x86/efi: Avoid triple faults during EFI mixed mode calls

Andy pointed out that if an NMI or MCE is received while we're in the middle of an EFI mixed mode call a triple fault will occur. This can happen, for example, when issuing an EFI mixed mode call while running perf. The reason for the triple fault is that we execute the mixed mode call in 32-bit mode with paging disabled but with 64-bit kernel IDT handlers installed throughout the call. At Andy's suggestion, stop playing the games we currently do at runtime, such as disabling paging and installing a 32-bit GDT for __KERNEL_CS. We can simply switch to the __KERNEL32_CS descriptor before invoking firmware services, and run in compatibility mode. This way, if an NMI/MCE does occur the kernel IDT handler will execute correctly, since it'll jump to __KERNEL_CS automatically. However, this change is only possible post-ExitBootServices(). Before then the firmware "owns" the machine and expects for its 32-bit IDT handlers to be left intact to service interrupts, etc. So, we now need to distinguish between early boot and runtime invocations of EFI services. During early boot, we need to restore the GDT that the firmware expects to be present. We can only jump to the __KERNEL32_CS code segment for mixed mode calls after ExitBootServices() has been invoked. A liberal sprinkling of comments in the thunking code should make the differences in early and late environments more apparent. Reported-by: Andy Lutomirski <luto@amacapital.net> Tested-by: Borislav Petkov <bp@suse.de> Cc: <stable@vger.kernel.org> Signed-off-by: Matt Fleming <matt.fleming@intel.com>
author: Matt Fleming <matt.fleming@intel.com> 2015-01-13 10:25:00 -0500
committer: Matt Fleming <matt.fleming@intel.com> 2015-02-13 10:42:56 -0500
commit: 96738c69a7fcdbf0d7c9df0c8a27660011e82a7b (patch)
tree: 4b3afbfe8476f8eef85b2f7862abeb695076cd46 /arch/x86/boot
parent: 3c01b74e818a7a3b2ee9b0d584cca0bc154a031c (diff)
3 files changed, 197 insertions, 25 deletions
diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
index ad754b4411f7..8bd44e8ee6e2 100644
--- a/arch/x86/boot/compressed/Makefile
+++ b/arch/x86/boot/compressed/Makefile
@@ -49,6 +49,7 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone
 vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \
        $(objtree)/drivers/firmware/efi/libstub/lib.a
+vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
 $(obj)/vmlinux: $(vmlinux-objs-y) FORCE
        $(call if_changed,ld)
diff --git a/arch/x86/boot/compressed/efi_stub_64.S b/arch/x86/boot/compressed/efi_stub_64.S
index 7ff3632806b1..99494dff2113 100644
--- a/arch/x86/boot/compressed/efi_stub_64.S
+++ b/arch/x86/boot/compressed/efi_stub_64.S
@@ -3,28 +3,3 @@
 #include <asm/processor-flags.h>
 #include "../../platform/efi/efi_stub_64.S"
-#ifdef CONFIG_EFI_MIXED
-        .code64
-        .text
-ENTRY(efi64_thunk)
-        push    %rbp
-        push    %rbx
-        subq    $16, %rsp
-        leaq    efi_exit32(%rip), %rax
-        movl    %eax, 8(%rsp)
-        leaq    efi_gdt64(%rip), %rax
-        movl    %eax, 4(%rsp)
-        movl    %eax, 2(%rax)           /* Fixup the gdt base address */
-        leaq    efi32_boot_gdt(%rip), %rax
-        movl    %eax, (%rsp)
-        call    __efi64_thunk
-        addq    $16, %rsp
-        pop     %rbx
-        pop     %rbp
-        ret
-ENDPROC(efi64_thunk)
-#endif /* CONFIG_EFI_MIXED */
diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
new file mode 100644
index 000000000000..630384a4c14a
--- /dev/null
+++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -0,0 +1,196 @@
+/*
+ * Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming
+ *
+ * Early support for invoking 32-bit EFI services from a 64-bit kernel.
+ *
+ * Because this thunking occurs before ExitBootServices() we have to
+ * restore the firmware's 32-bit GDT before we make EFI serivce calls,
+ * since the firmware's 32-bit IDT is still currently installed and it
+ * needs to be able to service interrupts.
+ *
+ * On the plus side, we don't have to worry about mangling 64-bit
+ * addresses into 32-bits because we're executing with an identify
+ * mapped pagetable and haven't transitioned to 64-bit virtual addresses
+ * yet.
