    x86/efistub: Avoid legacy decompressor when doing EFI boot · a1b87d54
    Ard Biesheuvel authored
    The bare metal decompressor code was never really intended to run in a
    hosted environment such as the EFI boot services, and does a few things
    that are becoming problematic in the context of EFI boot now that the
    logo requirements are getting tighter: EFI executables will no longer be
    allowed to consist of a single executable section that is mapped with
    read, write and execute permissions if they are intended for use in a
    context where Secure Boot is enabled (and where Microsoft's set of
    certificates is used, i.e., every x86 PC built to run Windows).
    
    To avoid stepping on reserved memory before having inspected the E820
    tables, and to ensure the correct placement when running a kernel build
    that is non-relocatable, the bare metal decompressor moves its own
    executable image to the end of the allocation that was reserved for it,
    in order to perform the decompression in place. This means the region in
    question requires both write and execute permissions, which either need
    to be given upfront (which EFI will no longer permit), or need to be
    applied on demand using the existing page fault handling framework.
    
    However, the physical placement of the kernel is usually randomized
    anyway, and even if it isn't, a dedicated decompression output buffer
    can be allocated anywhere in memory using EFI APIs when still running in
    the boot services, given that EFI support already implies a relocatable
    kernel. This means that decompression in place is never necessary, nor
    is moving the compressed image from one end to the other.
    
    Since EFI already maps all of memory 1:1, it is also unnecessary to
    create new page tables or handle page faults when decompressing the
    kernel. That means there is also no need to replace the special
    exception handlers for SEV. Generally, there is little need to do
    any of the things that the decompressor does beyond
    
    - initialize SEV encryption, if needed,
    - perform the 4/5 level paging switch, if needed,
    - decompress the kernel
    - relocate the kernel
    
    So do all of this from the EFI stub code, and avoid the bare metal
    decompressor altogether.
    Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
    Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
    Link: https://lore.kernel.org/r/20230807162720.545787-24-ardb@kernel.org
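The section-permission requirement the commit message refers to (no single section mapped read, write and execute in an EFI executable intended for Secure Boot) can be checked on a built image by reading its PE section headers. The following is an added example, not code from this commit or the kernel tree: it parses the COFF section table and flags any section carrying both IMAGE_SCN_MEM_WRITE and IMAGE_SCN_MEM_EXECUTE, and exercises that check on two constructed, non-loadable PE headers (one with a single RWX section, one with separate code and data sections).

```python
import struct

# PE section Characteristics bits (from the PE/COFF spec).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(image: bytes):
    """Yield (name, characteristics) for every section header of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                                   # COFF file header (20 bytes)
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    table = coff + 20 + opt_size                          # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                              # each section header is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (flags,) = struct.unpack_from("<I", image, off + 36)
        yield name, flags


def wx_sections(image: bytes) -> list:
    """Names of sections that are both writable and executable (rejected for Secure Boot signing)."""
    return [n for n, f in pe_sections(image)
            if f & IMAGE_SCN_MEM_WRITE and f & IMAGE_SCN_MEM_EXECUTE]


def build_pe(sections) -> bytes:
    """Build a constructed, minimal PE header (not loadable) with the given (name, flags) sections."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x86-64, NumberOfSections, TimeDateStamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0)
    table = b"".join(name.ljust(8, b"\0") + bytes(28) + struct.pack("<I", flags)
                     for name, flags in sections)
    return dos + b"PE\0\0" + coff + table


# Constructed samples: one RWX section versus separate code (R+X) and data (R+W) sections.
LEGACY_IMAGE = build_pe([(b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE)])
SPLIT_IMAGE = build_pe([(b".text", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
                        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)])

if __name__ == "__main__":
    for label, img in (("legacy", LEGACY_IMAGE), ("split", SPLIT_IMAGE)):
        print(label, "W+X sections:", wx_sections(img) or "none")
```

Pointing `pe_sections` at a real `bzImage` or `vmlinuz.efi` file read in binary mode gives the same check against an actual build.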