On Tue, 29 Mar, at 03:50:39PM, Ard Biesheuvel wrote: > > Should we perhaps whitelist rather than blacklist these flags? If a > 'EFI_CAPSULE_INITIATE_RESET_TOO' surfaces at some point, or flags that > do other nasty things, at least we won't be caught off guard. I spent a while thinking about this and was originally going to go with the blacklist. The idea being that we wouldn't need to update the kernel to allow new capsule flags to be passed through to the firmware, even when the kernel doesn't care about them. But then the thought of having to apply patches to stable to disallow new capsule flags that don't work correctly with the current patches left me feeling a cold chill. So yes, it's a good suggestion Ard. Let's go with the whitelist, which gives us the power to opt-in to any new capsule flags, whatever they may be. --- diff --git a/drivers/firmware/efi/capsule.c b/drivers/firmware/efi/capsule.c index dac25208ad5e..0de55944ac0b 100644 --- a/drivers/firmware/efi/capsule.c +++ b/drivers/firmware/efi/capsule.c @@ -64,6 +64,17 @@ out: return rv; } +/* + * Whitelist of EFI capsule flags that we support. + * + * We do not handle EFI_CAPSULE_INITIATE_RESET because that would + * require us to prepare the kernel for reboot. Refuse to load any + * capsules with that flag and any other flags that we do not know how + * to handle. + */ +#define EFI_CAPSULE_SUPPORTED_FLAG_MASK \ + (EFI_CAPSULE_PERSIST_ACROSS_RESET | EFI_CAPSULE_POPULATE_SYSTEM_TABLE) + /** * efi_capsule_supported - does the firmware support the capsule? * @guid: vendor guid of capsule @@ -84,6 +95,9 @@ int efi_capsule_supported(efi_guid_t guid, u32 flags, size_t size, int *reset) u64 max_size; int rv = 0; + if (flags & ~EFI_CAPSULE_SUPPORTED_FLAG_MASK) + return -EINVAL; + capsule = kmalloc(sizeof(*capsule), GFP_KERNEL); if (!capsule) return -ENOMEM; -- To unsubscribe from this list: send the line "unsubscribe linux-efi" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html