+ */
+#include <linux/linkage.h>
+#include <asm/msr.h>
+#include <asm/page_types.h>
+#include <asm/processor-flags.h>
+#include <asm/segment.h>
+        .code64
+        .text
+ENTRY(efi64_thunk)
+        push    %rbp
+        push    %rbx
+        subq    $8, %rsp
+        leaq    efi_exit32(%rip), %rax
+        movl    %eax, 4(%rsp)
+        leaq    efi_gdt64(%rip), %rax
+        movl    %eax, (%rsp)
+        movl    %eax, 2(%rax)           /* Fixup the gdt base address */
+        movl    %ds, %eax
+        push    %rax
+        movl    %es, %eax
+        push    %rax
+        movl    %ss, %eax
+        push    %rax
+        /*
+         * Convert x86-64 ABI params to i386 ABI
+         */
+        subq    $32, %rsp
+        movl    %esi, 0x0(%rsp)
+        movl    %edx, 0x4(%rsp)
+        movl    %ecx, 0x8(%rsp)
+        movq    %r8, %rsi
+        movl    %esi, 0xc(%rsp)
+        movq    %r9, %rsi
+        movl    %esi,  0x10(%rsp)
+        sgdt    save_gdt(%rip)
+        leaq    1f(%rip), %rbx
+        movq    %rbx, func_rt_ptr(%rip)
+        /*
+         * Switch to gdt with 32-bit segments. This is the firmware GDT
+         * that was installed when the kernel started executing. This
+         * pointer was saved at the EFI stub entry point in head_64.S.
+         */
+        leaq    efi32_boot_gdt(%rip), %rax
+        lgdt    (%rax)
+        pushq   $__KERNEL_CS
+        leaq    efi_enter32(%rip), %rax
+        pushq   %rax
+        lretq
+1:      addq    $32, %rsp
+        lgdt    save_gdt(%rip)
+        pop     %rbx
+        movl    %ebx, %ss
+        pop     %rbx
+        movl    %ebx, %es
+        pop     %rbx
+        movl    %ebx, %ds
+        /*
+         * Convert 32-bit status code into 64-bit.
+         */
+        test    %rax, %rax
+        jz      1f
+        movl    %eax, %ecx
+        andl    $0x0fffffff, %ecx
+        andl    $0xf0000000, %eax
+        shl     $32, %rax
+        or      %rcx, %rax
+1:
+        addq    $8, %rsp
+        pop     %rbx
+        pop     %rbp
+        ret
+ENDPROC(efi64_thunk)
+ENTRY(efi_exit32)
+        movq    func_rt_ptr(%rip), %rax
+        push    %rax
+        mov     %rdi, %rax
+        ret
+ENDPROC(efi_exit32)
+        .code32
+/*
+ * EFI service pointer must be in %edi.
+ *
+ * The stack should represent the 32-bit calling convention.
+ */
+ENTRY(efi_enter32)
+        movl    $__KERNEL_DS, %eax
+        movl    %eax, %ds
+        movl    %eax, %es
+        movl    %eax, %ss
+        /* Reload pgtables */
+        movl    %cr3, %eax
+        movl    %eax, %cr3
+        /* Disable paging */
+        movl    %cr0, %eax
+        btrl    $X86_CR0_PG_BIT, %eax
+        movl    %eax, %cr0
+        /* Disable long mode via EFER */
+        movl    $MSR_EFER, %ecx
+        rdmsr
+        btrl    $_EFER_LME, %eax
+        wrmsr
+        call    *%edi
+        /* We must preserve return value */
+        movl    %eax, %edi
+        /*
+         * Some firmware will return with interrupts enabled. Be sure to
+         * disable them before we switch GDTs.
+         */
+        cli
+        movl    56(%esp), %eax
+        movl    %eax, 2(%eax)
+        lgdtl   (%eax)
+        movl    %cr4, %eax
+        btsl    $(X86_CR4_PAE_BIT), %eax
+        movl    %eax, %cr4
+        movl    %cr3, %eax
+        movl    %eax, %cr3
+        movl    $MSR_EFER, %ecx
+        rdmsr
+        btsl    $_EFER_LME, %eax
+        wrmsr
+        xorl    %eax, %eax
+        lldt    %ax
+        movl    60(%esp), %eax
+        pushl   $__KERNEL_CS
+        pushl   %eax
+        /* Enable paging */
+        movl    %cr0, %eax
+        btsl    $X86_CR0_PG_BIT, %eax
+        movl    %eax, %cr0
+        lret
+ENDPROC(efi_enter32)
+        .data
+        .balign 8
+        .global efi32_boot_gdt
+efi32_boot_gdt: .word   0
+                .quad   0
+save_gdt:       .word   0
+                .quad   0
+func_rt_ptr:    .quad   0
+        .global efi_gdt64
+efi_gdt64:
+        .word   efi_gdt64_end - efi_gdt64
+        .long   0                       /* Filled out by user */
+        .word   0
+        .quad   0x0000000000000000      /* NULL descriptor */
