From patchwork Wed Oct 25 10:04:48 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 117083
Delivered-To: patch@linaro.org
Received: by 10.140.22.164 with SMTP id 33csp657277qgn;
 Wed, 25 Oct 2017 03:05:15 -0700 (PDT)
X-Google-Smtp-Source: ABhQp+T56ETY3UMyoTtYuB4O3/gVnBYih18CRBvi/ds8V0eq+va4MyUyI72+mnlxuUq8C0u2Jf9j
X-Received: by 10.159.242.137 with SMTP id u9mr1330812plr.243.1508925915713; 
 Wed, 25 Oct 2017 03:05:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1508925915; cv=none;
 d=google.com; s=arc-20160816;
 b=VnoouLs0qO9dKPrGh79Bc12L4b1m2/Y/ZMO3V7s/MItmpK8WIrVJJb8uj3jeLhtxmx
 FMVCE3bvfZNdDCsaeFB1PMdnOCeJtwd0jAQJl0vmIar3tTSmcxgaK/99rQsHelzdHwse
 hxHKzk9KX/bPaSNDYWEoROApTDCntgHy8Dzun+GrZZVbky2PPtIyCnCLAmLfTn+vqq99
 yjAkfgWWIj1S0msAcXp2y+VKgxTYqZZHQX8JB/wOzHfG/GWiOaPyVHzkysm3zBv4y2kj
 xyXYvC3lljkqRTvq8+iAqp8rFmT5qICRnWR/VHsJQYPjPvPy1cYb4ExnSVAADCVYWXCG
 xxyw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature:arc-authentication-results;
 bh=/vg2x+APkhjFPAaGECXv98eKudTaRbF1QP1O1arIM0U=;
 b=WDzX8WV3kwuG8L0Kq5KeXFVD03G1ufDazFTPkbR5e6W7ic1OHwIqGZmZD7k1r+w+YJ
 AtwYJGUiPBiR1BweuLRUMm/a+h6/WRjSe3NayrL6HKi7MiY+fct9YF7KvwNQjudxVcQf
 tqKjLhbUniNbrqMq2uPED/f71zADHD2EWrKdRMTenc0k44g3clU8qm9DEk+Uy93hWSJM
 f245B1i97vb1YS+DL6SdDS/6K2DB3/ugHrM/R5DXbhuHUYJmy6suHFUiJeZ/3IA4IuPg
 FetaWska6pz0vv4ge2PhxKmJvf1phLW8ASIMlcCOih7aBh/AETlOMqvb4aK7A98ZAPZs
 QKKA==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=YVYd3p5G;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id
 s18si1780355pfg.199.2017.10.25.03.05.15; 
 Wed, 25 Oct 2017 03:05:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=YVYd3p5G;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S932486AbdJYKFO (ORCPT <rfc822;semen.protsenko@linaro.org>
 + 27 others); Wed, 25 Oct 2017 06:05:14 -0400
Received: from mail-wr0-f195.google.com ([209.85.128.195]:54696 "EHLO
 mail-wr0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S932399AbdJYKFF (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Wed, 25 Oct 2017 06:05:05 -0400
Received: by mail-wr0-f195.google.com with SMTP id o44so23390945wrf.11
 for <linux-kernel@vger.kernel.org>;
 Wed, 25 Oct 2017 03:05:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=/vg2x+APkhjFPAaGECXv98eKudTaRbF1QP1O1arIM0U=;
 b=YVYd3p5GzrP+fjHSsBw9CS5farJrcHP3EMvRoMUF9gIJdLyumws6VMRtzkVttjYoW/
 UO5f8+9SSlAUg1Y0xLjDycNA6e/tMhd+iHdfy8b/zWLE1oFNVNKU9p2wgrlhWNdRwvGo
 b/0/6AJ6kD5qGXPPmYn7WVOkMyzLzxdUrSIZ8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=/vg2x+APkhjFPAaGECXv98eKudTaRbF1QP1O1arIM0U=;
 b=iAxc9VJ76P4JmOJQ+JVmwVv/x7ec05YOXaI0Fyul2fAUocl0a7q8wO0jQ+Iih/d2Q9
 txSRXIKCzAaWuRjOxukHAtNn5DCvqdoJlJXZrCJcbXJohQXmSvidfyFjSJ1umrrYeSj1
 VUpUZ/YWS/APk5nBJxvp6VvYvZrwk7r9EKsWU9Wk2aVKbbUKC1MKw6oj0iwtnvmCoorA
 n1ZfRr1Cpe9x5h2wwfqHHSaEJhCcdaXYEot12kJH625KRU9jnr1IzinrmMCEczJK7ots
 8tOJMKAz4jjlVHWLXETuejrpk3eI0nGD/6u2ekh41UipPxpvdETZCsl2WQXcNKAas4bE
 HW0A==
X-Gm-Message-State: AMCzsaW4iAUk9I49rDMUdChYNfHA8blY5cZX9fMP/WekizjZb0kQuLrq
 N0yaDkwLOcnlmNUfzPswFaRx5/aFTkw=
X-Received: by 10.223.139.85 with SMTP id v21mr1711136wra.70.1508925904530; 
 Wed, 25 Oct 2017 03:05:04 -0700 (PDT)
Received: from localhost.localdomain ([160.161.173.60])
 by smtp.gmail.com with ESMTPSA id
 n30sm2089657wra.39.2017.10.25.03.05.02
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 25 Oct 2017 03:05:03 -0700 (PDT)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-efi@vger.kernel.org, Ingo Molnar <mingo@kernel.org>,
 Thomas Gleixner <tglx@linutronix.de>, "H . Peter Anvin" <hpa@zytor.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 linux-kernel@vger.kernel.org, James Morse <james.morse@arm.com>,
 Matt Fleming <matt@codeblueprint.co.uk>
Subject: [PATCH 2/2] efi/libstub: arm: don't randomize runtime regions when
 CONFIG_HIBERNATION=y
Date: Wed, 25 Oct 2017 11:04:48 +0100
Message-Id: <20171025100448.26056-3-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
References: <20171025100448.26056-1-ard.biesheuvel@linaro.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit

