oxmc/ipxe
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
Files
562c74e1ea52a399f7a6c416e35d98f4b37888cf
ipxe/src/interface/efi/efi_init.c
T
Michael Brown 562c74e1ea [efi] Run ExitBootServices shutdown hook at TPL_NOTIFY 
On some systems (observed with the Thunderbolt ports on a ThinkPad X1
Extreme Gen3 and a ThinkPad P53), if the IOMMU is enabled then the
system firmware will install an ExitBootServices notification event
that disables bus mastering on the Thunderbolt xHCI controller and all
PCI bridges, and destroys any extant IOMMU mappings.  This leaves the
xHCI controller unable to perform any DMA operations.

As described in commit 236299b ("[xhci] Avoid DMA during shutdown if
firmware has disabled bus mastering"), any subsequent DMA operation
attempted by the xHCI controller will end up completing after the
operating system kernel has reenabled bus mastering, resulting in a
DMA operation to an area of memory that the hardware is no longer
permitted to access and, on Windows with the Driver Verifier enabled,
a STOP 0xE6 (DRIVER_VERIFIER_DMA_VIOLATION).

That commit avoids triggering any DMA attempts during the shutdown of
the xHCI controller itself.  However, this is not a complete solution
since any attached and opened USB device (e.g. a USB NIC) may
asynchronously trigger DMA attempts that happen to occur after bus
mastering has been disabled but before we reset the xHCI controller.

Avoid this problem by installing our own ExitBootServices notification
event at TPL_NOTIFY, thereby causing it to be invoked before the
firmware's own ExitBootServices notification event that disables bus
mastering.

This unsurprisingly causes the shutdown hook itself to be invoked at
TPL_NOTIFY, which causes a fatal error when later code attempts to
raise the TPL to TPL_CALLBACK (which is a lower TPL).  Work around
this problem by redefining the "internal" iPXE TPL to be variable, and
set this internal TPL to TPL_NOTIFY when the shutdown hook is invoked.

Avoid calling into an underlying SNP protocol instance from within our
shutdown hook at TPL_NOTIFY, since the underlying SNP driver may
attempt to raise the TPL to TPL_CALLBACK (which would cause a fatal
error).  Failing to shut down the underlying SNP device is safe to do
since the underlying device must, in any case, have installed its own
ExitBootServices hook if any shutdown actions are required.

Reported-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Tested-by: Andreas Hammarskjöld <junior@2PintSoftware.com>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
2021-11-23 15:55:01 +00:00

419 lines
11 KiB
C
Raw Blame History

/*
* Copyright (C) 2008 Michael Brown <mbrown@fensystems.co.uk>.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation; either version 2 of the
* License, or any later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
* 02110-1301, USA.
*/
FILE_LICENCE ( GPL2_OR_LATER );
#include <string.h>
#include <errno.h>
#include <endian.h>
#include <ipxe/init.h>
#include <ipxe/rotate.h>
#include <ipxe/efi/efi.h>
#include <ipxe/efi/efi_driver.h>
#include <ipxe/efi/efi_path.h>
#include <ipxe/efi/Protocol/LoadedImage.h>
/** Image handle passed to entry point */
EFI_HANDLE efi_image_handle;
/** Loaded image protocol for this image */
EFI_LOADED_IMAGE_PROTOCOL *efi_loaded_image;
/** Device path for the loaded image's device handle */
EFI_DEVICE_PATH_PROTOCOL *efi_loaded_image_path;
/** System table passed to entry point
*
* We construct the symbol name efi_systab via the PLATFORM macro.
* This ensures that the symbol is defined only in EFI builds, and so
* prevents EFI code from being incorrectly linked in to a non-EFI
* build.
*/
EFI_SYSTEM_TABLE * _C2 ( PLATFORM, _systab );
/** Internal task priority level */
EFI_TPL efi_internal_tpl = TPL_CALLBACK;
/** External task priority level */
EFI_TPL efi_external_tpl = TPL_APPLICATION;
/** EFI shutdown is in progress */
int efi_shutdown_in_progress;
/** Event used to signal shutdown */
static EFI_EVENT efi_shutdown_event;
/** Stack cookie */
unsigned long __stack_chk_guard;
/** Exit function
*
* Cached to minimise external dependencies when a stack check
* failure is triggered.
*/
static EFI_EXIT efi_exit;
/* Forward declarations */
static EFI_STATUS EFIAPI efi_unload ( EFI_HANDLE image_handle );
/**
* Shut down in preparation for booting an OS.
*
* This hook gets called at ExitBootServices time in order to make
* sure that everything is properly shut down before the OS takes
* over.
*/
static EFIAPI void efi_shutdown_hook ( EFI_EVENT event __unused,
void *context __unused ) {
/* This callback is invoked at TPL_NOTIFY in order to ensure
* that we have an opportunity to shut down cleanly before
* other shutdown hooks perform destructive operations such as
* disabling the IOMMU.
*
* Modify the internal task priority level so that no code
* attempts to raise from TPL_NOTIFY to TPL_CALLBACK (which
* would trigger a fatal exception).
*/
efi_internal_tpl = TPL_NOTIFY;
/* Mark shutdown as being in progress, to indicate that large
* parts of the system (e.g. timers) are no longer functional.
*/
efi_shutdown_in_progress = 1;
/* Shut down iPXE */
shutdown_boot();
}
/**
* Look up EFI configuration table
*
* @v guid Configuration table GUID
* @ret table Configuration table, or NULL
*/
static void * efi_find_table ( EFI_GUID *guid ) {
unsigned int i;
for ( i = 0 ; i < efi_systab->NumberOfTableEntries ; i++ ) {
if ( memcmp ( &efi_systab->ConfigurationTable[i].VendorGuid,
guid, sizeof ( *guid ) ) == 0 )
return efi_systab->ConfigurationTable[i].VendorTable;
}
return NULL;
}
/**
* Construct a stack cookie value
*
* @v handle Image handle
* @ret cookie Stack cookie
*/
__attribute__ (( noinline )) unsigned long
efi_stack_cookie ( EFI_HANDLE handle ) {
unsigned long cookie = 0;
unsigned int rotation = ( 8 * sizeof ( cookie ) / 4 );
/* There is no viable source of entropy available at this
* point. Construct a value that is at least likely to vary
* between platforms and invocations.
*/
cookie ^= ( ( unsigned long ) handle );
cookie = roll ( cookie, rotation );
cookie ^= ( ( unsigned long ) &handle );
cookie = roll ( cookie, rotation );
cookie ^= profile_timestamp();
cookie = roll ( cookie, rotation );
cookie ^= build_id;
/* Ensure that the value contains a NUL byte, to act as a
* runaway string terminator. Construct the NUL using a shift
* rather than a mask, to avoid losing valuable entropy in the
* lower-order bits.
*/
cookie <<= 8;
/* Ensure that the NUL byte is placed at the bottom of the
* stack cookie, to avoid potential disclosure via an
* unterminated string.
*/
if ( __BYTE_ORDER == __BIG_ENDIAN )
cookie >>= 8;
return cookie;
}
/**
* Initialise EFI environment
*
* @v image_handle Image handle
* @v systab System table
* @ret efirc EFI return status code
*/
EFI_STATUS efi_init ( EFI_HANDLE image_handle,
EFI_SYSTEM_TABLE *systab ) {
EFI_BOOT_SERVICES *bs;
struct efi_protocol *prot;
struct efi_config_table *tab;
void *loaded_image;
void *device_path;
void *device_path_copy;
size_t device_path_len;
EFI_STATUS efirc;
int rc;
/* Store image handle and system table pointer for future use */
efi_image_handle = image_handle;
efi_systab = systab;
/* Sanity checks */
if ( ! systab ) {
efirc = EFI_NOT_AVAILABLE_YET;
goto err_sanity;
}
if ( ! systab->ConOut ) {
efirc = EFI_NOT_AVAILABLE_YET;
goto err_sanity;
}
if ( ! systab->BootServices ) {
DBGC ( systab, "EFI provided no BootServices entry point\n" );
efirc = EFI_NOT_AVAILABLE_YET;
goto err_sanity;
}
if ( ! systab->RuntimeServices ) {
DBGC ( systab, "EFI provided no RuntimeServices entry "
"point\n" );
efirc = EFI_NOT_AVAILABLE_YET;
goto err_sanity;
}
DBGC ( systab, "EFI handle %p systab %p\n", image_handle, systab );
bs = systab->BootServices;
/* Store abort function pointer */
efi_exit = bs->Exit;
/* Look up used protocols */
for_each_table_entry ( prot, EFI_PROTOCOLS ) {
if ( ( efirc = bs->LocateProtocol ( &prot->guid, NULL,
prot->protocol ) ) == 0 ) {
DBGC ( systab, "EFI protocol %s is at %p\n",
efi_guid_ntoa ( &prot->guid ),
*(prot->protocol) );
} else {
DBGC ( systab, "EFI does not provide protocol %s\n",
efi_guid_ntoa ( &prot->guid ) );
/* Fail if protocol is required */
if ( prot->required )
goto err_missing_protocol;
}
}
/* Look up used configuration tables */
for_each_table_entry ( tab, EFI_CONFIG_TABLES ) {
if ( ( *(tab->table) = efi_find_table ( &tab->guid ) ) ) {
DBGC ( systab, "EFI configuration table %s is at %p\n",
efi_guid_ntoa ( &tab->guid ), *(tab->table) );
} else {
DBGC ( systab, "EFI does not provide configuration "
"table %s\n", efi_guid_ntoa ( &tab->guid ) );
if ( tab->required ) {
efirc = EFI_NOT_AVAILABLE_YET;
goto err_missing_table;
}
}
}
/* Get loaded image protocol */
if ( ( efirc = bs->OpenProtocol ( image_handle,
&efi_loaded_image_protocol_guid,
&loaded_image, image_handle, NULL,
EFI_OPEN_PROTOCOL_GET_PROTOCOL ) ) != 0 ) {
rc = -EEFI ( efirc );
DBGC ( systab, "EFI could not get loaded image protocol: %s",
strerror ( rc ) );
goto err_no_loaded_image;
}
efi_loaded_image = loaded_image;
DBGC ( systab, "EFI image base address %p\n",
efi_loaded_image->ImageBase );
/* Get loaded image's device handle's device path */
if ( ( efirc = bs->OpenProtocol ( efi_loaded_image->DeviceHandle,
&efi_device_path_protocol_guid,
&device_path, image_handle, NULL,
EFI_OPEN_PROTOCOL_GET_PROTOCOL ) ) != 0 ) {
rc = -EEFI ( efirc );
DBGC ( systab, "EFI could not get loaded image's device path: "
"%s", strerror ( rc ) );
goto err_no_device_path;
}
/* Make a copy of the loaded image's device handle's device
* path, since the device handle itself may become invalidated
* when we load our own drivers.
*/
device_path_len = ( efi_path_len ( device_path ) +