+        .quad   0x00af9a000000ffff      /* __KERNEL_CS */
+        .quad   0x00cf92000000ffff      /* __KERNEL_DS */
+        .quad   0x0080890000000000      /* TS descriptor */
+        .quad   0x0000000000000000      /* TS continued */
+efi_gdt64_end:
author	Matt Fleming <matt.fleming@intel.com>	2015-01-13 10:25:00 -0500
committer	Matt Fleming <matt.fleming@intel.com>	2015-02-13 10:42:56 -0500
commit	96738c69a7fcdbf0d7c9df0c8a27660011e82a7b (patch)
tree	4b3afbfe8476f8eef85b2f7862abeb695076cd46 /arch/x86/boot
parent	3c01b74e818a7a3b2ee9b0d584cca0bc154a031c (diff)

diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile index ad754b4411f7..8bd44e8ee6e2 100644 --- a/arch/x86/boot/compressed/Makefile +++ b/arch/x86/boot/compressed/Makefile
@@ -49,6 +49,7 @@ $(obj)/eboot.o: KBUILD_CFLAGS += -fshort-wchar -mno-red-zone
49		49
50	vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \	50	vmlinux-objs-$(CONFIG_EFI_STUB) += $(obj)/eboot.o $(obj)/efi_stub_$(BITS).o \
51	$(objtree)/drivers/firmware/efi/libstub/lib.a	51	$(objtree)/drivers/firmware/efi/libstub/lib.a
		52	vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
52		53
53	$(obj)/vmlinux: $(vmlinux-objs-y) FORCE	54	$(obj)/vmlinux: $(vmlinux-objs-y) FORCE
54	$(call if_changed,ld)	55	$(call if_changed,ld)


diff --git a/arch/x86/boot/compressed/efi_stub_64.S b/arch/x86/boot/compressed/efi_stub_64.S index 7ff3632806b1..99494dff2113 100644 --- a/arch/x86/boot/compressed/efi_stub_64.S +++ b/arch/x86/boot/compressed/efi_stub_64.S
@@ -3,28 +3,3 @@
3	#include <asm/processor-flags.h>	3	#include <asm/processor-flags.h>
4		4
5	#include "../../platform/efi/efi_stub_64.S"	5	#include "../../platform/efi/efi_stub_64.S"
6
7	#ifdef CONFIG_EFI_MIXED
8	.code64
9	.text
10	ENTRY(efi64_thunk)
11	push %rbp
12	push %rbx
13
14	subq $16, %rsp
15	leaq efi_exit32(%rip), %rax
16	movl %eax, 8(%rsp)
17	leaq efi_gdt64(%rip), %rax
18	movl %eax, 4(%rsp)
19	movl %eax, 2(%rax) /* Fixup the gdt base address */
20	leaq efi32_boot_gdt(%rip), %rax
21	movl %eax, (%rsp)
22
23	call __efi64_thunk
24
25	addq $16, %rsp
26	pop %rbx
27	pop %rbp
28	ret
29	ENDPROC(efi64_thunk)
30	#endif /* CONFIG_EFI_MIXED */


diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S new file mode 100644 index 000000000000..630384a4c14a --- /dev/null +++ b/arch/x86/boot/compressed/efi_thunk_64.S
@@ -0,0 +1,196 @@
		1	/*
		2	* Copyright (C) 2014, 2015 Intel Corporation; author Matt Fleming
		3	*
		4	* Early support for invoking 32-bit EFI services from a 64-bit kernel.
		5	*
		6	* Because this thunking occurs before ExitBootServices() we have to
		7	* restore the firmware's 32-bit GDT before we make EFI serivce calls,
		8	* since the firmware's 32-bit IDT is still currently installed and it
		9	* needs to be able to service interrupts.
		10	*
		11	* On the plus side, we don't have to worry about mangling 64-bit
		12	* addresses into 32-bits because we're executing with an identify
		13	* mapped pagetable and haven't transitioned to 64-bit virtual addresses
		14	* yet.
		15	*/
		16
		17	#include <linux/linkage.h>
		18	#include <asm/msr.h>
		19	#include <asm/page_types.h>
		20	#include <asm/processor-flags.h>
		21	#include <asm/segment.h>
		22
		23	.code64
		24	.text
		25	ENTRY(efi64_thunk)
		26	push %rbp
		27	push %rbx
		28
		29	subq $8, %rsp
		30	leaq efi_exit32(%rip), %rax
		31	movl %eax, 4(%rsp)
		32	leaq efi_gdt64(%rip), %rax
		33	movl %eax, (%rsp)
		34	movl %eax, 2(%rax) /* Fixup the gdt base address */
		35
		36	movl %ds, %eax
		37	push %rax
		38	movl %es, %eax
		39	push %rax
		40	movl %ss, %eax
		41	push %rax
		42
		43	/*
		44	* Convert x86-64 ABI params to i386 ABI
		45	*/
		46	subq $32, %rsp
		47	movl %esi, 0x0(%rsp)
		48	movl %edx, 0x4(%rsp)
		49	movl %ecx, 0x8(%rsp)
		50	movq %r8, %rsi
		51	movl %esi, 0xc(%rsp)
		52	movq %r9, %rsi
		53	movl %esi, 0x10(%rsp)
		54
		55	sgdt save_gdt(%rip)
		56
		57	leaq 1f(%rip), %rbx
		58	movq %rbx, func_rt_ptr(%rip)
		59
		60	/*
		61	* Switch to gdt with 32-bit segments. This is the firmware GDT
		62	* that was installed when the kernel started executing. This
		63	* pointer was saved at the EFI stub entry point in head_64.S.
		64	*/
		65	leaq efi32_boot_gdt(%rip), %rax
		66	lgdt (%rax)
		67
		68	pushq $__KERNEL_CS
		69	leaq efi_enter32(%rip), %rax
		70	pushq %rax
		71	lretq
		72
		73	1: addq $32, %rsp
		74
		75	lgdt save_gdt(%rip)
		76
		77	pop %rbx
		78	movl %ebx, %ss
		79	pop %rbx
		80	movl %ebx, %es
		81	pop %rbx
		82	movl %ebx, %ds
		83
		84	/*
		85	* Convert 32-bit status code into 64-bit.
		86	*/
		87	test %rax, %rax
		88	jz 1f
		89	movl %eax, %ecx
		90	andl $0x0fffffff, %ecx
		91	andl $0xf0000000, %eax
		92	shl $32, %rax
		93	or %rcx, %rax
		94	1:
		95	addq $8, %rsp
		96	pop %rbx
		97	pop %rbp
		98	ret
		99	ENDPROC(efi64_thunk)
		100
		101	ENTRY(efi_exit32)
		102	movq func_rt_ptr(%rip), %rax
		103	push %rax
		104	mov %rdi, %rax
		105	ret
		106	ENDPROC(efi_exit32)
		107
		108	.code32
		109	/*
		110	* EFI service pointer must be in %edi.
		111	*
		112	* The stack should represent the 32-bit calling convention.
		113	*/
		114	ENTRY(efi_enter32)
		115	movl $__KERNEL_DS, %eax
		116	movl %eax, %ds
		117	movl %eax, %es
		118	movl %eax, %ss
		119
		120	/* Reload pgtables */
		121	movl %cr3, %eax
		122	movl %eax, %cr3
		123
		124	/* Disable paging */
		125	movl %cr0, %eax
		126	btrl $X86_CR0_PG_BIT, %eax
		127	movl %eax, %cr0
		128
		129	/* Disable long mode via EFER */
		130	movl $MSR_EFER, %ecx
		131	rdmsr
		132	btrl $_EFER_LME, %eax
		133	wrmsr
		134
		135	call *%edi
		136
		137	/* We must preserve return value */
		138	movl %eax, %edi
		139
		140	/*
		141	* Some firmware will return with interrupts enabled. Be sure to
		142	* disable them before we switch GDTs.
		143	*/
		144	cli
		145
		146	movl 56(%esp), %eax
		147	movl %eax, 2(%eax)
		148	lgdtl (%eax)
		149
		150	movl %cr4, %eax
		151	btsl $(X86_CR4_PAE_BIT), %eax
		152	movl %eax, %cr4
		153
		154	movl %cr3, %eax
		155	movl %eax, %cr3
		156
		157	movl $MSR_EFER, %ecx
		158	rdmsr
		159	btsl $_EFER_LME, %eax
		160	wrmsr
		161
		162	xorl %eax, %eax
		163	lldt %ax
		164
		165	movl 60(%esp), %eax
		166	pushl $__KERNEL_CS
		167	pushl %eax
		168
		169	/* Enable paging */
		170	movl %cr0, %eax
		171	btsl $X86_CR0_PG_BIT, %eax
		172	movl %eax, %cr0
		173	lret
		174	ENDPROC(efi_enter32)
		175
		176	.data
		177	.balign 8
		178	.global efi32_boot_gdt
		179	efi32_boot_gdt: .word 0
		180	.quad 0
		181
		182	save_gdt: .word 0
		183	.quad 0
		184	func_rt_ptr: .quad 0
		185
		186	.global efi_gdt64
		187	efi_gdt64:
		188	.word efi_gdt64_end - efi_gdt64
		189	.long 0 /* Filled out by user */
		190	.word 0
		191	.quad 0x0000000000000000 /* NULL descriptor */
		192	.quad 0x00af9a000000ffff /* __KERNEL_CS */
		193	.quad 0x00cf92000000ffff /* __KERNEL_DS */
		194	.quad 0x0080890000000000 /* TS descriptor */
		195	.quad 0x0000000000000000 /* TS continued */
		196	efi_gdt64_end: