From: Sai Praneeth <sai.praneeth.prakhya@xxxxxxxxx>
Presently, the kernel maps EFI_BOOT_SERVICES_<CODE/DATA> regions as a
workaround for buggy firmware that accesses them even when they
shouldn't. With EFI_WARN_ON_ILLEGAL_ACCESSES enabled kernel can now
detect and handle such accesses dynamically. Hence, rather than safely
mapping all the EFI_BOOT_SERVICES_<CODE/DATA> regions, map only
EFI_RUNTIME_SERVICES_<CODE/DATA> regions and trap all other illegal
accesses.
Signed-off-by: Sai Praneeth Prakhya <sai.praneeth.prakhya@xxxxxxxxx>
Suggested-by: Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx>
Based-on-code-from: Ricardo Neri <ricardo.neri@xxxxxxxxx>
Cc: Al Stone <astone@xxxxxxxxxx>
Cc: Lee Chun-Yi <jlee@xxxxxxxx>
Cc: Borislav Petkov <bp@xxxxxxxxx>
Cc: Bhupesh Sharma <bhsharma@xxxxxxxxxx>
Cc: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
---
arch/x86/platform/efi/efi.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c
index 7d18b7ed5d41..0ddb22a03d88 100644
--- a/arch/x86/platform/efi/efi.c
+++ b/arch/x86/platform/efi/efi.c
@@ -768,9 +768,13 @@ static bool should_map_region(efi_memory_desc_t *md)
/*
* Map boot services regions as a workaround for buggy
* firmware that accesses them even when they shouldn't.
+ * (only if CONFIG_EFI_WARN_ON_ILLEGAL_ACCESSES is disabled)
*
* See efi_{reserve,free}_boot_services().
*/
+ if (IS_ENABLED(CONFIG_EFI_WARN_ON_ILLEGAL_ACCESSES))
+ return false;
+
if (md->type == EFI_BOOT_SERVICES_CODE ||
md->type == EFI_BOOT_SERVICES_DATA)
return true;
--
2.7.4
--
To unsubscribe from this list: send the line "unsubscribe linux-efi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
