platform/efi/quirks.c

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 #define pr_fmt(fmt) "efi: " fmt
0003
0004 #include <linux/init.h>
0005 #include <linux/kernel.h>
0006 #include <linux/string.h>
0007 #include <linux/time.h>
0008 #include <linux/types.h>
0009 #include <linux/efi.h>
0010 #include <linux/slab.h>
0011 #include <linux/memblock.h>
0012 #include <linux/acpi.h>
0013 #include <linux/dmi.h>
0014
0015 #include <asm/e820/api.h>
0016 #include <asm/efi.h>
0017 #include <asm/uv/uv.h>
0018 #include <asm/cpu_device_id.h>
0019 #include <asm/realmode.h>
0020 #include <asm/reboot.h>
0021
0022 #define EFI_MIN_RESERVE 5120
0023
0024 #define EFI_DUMMY_GUID \
0025     EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, 0xa9)
0026
0027 #define QUARK_CSH_SIGNATURE     0x5f435348  /* _CSH */
0028 #define QUARK_SECURITY_HEADER_SIZE  0x400
0029
0030 /*
0031  * Header prepended to the standard EFI capsule on Quark systems the are based
0032  * on Intel firmware BSP.
0033  * @csh_signature:  Unique identifier to sanity check signed module
0034  *          presence ("_CSH").
0035  * @version:        Current version of CSH used. Should be one for Quark A0.
0036  * @modulesize:     Size of the entire module including the module header
0037  *          and payload.
0038  * @security_version_number_index: Index of SVN to use for validation of signed
0039  *          module.
0040  * @security_version_number: Used to prevent against roll back of modules.
0041  * @rsvd_module_id: Currently unused for Clanton (Quark).
0042  * @rsvd_module_vendor: Vendor Identifier. For Intel products value is
0043  *          0x00008086.
0044  * @rsvd_date:      BCD representation of build date as yyyymmdd, where
0045  *          yyyy=4 digit year, mm=1-12, dd=1-31.
0046  * @headersize:     Total length of the header including including any
0047  *          padding optionally added by the signing tool.
0048  * @hash_algo:      What Hash is used in the module signing.
0049  * @cryp_algo:      What Crypto is used in the module signing.
0050  * @keysize:        Total length of the key data including including any
0051  *          padding optionally added by the signing tool.
0052  * @signaturesize:  Total length of the signature including including any
0053  *          padding optionally added by the signing tool.
0054  * @rsvd_next_header:   32-bit pointer to the next Secure Boot Module in the
0055  *          chain, if there is a next header.
0056  * @rsvd:       Reserved, padding structure to required size.
0057  *
0058  * See also QuartSecurityHeader_t in
0059  * Quark_EDKII_v1.2.1.1/QuarkPlatformPkg/Include/QuarkBootRom.h
0060  * from https://downloadcenter.intel.com/download/23197/Intel-Quark-SoC-X1000-Board-Support-Package-BSP
0061  */
0062 struct quark_security_header {
0063     u32 csh_signature;
0064     u32 version;
0065     u32 modulesize;
0066     u32 security_version_number_index;
0067     u32 security_version_number;
0068     u32 rsvd_module_id;
0069     u32 rsvd_module_vendor;
0070     u32 rsvd_date;
0071     u32 headersize;
0072     u32 hash_algo;
0073     u32 cryp_algo;
0074     u32 keysize;
0075     u32 signaturesize;
0076     u32 rsvd_next_header;
0077     u32 rsvd[2];
0078 };
0079
0080 static const efi_char16_t efi_dummy_name[] = L"DUMMY";
0081
0082 static bool efi_no_storage_paranoia;
0083
0084 /*
0085  * Some firmware implementations refuse to boot if there's insufficient
0086  * space in the variable store. The implementation of garbage collection
0087  * in some FW versions causes stale (deleted) variables to take up space
0088  * longer than intended and space is only freed once the store becomes
0089  * almost completely full.
