[PATCH v2 0/3] efi: Allow initrd LoadFile2 proto on loaded image

[PATCH v2 0/3] efi: Allow initrd LoadFile2 proto on loaded image

[Ard Biesheuvel]

Rework the code that loads the initrd via LoadFile2 so that it looks for
the protocol on the loaded image handle first, and only if it doesn't
find it here, on the global singleton device path. This works around
reported issues where intermediate loader stages are providing an initrd
via this mechanism, and subsequently loading another intermediate boot
stage that does the same.

Changes since v1:
- pass 'end of device path' to LoadFile2() when grabbing the protocol
  from the loaded image instead of from the initrd global device path
- add Ilias's tags

Link: https://github.com/systemd/systemd/issues/26723

Cc: Michael Brown <mcb30@ipxe.org>
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>

Ard Biesheuvel (3):
  efi/libstub: Use const qualified device path protocol pointers
  efi/libstub: Pass loaded image EFI handle to efi_load_initrd()
  efi/libstub: Look for initrd LoadFile2 protocol on image handle

 drivers/firmware/efi/libstub/efi-stub-helper.c | 56 ++++++++++++--------
 drivers/firmware/efi/libstub/efi-stub.c        |  4 +-
 drivers/firmware/efi/libstub/efistub.h         |  7 +--
 drivers/firmware/efi/libstub/file.c            |  2 +-
 drivers/firmware/efi/libstub/x86-stub.c        |  4 +-
 include/linux/efi.h                            |  1 +
 include/linux/pe.h                             |  2 +-
 7 files changed, 46 insertions(+), 30 deletions(-)

-- 
2.39.2

[PATCH v2 1/3] efi/libstub: Use const qualified device path protocol pointers

[Ard Biesheuvel]

The EFI APIs that deal with device path protocol instances never modify
them, but given that these APIs do not use const qualified pointers at
all, but instead uses IN and OUT modifiers that are #define'd to empty
tokens, we cannot currently pass a device path protocol pointer that
refers to a read-only object.

So add the const qualification where appropriate, and drop a cast that
is no longer necessary.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 4 ++--
 drivers/firmware/efi/libstub/efistub.h         | 4 ++--
 drivers/firmware/efi/libstub/file.c            | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index 1e0203d74691ffcc..ff60e3a78337ce5c 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -499,12 +499,12 @@ efi_status_t efi_load_initrd_dev_path(struct linux_efi_initrd *initrd,
 				      unsigned long max)
 {
 	efi_guid_t lf2_proto_guid = EFI_LOAD_FILE2_PROTOCOL_GUID;
-	efi_device_path_protocol_t *dp;
+	const efi_device_path_protocol_t *dp;
 	efi_load_file2_protocol_t *lf2;
 	efi_handle_t handle;
 	efi_status_t status;
 
-	dp = (efi_device_path_protocol_t *)&initrd_dev_path;
+	dp = &initrd_dev_path.vendor.header;
 	status = efi_bs_call(locate_device_path, &lf2_proto_guid, &dp, &handle);
 	if (status != EFI_SUCCESS)
 		return status;
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 6bd3bb86d9679a1c..96a04ee05cdbb8bf 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -285,7 +285,7 @@ union efi_boot_services {
 						       void *, unsigned long *,
 						       efi_handle_t *);
 		efi_status_t (__efiapi *locate_device_path)(efi_guid_t *,
-							    efi_device_path_protocol_t **,
+							    const efi_device_path_protocol_t **,
 							    efi_handle_t *);
 		efi_status_t (__efiapi *install_configuration_table)(efi_guid_t *,
 								     void *);
@@ -894,7 +894,7 @@ typedef union efi_load_file_protocol efi_load_file2_protocol_t;
 union efi_load_file_protocol {
 	struct {
 		efi_status_t (__efiapi *load_file)(efi_load_file_protocol_t *,
-						   efi_device_path_protocol_t *,
+						   const efi_device_path_protocol_t *,
 						   bool, unsigned long *, void *);
 	};
 	struct {
diff --git a/drivers/firmware/efi/libstub/file.c b/drivers/firmware/efi/libstub/file.c
index d6a025df07dcf9ef..207dc578db910336 100644
--- a/drivers/firmware/efi/libstub/file.c
+++ b/drivers/firmware/efi/libstub/file.c
@@ -131,7 +131,7 @@ static efi_status_t efi_open_device_path(efi_file_protocol_t **volume,
 	efi_guid_t text_to_dp_guid = EFI_DEVICE_PATH_FROM_TEXT_PROTOCOL_GUID;
 	static efi_device_path_from_text_protocol_t *text_to_dp = NULL;
 	efi_guid_t fs_proto = EFI_FILE_SYSTEM_GUID;
-	efi_device_path_protocol_t *initrd_dp;
+	const efi_device_path_protocol_t *initrd_dp;
 	efi_simple_file_system_protocol_t *io;
 	struct efi_file_path_dev_path *fpath;
 	efi_handle_t handle;
-- 
2.39.2

