[PATCH] efi: Wipe INITRD config table from memory after consumption

[PATCH] efi: Wipe INITRD config table from memory after consumption

[Ard Biesheuvel]

When the EFI stub itself loads the initrd and puts it in memory (rather
than simply passing on a struct boot_params or device tree that already
carries initrd information), it exposes this information to the core
kernel via a INITRD configuration table.

Given that config tables are preserved across kexec, this means that
subsequent kexec boots will observe the same information, even though it
most likely has become stale by that point. On x86, this information is
usually superseded by the initrd info passed via bootparams, in which
case this stale information is simply ignored. However, when performing
a kexec boot without passing an initrd, the loader falls back to this
stale information and explodes.

So wipe the base and size from the INITRD config table as soon as it has
been consumed. This fixes the issue for kexec on all EFI architectures.

Reported-by: James Le Cuirot <chewi@gentoo.org>
Tested-by: James Le Cuirot <chewi@gentoo.org>
Acked-by: H. Peter Anvin (Intel) <hpa@zytor.com>
Link: https://lore.kernel.org/all/20251126173209.374755-2-chewi@gentoo.org
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/efi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index a9070d00b833..988198c36a63 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -818,6 +818,7 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables,
 		if (tbl) {
 			phys_initrd_start = tbl->base;
 			phys_initrd_size = tbl->size;
+			tbl->base = tbl->size = 0;
 			early_memunmap(tbl, sizeof(*tbl));
 		}
 	}
-- 
2.47.3

Re: [PATCH] efi: Wipe INITRD config table from memory after consumption

[Ard Biesheuvel]

On Fri, 5 Dec 2025 at 10:32, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> When the EFI stub itself loads the initrd and puts it in memory (rather
> than simply passing on a struct boot_params or device tree that already
> carries initrd information), it exposes this information to the core
> kernel via a INITRD configuration table.
>
> Given that config tables are preserved across kexec, this means that
> subsequent kexec boots will observe the same information, even though it
> most likely has become stale by that point. On x86, this information is
> usually superseded by the initrd info passed via bootparams, in which
> case this stale information is simply ignored. However, when performing
> a kexec boot without passing an initrd, the loader falls back to this
> stale information and explodes.
>
> So wipe the base and size from the INITRD config table as soon as it has
> been consumed. This fixes the issue for kexec on all EFI architectures.
>
> Reported-by: James Le Cuirot <chewi@gentoo.org>
> Tested-by: James Le Cuirot <chewi@gentoo.org>
> Acked-by: H. Peter Anvin (Intel) <hpa@zytor.com>
> Link: https://lore.kernel.org/all/20251126173209.374755-2-chewi@gentoo.org
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  drivers/firmware/efi/efi.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
> index a9070d00b833..988198c36a63 100644
> --- a/drivers/firmware/efi/efi.c
> +++ b/drivers/firmware/efi/efi.c
> @@ -818,6 +818,7 @@ int __init efi_config_parse_tables(const efi_config_table_t *config_tables,
>                 if (tbl) {
>                         phys_initrd_start = tbl->base;
>                         phys_initrd_size = tbl->size;
> +                       tbl->base = tbl->size = 0;
>                         early_memunmap(tbl, sizeof(*tbl));
>                 }
>         }

I had forgotten about this, I've queued it up now.