[PATCH] lkdtm: Add case to provoke a crash in EFI runtime services

[PATCH] lkdtm: Add case to provoke a crash in EFI runtime services

[Ard Biesheuvel]

From: Ard Biesheuvel <ardb@kernel.org>

Add a lkdtm test case that triggers a fault during the execution of a
EFI runtime service by passing a read-only variable as a by-ref argument
that the firmware is supposed to update.

This is useful for testing the graceful handling of faults/exception in
EFI platform firmware, which is implemented on x86 and arm64.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/misc/lkdtm/bugs.c | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index e0098f314570..3eca2ef64aff 100644
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -7,6 +7,7 @@
  */
 #include "lkdtm.h"
 #include <linux/cpu.h>
+#include <linux/efi.h>
 #include <linux/list.h>
 #include <linux/hrtimer.h>
 #include <linux/sched.h>
@@ -817,6 +818,29 @@ static noinline void lkdtm_CORRUPT_PAC(void)
 #endif
 }
 
+static void __maybe_unused lkdtm_EFI_RUNTIME_CRASH(void)
+{
+	static unsigned long size __ro_after_init = sizeof(efi_char16_t);
+	efi_status_t status;
+
+	if (!efi.get_next_variable ||
+	    !efi_enabled(EFI_RUNTIME_SERVICES) ||
+	    !efi_rt_services_supported(EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME)) {
+		pr_err("FAIL: EFI GetNextVariableName() is not available\n");
+		return;
+	}
+
+	/*
+	 * Provoke a fault by asking the firmware to write to a read-only
+	 * variable.
+	 */
+	status = efi.get_next_variable(&size, L"", &(efi_guid_t){});
+
+	if (status != EFI_ABORTED || efi_enabled(EFI_RUNTIME_SERVICES))
+		pr_err("FAIL: EFI GetNextVariable() did not abort (%#lx)\n",
+		       status);
+}
+
 static struct crashtype crashtypes[] = {
 	CRASHTYPE(PANIC),
 	CRASHTYPE(PANIC_STOP_IRQOFF),
@@ -850,6 +874,9 @@ static struct crashtype crashtypes[] = {
 	CRASHTYPE(UNSET_SMEP),
 	CRASHTYPE(DOUBLE_FAULT),
 	CRASHTYPE(CORRUPT_PAC),
+#ifdef CONFIG_EFI
+	CRASHTYPE(EFI_RUNTIME_CRASH),
+#endif
 };
 
 struct crashtype_category bugs_crashtypes = {
-- 
2.54.0.545.g6539524ca2-goog

Re: [PATCH] lkdtm: Add case to provoke a crash in EFI runtime services

[Ard Biesheuvel]

On Fri, 1 May 2026, at 19:01, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
>
> Add a lkdtm test case that triggers a fault during the execution of a
> EFI runtime service by passing a read-only variable as a by-ref argument
> that the firmware is supposed to update.
>
> This is useful for testing the graceful handling of faults/exception in
> EFI platform firmware, which is implemented on x86 and arm64.
>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> ---
>  drivers/misc/lkdtm/bugs.c | 27 +++++++++++++++++++++++++++
>  1 file changed, 27 insertions(+)
>

Ping?

> diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
> index e0098f314570..3eca2ef64aff 100644
> --- a/drivers/misc/lkdtm/bugs.c
> +++ b/drivers/misc/lkdtm/bugs.c
> @@ -7,6 +7,7 @@
>   */
>  #include "lkdtm.h"
>  #include <linux/cpu.h>
> +#include <linux/efi.h>
>  #include <linux/list.h>
>  #include <linux/hrtimer.h>
>  #include <linux/sched.h>
> @@ -817,6 +818,29 @@ static noinline void lkdtm_CORRUPT_PAC(void)
>  #endif
>  }
> 
> +static void __maybe_unused lkdtm_EFI_RUNTIME_CRASH(void)
> +{
> +	static unsigned long size __ro_after_init = sizeof(efi_char16_t);
> +	efi_status_t status;
> +
> +	if (!efi.get_next_variable ||
> +	    !efi_enabled(EFI_RUNTIME_SERVICES) ||
> +	    !efi_rt_services_supported(EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME)) {
> +		pr_err("FAIL: EFI GetNextVariableName() is not available\n");
> +		return;
> +	}
> +
> +	/*
> +	 * Provoke a fault by asking the firmware to write to a read-only
> +	 * variable.
> +	 */
> +	status = efi.get_next_variable(&size, L"", &(efi_guid_t){});
> +
> +	if (status != EFI_ABORTED || efi_enabled(EFI_RUNTIME_SERVICES))
> +		pr_err("FAIL: EFI GetNextVariable() did not abort (%#lx)\n",
> +		       status);
> +}
> +
>  static struct crashtype crashtypes[] = {
>  	CRASHTYPE(PANIC),
>  	CRASHTYPE(PANIC_STOP_IRQOFF),
> @@ -850,6 +874,9 @@ static struct crashtype crashtypes[] = {
>  	CRASHTYPE(UNSET_SMEP),
>  	CRASHTYPE(DOUBLE_FAULT),
>  	CRASHTYPE(CORRUPT_PAC),
> +#ifdef CONFIG_EFI
> +	CRASHTYPE(EFI_RUNTIME_CRASH),
> +#endif
>  };
> 
>  struct crashtype_category bugs_crashtypes = {
> -- 
> 2.54.0.545.g6539524ca2-goog

Re: [PATCH] lkdtm: Add case to provoke a crash in EFI runtime services

[Kees Cook]

On Fri, 01 May 2026 19:01:56 +0200, Ard Biesheuvel wrote:
> Add a lkdtm test case that triggers a fault during the execution of a
> EFI runtime service by passing a read-only variable as a by-ref argument
> that the firmware is supposed to update.
> 
> This is useful for testing the graceful handling of faults/exception in
> EFI platform firmware, which is implemented on x86 and arm64.
> 
> [...]

Applied to for-next/hardening, thanks!

[1/1] lkdtm: Add case to provoke a crash in EFI runtime services
      https://git.kernel.org/kees/c/a34039981e6d

Take care,

-- 
Kees Cook