[PATCH v2 2/3] efi/libstub: Pass loaded image EFI handle to efi_load_initrd()

[Ard Biesheuvel]

In preparation for allowing loaders to pass the initrd loadfile2
protocol implementation via the loaded image handle instead of a global
singleton device path, pass the loaded image EFI handle down to the code
that loads the initrd.

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 3 ++-
 drivers/firmware/efi/libstub/efi-stub.c        | 4 ++--
 drivers/firmware/efi/libstub/efistub.h         | 3 ++-
 drivers/firmware/efi/libstub/x86-stub.c        | 4 ++--
 4 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index ff60e3a78337ce5c..d1026c6a544058b4 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -554,7 +554,8 @@ efi_status_t efi_load_initrd_cmdline(efi_loaded_image_t *image,
  *
  * Return:	status code
  */
-efi_status_t efi_load_initrd(efi_loaded_image_t *image,
+efi_status_t efi_load_initrd(efi_handle_t handle,
+			     efi_loaded_image_t *image,
 			     unsigned long soft_limit,
 			     unsigned long hard_limit,
 			     const struct linux_efi_initrd **out)
diff --git a/drivers/firmware/efi/libstub/efi-stub.c b/drivers/firmware/efi/libstub/efi-stub.c
index 2955c1ac6a36ee00..a5eb773a574143cf 100644
--- a/drivers/firmware/efi/libstub/efi-stub.c
+++ b/drivers/firmware/efi/libstub/efi-stub.c
@@ -177,8 +177,8 @@ efi_status_t efi_stub_common(efi_handle_t handle,
 	/* Ask the firmware to clear memory on unclean shutdown */
 	efi_enable_reset_attack_mitigation();
 
-	efi_load_initrd(image, ULONG_MAX, efi_get_max_initrd_addr(image_addr),
-			NULL);
+	efi_load_initrd(handle, image, ULONG_MAX,
+			efi_get_max_initrd_addr(image_addr), NULL);
 
 	efi_random_get_seed();
 
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index 96a04ee05cdbb8bf..d772f2e33af7c270 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -1019,7 +1019,8 @@ static inline efi_status_t efi_load_dtb(efi_loaded_image_t *image,
 				    ULONG_MAX, ULONG_MAX, load_addr, load_size);
 }
 
-efi_status_t efi_load_initrd(efi_loaded_image_t *image,
+efi_status_t efi_load_initrd(efi_handle_t handle,
+			     efi_loaded_image_t *image,
 			     unsigned long soft_limit,
 			     unsigned long hard_limit,
 			     const struct linux_efi_initrd **out);
diff --git a/drivers/firmware/efi/libstub/x86-stub.c b/drivers/firmware/efi/libstub/x86-stub.c
index a0bfd31358ba97b1..e79f6977b41c15c2 100644
--- a/drivers/firmware/efi/libstub/x86-stub.c
+++ b/drivers/firmware/efi/libstub/x86-stub.c
@@ -867,8 +867,8 @@ asmlinkage unsigned long efi_main(efi_handle_t handle,
 	 * arguments will be processed only if image is not NULL, which will be
 	 * the case only if we were loaded via the PE entry point.
 	 */
-	status = efi_load_initrd(image, hdr->initrd_addr_max, ULONG_MAX,
-				 &initrd);
+	status = efi_load_initrd(handle, image, hdr->initrd_addr_max,
+				 ULONG_MAX, &initrd);
 	if (status != EFI_SUCCESS)
 		goto fail;
 	if (initrd && initrd->size > 0) {
-- 
2.39.2

[PATCH v2 3/3] efi/libstub: Look for initrd LoadFile2 protocol on image handle

[Ard Biesheuvel]

The use of a global singleton device path for describing the initrd to
be loaded by the kernel implies that only a single handle can exist that
carries the initrd LoadFile2 protocol implementation.

This avoids the need on the part of the EFI stub to reason about which
initrd is the preferred one when several are being provided - we already
have initrd loading via the setup header on x86 and via DT on other
architectures, in addition to the initrd= command line option, and so
having a single loader provided initrd that supersedes all of them was
deemed preferable over having multiple sources.

However, this means that intermediate loader stages cannot simply
install the LoadFile2 initrd device path, and will need to check for
failures and deal with them. It also means that such stages will have to
reason about whether or not the subsequent stage being loaded is the
final one, or whether it may attempt to install the initrd device path
itself.

We can solve this by associating the initrd LoadFile2 protocol with the
loaded image instead of with a global singleton device path. That way,
each stage can associate any initrd it provides with the image that it
is loading.

Tested-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Reviewed-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
 drivers/firmware/efi/libstub/efi-stub-helper.c | 53 ++++++++++++--------
 include/linux/efi.h                            |  1 +
 include/linux/pe.h                             |  2 +-
 3 files changed, 35 insertions(+), 21 deletions(-)

diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index d1026c6a544058b4..7ca993fd0e331637 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -482,37 +482,50 @@ static const struct {
 };
 
 /**
- * efi_load_initrd_dev_path() - load the initrd from the Linux initrd device path
- * @initrd:	pointer of struct to store the address where the initrd was loaded
- *		and the size of the loaded initrd
- * @max:	upper limit for the initrd memory allocation
+ * efi_load_initrd_lf2() - load the initrd either from the LoadFile2 initrd
+ *			   loading protocol installed on the loaded image
+ *			   handle, or from the Linux initrd device path
+ * @image_handle: EFI handle of the loaded image
+ * @initrd:	  pointer of struct to store the address where the initrd was
+ *                loaded and the size of the loaded initrd
+ * @max:	  upper limit for the initrd memory allocation
  *
  * Return:
- * * %EFI_SUCCESS if the initrd was loaded successfully, in which
- *   case @load_addr and @load_size are assigned accordingly
- * * %EFI_NOT_FOUND if no LoadFile2 protocol exists on the initrd device path
+ * * %EFI_SUCCESS if the initrd was loaded successfully, in which case the base
+ *   and size members of @initrd are assigned accordingly
+ * * %EFI_NOT_FOUND if no LoadFile2 protocol exists on the loaded image handle
+ *   or on the initrd device path
  * * %EFI_OUT_OF_RESOURCES if memory allocation failed
  * * %EFI_LOAD_ERROR in all other cases
  */
 static
-efi_status_t efi_load_initrd_dev_path(struct linux_efi_initrd *initrd,
-				      unsigned long max)
+efi_status_t efi_load_initrd_lf2(efi_handle_t image_handle,
+				 struct linux_efi_initrd *initrd,
+				 unsigned long max)
 {
 	efi_guid_t lf2_proto_guid = EFI_LOAD_FILE2_PROTOCOL_GUID;
-	const efi_device_path_protocol_t *dp;
+	efi_guid_t initrd_lf2_proto_guid = LINUX_EFI_INITRD_LF2_PROTOCOL_GUID;
+	const efi_device_path_protocol_t *dp = &initrd_dev_path.end;
 	efi_load_file2_protocol_t *lf2;
 	efi_handle_t handle;
 	efi_status_t status;
 
