Commit e8dfdf31 authored by Ard Biesheuvel's avatar Ard Biesheuvel

arm64: efi: Recover from synchronous exceptions occurring in firmware

Unlike x86, which has machinery to deal with page faults that occur
during the execution of EFI runtime services, arm64 has nothing like
that, and a synchronous exception raised by firmware code brings down
the whole system.

With more EFI based systems appearing that were not built to run Linux
(such as the Windows-on-ARM laptops based on Qualcomm SOCs), as well as
the introduction of PRM (platform specific firmware routines that are
callable just like EFI runtime services), we are more likely to run into
issues of this sort, and it is much more likely that we can identify and
work around such issues if they don't bring down the system entirely.

Since we already use a EFI runtime services call wrapper in assembler,
we can quite easily add some code that captures the execution state at
the point where the call is made, allowing us to revert to this state
and proceed execution if the call triggered a synchronous exception.

Given that the kernel and the firmware don't share any data structures
that could end up in an indeterminate state, we can happily continue
running, as long as we mark the EFI runtime services as unavailable from
that point on.
Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
parent ff7a1679
...@@ -14,8 +14,16 @@ ...@@ -14,8 +14,16 @@
#ifdef CONFIG_EFI #ifdef CONFIG_EFI
extern void efi_init(void); extern void efi_init(void);
bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg);
#else #else
#define efi_init() #define efi_init()
static inline
bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
{
return false;
}
#endif #endif
int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md); int efi_create_mapping(struct mm_struct *mm, efi_memory_desc_t *md);
......
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
#include <linux/linkage.h> #include <linux/linkage.h>
SYM_FUNC_START(__efi_rt_asm_wrapper) SYM_FUNC_START(__efi_rt_asm_wrapper)
stp x29, x30, [sp, #-32]! stp x29, x30, [sp, #-112]!
mov x29, sp mov x29, sp
/* /*
...@@ -16,11 +16,21 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) ...@@ -16,11 +16,21 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
*/ */
stp x1, x18, [sp, #16] stp x1, x18, [sp, #16]
/*
* Preserve all callee saved registers and preserve the stack pointer
* value at the base of the EFI runtime stack so we can recover from
* synchronous exceptions occurring while executing the firmware
* routines.
*/
stp x19, x20, [sp, #32]
stp x21, x22, [sp, #48]
stp x23, x24, [sp, #64]
stp x25, x26, [sp, #80]
stp x27, x28, [sp, #96]
ldr_l x16, efi_rt_stack_top ldr_l x16, efi_rt_stack_top
mov sp, x16 mov sp, x16
#ifdef CONFIG_SHADOW_CALL_STACK stp x18, x29, [sp, #-16]!
str x18, [sp, #-16]!
#endif
/* /*
* We are lucky enough that no EFI runtime services take more than * We are lucky enough that no EFI runtime services take more than
...@@ -38,7 +48,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) ...@@ -38,7 +48,7 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
mov sp, x29 mov sp, x29
ldp x1, x2, [sp, #16] ldp x1, x2, [sp, #16]
cmp x2, x18 cmp x2, x18
ldp x29, x30, [sp], #32 ldp x29, x30, [sp], #112
b.ne 0f b.ne 0f
ret ret
0: 0:
...@@ -56,3 +66,15 @@ SYM_FUNC_START(__efi_rt_asm_wrapper) ...@@ -56,3 +66,15 @@ SYM_FUNC_START(__efi_rt_asm_wrapper)
b efi_handle_corrupted_x18 // tail call b efi_handle_corrupted_x18 // tail call
SYM_FUNC_END(__efi_rt_asm_wrapper) SYM_FUNC_END(__efi_rt_asm_wrapper)
SYM_CODE_START(__efi_rt_asm_recover)
mov sp, x30
ldp x19, x20, [sp, #32]
ldp x21, x22, [sp, #48]
ldp x23, x24, [sp, #64]
ldp x25, x26, [sp, #80]
ldp x27, x28, [sp, #96]
ldp x29, x30, [sp], #112
ret
SYM_CODE_END(__efi_rt_asm_recover)
...@@ -149,6 +149,28 @@ DEFINE_SPINLOCK(efi_rt_lock); ...@@ -149,6 +149,28 @@ DEFINE_SPINLOCK(efi_rt_lock);
asmlinkage u64 *efi_rt_stack_top __ro_after_init; asmlinkage u64 *efi_rt_stack_top __ro_after_init;
asmlinkage efi_status_t __efi_rt_asm_recover(void);
bool efi_runtime_fixup_exception(struct pt_regs *regs, const char *msg)
{
/* Check whether the exception occurred while running the firmware */
if (current_work() != &efi_rts_work.work || regs->pc >= TASK_SIZE_64)
return false;
pr_err(FW_BUG "Unable to handle %s in EFI runtime service\n", msg);
add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
regs->regs[0] = EFI_ABORTED;
regs->regs[30] = efi_rt_stack_top[-1];
regs->pc = (u64)__efi_rt_asm_recover;
if (IS_ENABLED(CONFIG_SHADOW_CALL_STACK))
regs->regs[18] = efi_rt_stack_top[-2];
return true;
}
/* EFI requires 8 KiB of stack space for runtime services */ /* EFI requires 8 KiB of stack space for runtime services */
static_assert(THREAD_SIZE >= SZ_8K); static_assert(THREAD_SIZE >= SZ_8K);
......
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#include <asm/bug.h> #include <asm/bug.h>
#include <asm/cmpxchg.h> #include <asm/cmpxchg.h>
#include <asm/cpufeature.h> #include <asm/cpufeature.h>
#include <asm/efi.h>
#include <asm/exception.h> #include <asm/exception.h>
#include <asm/daifflags.h> #include <asm/daifflags.h>
#include <asm/debug-monitors.h> #include <asm/debug-monitors.h>
...@@ -391,6 +392,9 @@ static void __do_kernel_fault(unsigned long addr, unsigned long esr, ...@@ -391,6 +392,9 @@ static void __do_kernel_fault(unsigned long addr, unsigned long esr,
msg = "paging request"; msg = "paging request";
} }
if (efi_runtime_fixup_exception(regs, msg))
return;
die_kernel_fault(msg, addr, esr, regs); die_kernel_fault(msg, addr, esr, regs);
} }
......
...@@ -83,6 +83,7 @@ struct efi_runtime_work efi_rts_work; ...@@ -83,6 +83,7 @@ struct efi_runtime_work efi_rts_work;
else \ else \
pr_err("Failed to queue work to efi_rts_wq.\n"); \ pr_err("Failed to queue work to efi_rts_wq.\n"); \
\ \
WARN_ON_ONCE(efi_rts_work.status == EFI_ABORTED); \
exit: \ exit: \
efi_rts_work.efi_rts_id = EFI_NONE; \ efi_rts_work.efi_rts_id = EFI_NONE; \
efi_rts_work.status; \ efi_rts_work.status; \
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment