Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

+3 -1

arch/x86/boot/compressed/eboot.c

··· 13 13 #include <asm/e820/types.h> 14 14 #include <asm/setup.h> 15 15 #include <asm/desc.h> 16 + #include <asm/boot.h> 16 17 17 18 #include "../string.h" 18 19 #include "eboot.h" ··· 814 813 status = efi_relocate_kernel(sys_table, &bzimage_addr, 815 814 hdr->init_size, hdr->init_size, 816 815 hdr->pref_address, 817 - hdr->kernel_alignment); 816 + hdr->kernel_alignment, 817 + LOAD_PHYSICAL_ADDR); 818 818 if (status != EFI_SUCCESS) { 819 819 efi_printk(sys_table, "efi_relocate_kernel() failed!\n"); 820 820 goto fail;

+1

drivers/firmware/efi/Kconfig

··· 182 182 183 183 config EFI_RCI2_TABLE 184 184 bool "EFI Runtime Configuration Interface Table Version 2 Support" 185 + depends on X86 || COMPILE_TEST 185 186 help 186 187 Displays the content of the Runtime Configuration Interface 187 188 Table version 2 on Dell EMC PowerEdge systems as a binary

+1 -1

drivers/firmware/efi/efi.c

··· 554 554 sizeof(*seed) + size); 555 555 if (seed != NULL) { 556 556 pr_notice("seeding entropy pool\n"); 557 - add_device_randomness(seed->bits, seed->size); 557 + add_bootloader_randomness(seed->bits, seed->size); 558 558 early_memunmap(seed, sizeof(*seed) + size); 559 559 } else { 560 560 pr_err("Could not map UEFI random seed!\n");

+1

drivers/firmware/efi/libstub/Makefile

··· 52 52 53 53 lib-$(CONFIG_ARM) += arm32-stub.o 54 54 lib-$(CONFIG_ARM64) += arm64-stub.o 55 + CFLAGS_arm32-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) 55 56 CFLAGS_arm64-stub.o := -DTEXT_OFFSET=$(TEXT_OFFSET) 56 57 57 58 #

+13 -3

drivers/firmware/efi/libstub/arm32-stub.c

··· 195 195 unsigned long dram_base, 196 196 efi_loaded_image_t *image) 197 197 { 198 + unsigned long kernel_base; 198 199 efi_status_t status; 199 200 200 201 /* ··· 205 204 * loaded. These assumptions are made by the decompressor, 206 205 * before any memory map is available. 207 206 */ 208 - dram_base = round_up(dram_base, SZ_128M); 207 + kernel_base = round_up(dram_base, SZ_128M); 209 208 210 - status = reserve_kernel_base(sys_table, dram_base, reserve_addr, 209 + /* 210 + * Note that some platforms (notably, the Raspberry Pi 2) put 211 + * spin-tables and other pieces of firmware at the base of RAM, 212 + * abusing the fact that the window of TEXT_OFFSET bytes at the 213 + * base of the kernel image is only partially used at the moment. 214 + * (Up to 5 pages are used for the swapper page tables) 215 + */ 216 + kernel_base += TEXT_OFFSET - 5 * PAGE_SIZE; 217 + 218 + status = reserve_kernel_base(sys_table, kernel_base, reserve_addr, 211 219 reserve_size); 212 220 if (status != EFI_SUCCESS) { 213 221 pr_efi_err(sys_table, "Unable to allocate memory for uncompressed kernel.\n"); ··· 230 220 *image_size = image->image_size; 231 221 status = efi_relocate_kernel(sys_table, image_addr, *image_size, 232 222 *image_size, 233 - dram_base + MAX_UNCOMP_KERNEL_SIZE, 0); 223 + kernel_base + MAX_UNCOMP_KERNEL_SIZE, 0, 0); 234 224 if (status != EFI_SUCCESS) { 235 225 pr_efi_err(sys_table, "Failed to relocate kernel.\n"); 236 226 efi_free(sys_table, *reserve_size, *reserve_addr);