sizeof ( EFI_DEVICE_PATH_PROTOCOL ) );
if ( ( efirc = bs->AllocatePool ( EfiBootServicesData, device_path_len,
&device_path_copy ) ) != 0 ) {
rc = -EEFI ( efirc );
goto err_alloc_device_path;
}
memcpy ( device_path_copy, device_path, device_path_len );
efi_loaded_image_path = device_path_copy;
DBGC ( systab, "EFI image device path %s\n",
efi_devpath_text ( efi_loaded_image_path ) );
/* EFI is perfectly capable of gracefully shutting down any
* loaded devices if it decides to fall back to a legacy boot.
* For no particularly comprehensible reason, it doesn't
* bother doing so when ExitBootServices() is called.
*/
if ( ( efirc = bs->CreateEvent ( EVT_SIGNAL_EXIT_BOOT_SERVICES,
TPL_NOTIFY, efi_shutdown_hook,
NULL, &efi_shutdown_event ) ) != 0 ) {
rc = -EEFI ( efirc );
DBGC ( systab, "EFI could not create ExitBootServices event: "
"%s\n", strerror ( rc ) );
goto err_create_event;
}
/* Install driver binding protocol */
if ( ( rc = efi_driver_install() ) != 0 ) {
DBGC ( systab, "EFI could not install driver: %s\n",
strerror ( rc ) );
efirc = EFIRC ( rc );
goto err_driver_install;
}
/* Install image unload method */
efi_loaded_image->Unload = efi_unload;
return 0;
efi_driver_uninstall();
err_driver_install:
bs->CloseEvent ( efi_shutdown_event );
err_create_event:
bs->FreePool ( efi_loaded_image_path );
err_alloc_device_path:
err_no_device_path:
err_no_loaded_image:
err_missing_table:
err_missing_protocol:
err_sanity:
return efirc;
}
/**
* Shut down EFI environment
*
* @v image_handle Image handle
*/
static EFI_STATUS EFIAPI efi_unload ( EFI_HANDLE image_handle __unused ) {
EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
EFI_SYSTEM_TABLE *systab = efi_systab;
struct efi_saved_tpl tpl;
DBGC ( systab, "EFI image unloading\n" );
/* Raise TPL */
efi_raise_tpl ( &tpl );
/* Shut down */
shutdown_exit();
/* Disconnect any remaining devices */
efi_driver_disconnect_all();
/* Uninstall driver binding protocol */
efi_driver_uninstall();
/* Uninstall exit boot services event */
bs->CloseEvent ( efi_shutdown_event );
/* Free copy of loaded image's device handle's device path */
bs->FreePool ( efi_loaded_image_path );
DBGC ( systab, "EFI image unloaded\n" );
/* Restore TPL */
efi_restore_tpl ( &tpl );
return 0;
}
/**
* Abort on stack check failure
*
*/
__attribute__ (( noreturn )) void __stack_chk_fail ( void ) {
EFI_STATUS efirc;
int rc;
/* Report failure (when debugging) */
DBGC ( efi_systab, "EFI stack check failed (cookie %#lx); aborting\n",
__stack_chk_guard );
/* Attempt to exit cleanly with an error status */
if ( efi_exit ) {
efirc = efi_exit ( efi_image_handle, EFI_COMPROMISED_DATA,
0, NULL );
rc = -EEFI ( efirc );
DBGC ( efi_systab, "EFI stack check exit failed: %s\n",
strerror ( rc ) );
}
/* If the exit fails for any reason, lock the system */
while ( 1 ) {}
}
/**
* Raise task priority level to internal level
*
* @v tpl Saved TPL
*/
void efi_raise_tpl ( struct efi_saved_tpl *tpl ) {
EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
/* Record current external TPL */
tpl->previous = efi_external_tpl;
/* Raise TPL and record previous TPL as new external TPL */
tpl->current = bs->RaiseTPL ( efi_internal_tpl );
efi_external_tpl = tpl->current;
}
/**
* Restore task priority level
*
* @v tpl Saved TPL
*/
void efi_restore_tpl ( struct efi_saved_tpl *tpl ) {
EFI_BOOT_SERVICES *bs = efi_systab->BootServices;
/* Restore external TPL */
efi_external_tpl = tpl->previous;
/* Restore TPL */
bs->RestoreTPL ( tpl->current );
}
Reference in New Issue View Git Blame Copy Permalink