0090  *
0091  * Enabling this option disables the space checks in
0092  * efi_query_variable_store() and forces garbage collection.
0093  *
0094  * Only enable this option if deleting EFI variables does not free up
0095  * space in your variable store, e.g. if despite deleting variables
0096  * you're unable to create new ones.
0097  */
0098 static int __init setup_storage_paranoia(char *arg)
0099 {
0100     efi_no_storage_paranoia = true;
0101     return 0;
0102 }
0103 early_param("efi_no_storage_paranoia", setup_storage_paranoia);
0104
0105 /*
0106  * Deleting the dummy variable which kicks off garbage collection
0107 */
0108 void efi_delete_dummy_variable(void)
0109 {
0110     efi.set_variable_nonblocking((efi_char16_t *)efi_dummy_name,
0111                      &EFI_DUMMY_GUID,
0112                      EFI_VARIABLE_NON_VOLATILE |
0113                      EFI_VARIABLE_BOOTSERVICE_ACCESS |
0114                      EFI_VARIABLE_RUNTIME_ACCESS, 0, NULL);
0115 }
0116
0117 /*
0118  * In the nonblocking case we do not attempt to perform garbage
0119  * collection if we do not have enough free space. Rather, we do the
0120  * bare minimum check and give up immediately if the available space
0121  * is below EFI_MIN_RESERVE.
0122  *
0123  * This function is intended to be small and simple because it is
0124  * invoked from crash handler paths.
0125  */
0126 static efi_status_t
0127 query_variable_store_nonblocking(u32 attributes, unsigned long size)
0128 {
0129     efi_status_t status;
0130     u64 storage_size, remaining_size, max_size;
0131
0132     status = efi.query_variable_info_nonblocking(attributes, &storage_size,
0133                              &remaining_size,
0134                              &max_size);
0135     if (status != EFI_SUCCESS)
0136         return status;
0137
0138     if (remaining_size - size < EFI_MIN_RESERVE)
0139         return EFI_OUT_OF_RESOURCES;
0140
0141     return EFI_SUCCESS;
0142 }
0143
0144 /*
0145  * Some firmware implementations refuse to boot if there's insufficient space
0146  * in the variable store. Ensure that we never use more than a safe limit.
0147  *
0148  * Return EFI_SUCCESS if it is safe to write 'size' bytes to the variable
0149  * store.
0150  */
0151 efi_status_t efi_query_variable_store(u32 attributes, unsigned long size,
0152                       bool nonblocking)
0153 {
0154     efi_status_t status;
0155     u64 storage_size, remaining_size, max_size;
0156
0157     if (!(attributes & EFI_VARIABLE_NON_VOLATILE))
0158         return 0;
0159
0160     if (nonblocking)
0161         return query_variable_store_nonblocking(attributes, size);
0162
0163     status = efi.query_variable_info(attributes, &storage_size,
0164                      &remaining_size, &max_size);
0165     if (status != EFI_SUCCESS)
0166         return status;
0167
0168     /*
0169      * We account for that by refusing the write if permitting it would
0170      * reduce the available space to under 5KB. This figure was provided by
0171      * Samsung, so should be safe.
0172      */
0173     if ((remaining_size - size < EFI_MIN_RESERVE) &&
0174         !efi_no_storage_paranoia) {
0175
0176         /*
0177          * Triggering garbage collection may require that the firmware
0178          * generate a real EFI_OUT_OF_RESOURCES error. We can force
0179          * that by attempting to use more space than is available.
0180          */
0181         unsigned long dummy_size = remaining_size + 1024;
0182         void *dummy = kzalloc(dummy_size, GFP_KERNEL);
0183
0184         if (!dummy)
0185             return EFI_OUT_OF_RESOURCES;
0186
0187         status = efi.set_variable((efi_char16_t *)efi_dummy_name,
0188                       &EFI_DUMMY_GUID,
0189                       EFI_VARIABLE_NON_VOLATILE |
0190                       EFI_VARIABLE_BOOTSERVICE_ACCESS |
0191                       EFI_VARIABLE_RUNTIME_ACCESS,
0192                       dummy_size, dummy);
0193
0194         if (status == EFI_SUCCESS) {
0195             /*
0196              * This should have failed, so if it didn't make sure
0197              * that we delete it...
0198              */
0199             efi_delete_dummy_variable();
0200         }
0201
0202         kfree(dummy);
0203
0204         /*
0205          * The runtime code may now have triggered a garbage collection
0206          * run, so check the variable info again
0207          */
0208         status = efi.query_variable_info(attributes, &storage_size,
0209                          &remaining_size, &max_size);
0210
0211         if (status != EFI_SUCCESS)
0212             return status;
0213
0214         /*
0215          * There still isn't enough room, so return an error
0216          */
0217         if (remaining_size - size < EFI_MIN_RESERVE)
0218             return EFI_OUT_OF_RESOURCES;
0219     }
0220
0221     return EFI_SUCCESS;
0222 }
0223 EXPORT_SYMBOL_GPL(efi_query_variable_store);
0224
0225 /*
0226  * The UEFI specification makes it clear that the operating system is
0227  * free to do whatever it wants with boot services code after
0228  * ExitBootServices() has been called. Ignoring this recommendation a
0229  * significant bunch of EFI implementations continue calling into boot
0230  * services code (SetVirtualAddressMap). In order to work around such
0231  * buggy implementations we reserve boot services region during EFI
0232  * init and make sure it stays executable. Then, after
0233  * SetVirtualAddressMap(), it is discarded.
0234  *
0235  * However, some boot services regions contain data that is required
0236  * by drivers, so we need to track which memory ranges can never be
0237  * freed. This is done by tagging those regions with the
0238  * EFI_MEMORY_RUNTIME attribute.
0239  *
0240  * Any driver that wants to mark a region as reserved must use
0241  * efi_mem_reserve() which will insert a new EFI memory descriptor
0242  * into efi.memmap (splitting existing regions if necessary) and tag
0243  * it with EFI_MEMORY_RUNTIME.
0244  */
0245 void __init efi_arch_mem_reserve(phys_addr_t addr, u64 size)
0246 {
0247     struct efi_memory_map_data data = { 0 };
0248     struct efi_mem_range mr;
0249     efi_memory_desc_t md;
0250     int num_entries;
0251     void *new;
0252
0253     if (efi_mem_desc_lookup(addr, &md) ||
0254         md.type != EFI_BOOT_SERVICES_DATA) {
0255         pr_err("Failed to lookup EFI memory descriptor for %pa\n", &addr);
0256         return;
0257     }
0258
0259     if (addr + size > md.phys_addr + (md.num_pages << EFI_PAGE_SHIFT)) {
0260         pr_err("Region spans EFI memory descriptors, %pa\n", &addr);
0261         return;
0262     }
0263
0264     size += addr % EFI_PAGE_SIZE;
0265     size = round_up(size, EFI_PAGE_SIZE);
0266     addr = round_down(addr, EFI_PAGE_SIZE);
0267
0268     mr.range.start = addr;
0269     mr.range.end = addr + size - 1;
0270     mr.attribute = md.attribute | EFI_MEMORY_RUNTIME;
0271
0272     num_entries = efi_memmap_split_count(&md, &mr.range);
0273     num_entries += efi.memmap.nr_map;
0274
0275     if (efi_memmap_alloc(num_entries, &data) != 0) {
0276         pr_err("Could not allocate boot services memmap\n");
0277         return;
0278     }
0279
0280     new = early_memremap_prot(data.phys_map, data.size,
0281                   pgprot_val(pgprot_encrypted(FIXMAP_PAGE_NORMAL)));
0282     if (!new) {
0283         pr_err("Failed to map new boot services memmap\n");
0284         return;
0285     }
0286
0287     efi_memmap_insert(&efi.memmap, new, &mr);
0288     early_memunmap(new, data.size);
0289
0290     efi_memmap_install(&data);
0291     e820__range_update(addr, size, E820_TYPE_RAM, E820_TYPE_RESERVED);
0292     e820__update_table(e820_table);
0293 }
0294
0295 /*
0296  * Helper function for efi_reserve_boot_services() to figure out if we
0297  * can free regions in efi_free_boot_services().