+10 -14

drivers/firmware/efi/libstub/efi-stub-helper.c

··· 260 260 } 261 261 262 262 /* 263 - * Allocate at the lowest possible address. 263 + * Allocate at the lowest possible address that is not below 'min'. 264 264 */ 265 - efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, 266 - unsigned long size, unsigned long align, 267 - unsigned long *addr) 265 + efi_status_t efi_low_alloc_above(efi_system_table_t *sys_table_arg, 266 + unsigned long size, unsigned long align, 267 + unsigned long *addr, unsigned long min) 268 268 { 269 269 unsigned long map_size, desc_size, buff_size; 270 270 efi_memory_desc_t *map; ··· 311 311 start = desc->phys_addr; 312 312 end = start + desc->num_pages * EFI_PAGE_SIZE; 313 313 314 - /* 315 - * Don't allocate at 0x0. It will confuse code that 316 - * checks pointers against NULL. Skip the first 8 317 - * bytes so we start at a nice even number. 318 - */ 319 - if (start == 0x0) 320 - start += 8; 314 + if (start < min) 315 + start = min; 321 316 322 317 start = round_up(start, align); 323 318 if ((start + size) > end) ··· 693 698 unsigned long image_size, 694 699 unsigned long alloc_size, 695 700 unsigned long preferred_addr, 696 - unsigned long alignment) 701 + unsigned long alignment, 702 + unsigned long min_addr) 697 703 { 698 704 unsigned long cur_image_addr; 699 705 unsigned long new_addr = 0; ··· 727 731 * possible. 728 732 */ 729 733 if (status != EFI_SUCCESS) { 730 - status = efi_low_alloc(sys_table_arg, alloc_size, alignment, 731 - &new_addr); 734 + status = efi_low_alloc_above(sys_table_arg, alloc_size, 735 + alignment, &new_addr, min_addr); 732 736 } 733 737 if (status != EFI_SUCCESS) { 734 738 pr_efi_err(sys_table_arg, "Failed to allocate usable memory for kernel.\n");

+8

drivers/firmware/efi/test/efi_test.c

··· 14 14 #include <linux/init.h> 15 15 #include <linux/proc_fs.h> 16 16 #include <linux/efi.h> 17 + #include <linux/security.h> 17 18 #include <linux/slab.h> 18 19 #include <linux/uaccess.h> 19 20 ··· 718 717 719 718 static int efi_test_open(struct inode *inode, struct file *file) 720 719 { 720 + int ret = security_locked_down(LOCKDOWN_EFI_TEST); 721 + 722 + if (ret) 723 + return ret; 724 + 725 + if (!capable(CAP_SYS_ADMIN)) 726 + return -EACCES; 721 727 /* 722 728 * nothing special to do here 723 729 * We do accept multiple open files at the same time as we

+1

drivers/firmware/efi/tpm.c

··· 88 88 89 89 if (tbl_size < 0) { 90 90 pr_err(FW_BUG "Failed to parse event in TPM Final Events Log\n"); 91 + ret = -EINVAL; 91 92 goto out_calc; 92 93 } 93 94

+16 -2

include/linux/efi.h

··· 1579 1579 efi_status_t efi_get_memory_map(efi_system_table_t *sys_table_arg, 1580 1580 struct efi_boot_memmap *map); 1581 1581 1582 + efi_status_t efi_low_alloc_above(efi_system_table_t *sys_table_arg, 1583 + unsigned long size, unsigned long align, 1584 + unsigned long *addr, unsigned long min); 1585 + 1586 + static inline 1582 1587 efi_status_t efi_low_alloc(efi_system_table_t *sys_table_arg, 1583 1588 unsigned long size, unsigned long align, 1584 - unsigned long *addr); 1589 + unsigned long *addr) 1590 + { 1591 + /* 1592 + * Don't allocate at 0x0. It will confuse code that 1593 + * checks pointers against NULL. Skip the first 8 1594 + * bytes so we start at a nice even number. 1595 + */ 1596 + return efi_low_alloc_above(sys_table_arg, size, align, addr, 0x8); 1597 + } 1585 1598 1586 1599 efi_status_t efi_high_alloc(efi_system_table_t *sys_table_arg, 1587 1600 unsigned long size, unsigned long align, ··· 1605 1592 unsigned long image_size, 1606 1593 unsigned long alloc_size, 1607 1594 unsigned long preferred_addr, 1608 - unsigned long alignment); 1595 + unsigned long alignment, 1596 + unsigned long min_addr); 1609 1597 1610 1598 efi_status_t handle_cmdline_files(efi_system_table_t *sys_table_arg, 1611 1599 efi_loaded_image_t *image,

+1

include/linux/security.h

··· 105 105 LOCKDOWN_NONE, 106 106 LOCKDOWN_MODULE_SIGNATURE, 107 107 LOCKDOWN_DEV_MEM, 108 + LOCKDOWN_EFI_TEST, 108 109 LOCKDOWN_KEXEC, 109 110 LOCKDOWN_HIBERNATION, 110 111 LOCKDOWN_PCI_ACCESS,

+1

security/lockdown/lockdown.c

··· 20 20 [LOCKDOWN_NONE] = "none", 21 21 [LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading", 22 22 [LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port", 23 + [LOCKDOWN_EFI_TEST] = "/dev/efi_test access", 23 24 [LOCKDOWN_KEXEC] = "kexec of unsigned images", 24 25 [LOCKDOWN_HIBERNATION] = "hibernation", 25 26 [LOCKDOWN_PCI_ACCESS] = "direct PCI access",

Configure Feed

Configure Feed