  e69176d68d26 ef/libstub/arm/arm64: Randomize the base of the UEFI rt services region

implemented randomization of the virtual mapping that the OS chooses for
the UEFI runtime services. This was motivated by the fact that UEFI usually
does not bother to specify any permission restrictions for those regions,
making them prime real estate for exploitation now that the OS is getting
more and more careful not to leave any R+W+X mapped regions lying around.

However, this randomization breaks assumptions in the resume from
hibernation code, which expects all memory regions populated by UEFI to
remain in the same place, including their virtual mapping into the OS
memory space. While this assumption may not be entirely reasonable in the
first place, breaking it deliberately does not make a lot of sense either.
So let's refrain from this randomization pass if CONFIG_HIBERNATION=y.

Cc: James Morse <james.morse@arm.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 drivers/firmware/efi/libstub/arm-stub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

-- 
2.11.0

diff --git a/drivers/firmware/efi/libstub/arm-stub.c b/drivers/firmware/efi/libstub/arm-stub.c
index 1cb2d1c070c3..a94601d5939e 100644
--- a/drivers/firmware/efi/libstub/arm-stub.c
+++ b/drivers/firmware/efi/libstub/arm-stub.c
@@ -238,7 +238,8 @@ unsigned long efi_entry(void *handle, efi_system_table_t *sys_table,
 
 	efi_random_get_seed(sys_table);
 
-	if (!nokaslr()) {
+	/* hibernation expects the runtime regions to stay in the same place */
+	if (!IS_ENABLED(CONFIG_HIBERNATION) && !nokaslr()) {
 		/*
 		 * Randomize the base of the UEFI runtime services region.
 		 * Preserve the 2 MB alignment of the region by taking a