0298  *
0299  * Use this function to ensure we do not free regions owned by somebody
0300  * else. We must only reserve (and then free) regions:
0301  *
0302  * - Not within any part of the kernel
0303  * - Not the BIOS reserved area (E820_TYPE_RESERVED, E820_TYPE_NVS, etc)
0304  */
0305 static __init bool can_free_region(u64 start, u64 size)
0306 {
0307     if (start + size > __pa_symbol(_text) && start <= __pa_symbol(_end))
0308         return false;
0309
0310     if (!e820__mapped_all(start, start+size, E820_TYPE_RAM))
0311         return false;
0312
0313     return true;
0314 }
0315
0316 void __init efi_reserve_boot_services(void)
0317 {
0318     efi_memory_desc_t *md;
0319
0320     if (!efi_enabled(EFI_MEMMAP))
0321         return;
0322
0323     for_each_efi_memory_desc(md) {
0324         u64 start = md->phys_addr;
0325         u64 size = md->num_pages << EFI_PAGE_SHIFT;
0326         bool already_reserved;
0327
0328         if (md->type != EFI_BOOT_SERVICES_CODE &&
0329             md->type != EFI_BOOT_SERVICES_DATA)
0330             continue;
0331
0332         already_reserved = memblock_is_region_reserved(start, size);
0333
0334         /*
0335          * Because the following memblock_reserve() is paired
0336          * with memblock_free_late() for this region in
0337          * efi_free_boot_services(), we must be extremely
0338          * careful not to reserve, and subsequently free,
0339          * critical regions of memory (like the kernel image) or
0340          * those regions that somebody else has already
0341          * reserved.
0342          *
0343          * A good example of a critical region that must not be
0344          * freed is page zero (first 4Kb of memory), which may
0345          * contain boot services code/data but is marked
0346          * E820_TYPE_RESERVED by trim_bios_range().
0347          */
0348         if (!already_reserved) {
0349             memblock_reserve(start, size);
0350
0351             /*
0352              * If we are the first to reserve the region, no
0353              * one else cares about it. We own it and can
0354              * free it later.
0355              */
0356             if (can_free_region(start, size))
0357                 continue;
0358         }
0359
0360         /*
0361          * We don't own the region. We must not free it.
0362          *
0363          * Setting this bit for a boot services region really
0364          * doesn't make sense as far as the firmware is
0365          * concerned, but it does provide us with a way to tag
0366          * those regions that must not be paired with
0367          * memblock_free_late().
0368          */
0369         md->attribute |= EFI_MEMORY_RUNTIME;
0370     }
0371 }
0372
0373 /*
0374  * Apart from having VA mappings for EFI boot services code/data regions,
0375  * (duplicate) 1:1 mappings were also created as a quirk for buggy firmware. So,
0376  * unmap both 1:1 and VA mappings.
0377  */
0378 static void __init efi_unmap_pages(efi_memory_desc_t *md)
0379 {
0380     pgd_t *pgd = efi_mm.pgd;
0381     u64 pa = md->phys_addr;
0382     u64 va = md->virt_addr;
0383
0384     /*
0385      * EFI mixed mode has all RAM mapped to access arguments while making
0386      * EFI runtime calls, hence don't unmap EFI boot services code/data
0387      * regions.