-	dp = &initrd_dev_path.vendor.header;
-	status = efi_bs_call(locate_device_path, &lf2_proto_guid, &dp, &handle);
-	if (status != EFI_SUCCESS)
-		return status;
-
-	status = efi_bs_call(handle_protocol, handle, &lf2_proto_guid,
+	/* first look for a initrd loading protocol specific to this image */
+	status = efi_bs_call(handle_protocol, image_handle, &initrd_lf2_proto_guid,
 			     (void **)&lf2);
-	if (status != EFI_SUCCESS)
-		return status;
+	if (status != EFI_SUCCESS) {
+		/* look for the global singleton initrd loading protocol */
+		dp = &initrd_dev_path.vendor.header;
+		status = efi_bs_call(locate_device_path, &lf2_proto_guid, &dp,
+				     &handle);
+		if (status != EFI_SUCCESS)
+			return status;
+
+		status = efi_bs_call(handle_protocol, handle, &lf2_proto_guid,
+				     (void **)&lf2);
+		if (status != EFI_SUCCESS)
+			return status;
+	}
 
 	initrd->size = 0;
 	status = efi_call_proto(lf2, load_file, dp, false, &initrd->size, NULL);
@@ -567,9 +580,9 @@ efi_status_t efi_load_initrd(efi_handle_t handle,
 	if (!IS_ENABLED(CONFIG_BLK_DEV_INITRD) || efi_noinitrd)
 		return EFI_SUCCESS;
 
-	status = efi_load_initrd_dev_path(&initrd, hard_limit);
+	status = efi_load_initrd_lf2(handle, &initrd, hard_limit);
 	if (status == EFI_SUCCESS) {
-		efi_info("Loaded initrd from LINUX_EFI_INITRD_MEDIA_GUID device path\n");
+		efi_info("Loaded initrd using LoadFile2 protocol\n");
 		if (initrd.size > 0 &&
 		    efi_measure_tagged_event(initrd.base, initrd.size,
 					     EFISTUB_EVT_INITRD) == EFI_SUCCESS)
diff --git a/include/linux/efi.h b/include/linux/efi.h
index 04a733f0ba956211..08a1518de0fb4921 100644
--- a/include/linux/efi.h
+++ b/include/linux/efi.h
@@ -417,6 +417,7 @@ void efi_native_runtime_setup(void);
 #define LINUX_EFI_MOK_VARIABLE_TABLE_GUID	EFI_GUID(0xc451ed2b, 0x9694, 0x45d3,  0xba, 0xba, 0xed, 0x9f, 0x89, 0x88, 0xa3, 0x89)
 #define LINUX_EFI_COCO_SECRET_AREA_GUID		EFI_GUID(0xadf956ad, 0xe98c, 0x484c,  0xae, 0x11, 0xb5, 0x1c, 0x7d, 0x33, 0x64, 0x47)
 #define LINUX_EFI_BOOT_MEMMAP_GUID		EFI_GUID(0x800f683f, 0xd08b, 0x423a,  0xa2, 0x93, 0x96, 0x5c, 0x3c, 0x6f, 0xe2, 0xb4)
+#define LINUX_EFI_INITRD_LF2_PROTOCOL_GUID	EFI_GUID(0xf9e3378e, 0xb3b1, 0x423a,  0xbd, 0x9a, 0x2d, 0x08, 0x60, 0x28, 0x7f, 0x72)
 
 #define RISCV_EFI_BOOT_PROTOCOL_GUID		EFI_GUID(0xccd15fec, 0x6f73, 0x4eec,  0x83, 0x95, 0x3e, 0x69, 0xe4, 0xb9, 0x40, 0xbf)
 
diff --git a/include/linux/pe.h b/include/linux/pe.h
index 6ffabf1e6d039e67..934e3a15ea7ddc07 100644
--- a/include/linux/pe.h
+++ b/include/linux/pe.h
@@ -29,7 +29,7 @@
  * handover_offset and xloadflags fields in the bootparams structure.
  */
 #define LINUX_EFISTUB_MAJOR_VERSION		0x1
-#define LINUX_EFISTUB_MINOR_VERSION		0x1
+#define LINUX_EFISTUB_MINOR_VERSION		0x2
 
 /*
  * LINUX_PE_MAGIC appears at offset 0x38 into the MS-DOS header of EFI bootable
-- 
2.39.2