist to EFI configuration tables when running under Xen
As it turns out, Xen does not guarantee that EFI boot services data regions in memory are preserved, which means that EFI configuration tables pointing into such memory regions may be corrupted before the dom0 OS has had a chance to inspect them. This is causing problems for Qubes OS when it attempts to perform system firmware updates, which requires that the contents of the EFI System Resource Table are valid when the fwupd userspace program runs. However, other configuration tables such as the memory attributes table or the runtime properties table are equally affected, and so we need a comprehensive workaround that works for any table type. So when running under Xen, check the EFI memory descriptor covering the start of the table, and disregard the table if it does not reside in memory that is preserved by Xen. Co-developed-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com> Tested-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/efi.h10
1 files changed, 10 insertions, 0 deletions
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 4d7a44f60990..1a1adc8d3ba3 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -1322,4 +1322,14 @@ struct linux_efi_initrd {
/* Header of a populated EFI secret area */
#define EFI_SECRET_TABLE_HEADER_GUID EFI_GUID(0x1e74f542, 0x71dd, 0x4d66, 0x96, 0x3e, 0xef, 0x42, 0x87, 0xff, 0x17, 0x3b)
+bool xen_efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table);
+
+static inline
+bool efi_config_table_is_usable(const efi_guid_t *guid, unsigned long table)
+{
+ if (!IS_ENABLED(CONFIG_XEN_EFI))
+ return true;
+ return xen_efi_config_table_is_usable(guid, table);
+}
+
#endif /* _LINUX_EFI_H */
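Review bot: Neither the xen_efi_config_table_is_usable() prototype nor the efi_config_table_is_usable() inline says what "usable" means, and the answer is only in the commit message, not in this header. A comment above the inline such as `/* Under Xen, EFI boot-services memory is not guaranteed to survive until dom0 runs, so a configuration table is only usable if it lies in memory Xen preserves; always true when CONFIG_XEN_EFI is off. */` would tell callers this is a memory-region check rather than a GUID allowlist. Since the commit says the decision is taken from the EFI memory descriptor covering the start of the table, that caveat belongs in the same comment so callers of multi-page tables know only the first descriptor is consulted. The Xen-side implementation is outside this hunk, so whether it also returns true on non-Xen boots with CONFIG_XEN_EFI=y cannot be confirmed here and would be worth stating in the prototype's comment.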