0388      */
0389     if (efi_is_mixed())
0390         return;
0391
0392     if (kernel_unmap_pages_in_pgd(pgd, pa, md->num_pages))
0393         pr_err("Failed to unmap 1:1 mapping for 0x%llx\n", pa);
0394
0395     if (kernel_unmap_pages_in_pgd(pgd, va, md->num_pages))
0396         pr_err("Failed to unmap VA mapping for 0x%llx\n", va);
0397 }
0398
0399 void __init efi_free_boot_services(void)
0400 {
0401     struct efi_memory_map_data data = { 0 };
0402     efi_memory_desc_t *md;
0403     int num_entries = 0;
0404     void *new, *new_md;
0405
0406     /* Keep all regions for /sys/kernel/debug/efi */
0407     if (efi_enabled(EFI_DBG))
0408         return;
0409
0410     for_each_efi_memory_desc(md) {
0411         unsigned long long start = md->phys_addr;
0412         unsigned long long size = md->num_pages << EFI_PAGE_SHIFT;
0413         size_t rm_size;
0414
0415         if (md->type != EFI_BOOT_SERVICES_CODE &&
0416             md->type != EFI_BOOT_SERVICES_DATA) {
0417             num_entries++;
0418             continue;
0419         }
0420
0421         /* Do not free, someone else owns it: */
0422         if (md->attribute & EFI_MEMORY_RUNTIME) {
0423             num_entries++;
0424             continue;
0425         }
0426
0427         /*
0428          * Before calling set_virtual_address_map(), EFI boot services
0429          * code/data regions were mapped as a quirk for buggy firmware.
0430          * Unmap them from efi_pgd before freeing them up.
0431          */
0432         efi_unmap_pages(md);
0433
0434         /*
0435          * Nasty quirk: if all sub-1MB memory is used for boot
0436          * services, we can get here without having allocated the
0437          * real mode trampoline.  It's too late to hand boot services
0438          * memory back to the memblock allocator, so instead
0439          * try to manually allocate the trampoline if needed.
0440          *
0441          * I've seen this on a Dell XPS 13 9350 with firmware
0442          * 1.4.4 with SGX enabled booting Linux via Fedora 24's
0443          * grub2-efi on a hard disk.  (And no, I don't know why
0444          * this happened, but Linux should still try to boot rather
0445          * panicking early.)
0446          */
0447         rm_size = real_mode_size_needed();
0448         if (rm_size && (start + rm_size) < (1<<20) && size >= rm_size) {
0449             set_real_mode_mem(start);
0450             start += rm_size;
0451             size -= rm_size;
0452         }
0453
0454         /*
0455          * Don't free memory under 1M for two reasons:
0456          * - BIOS might clobber it
0457          * - Crash kernel needs it to be reserved
0458          */
0459         if (start + size < SZ_1M)
0460             continue;
0461         if (start < SZ_1M) {
0462             size -= (SZ_1M - start);
0463             start = SZ_1M;
0464         }
0465
0466         memblock_free_late(start, size);
0467     }
0468
0469     if (!num_entries)
0470         return;
0471
0472     if (efi_memmap_alloc(num_entries, &data) != 0) {
0473         pr_err("Failed to allocate new EFI memmap\n");
0474         return;
0475     }
0476
0477     new = memremap(data.phys_map, data.size, MEMREMAP_WB);
0478     if (!new) {
0479         pr_err("Failed to map new EFI memmap\n");
0480         return;
0481     }
0482
0483     /*
0484      * Build a new EFI memmap that excludes any boot services
0485      * regions that are not tagged EFI_MEMORY_RUNTIME, since those
0486      * regions have now been freed.
0487      */
0488     new_md = new;
0489     for_each_efi_memory_desc(md) {
0490         if (!(md->attribute & EFI_MEMORY_RUNTIME) &&
0491             (md->type == EFI_BOOT_SERVICES_CODE ||
0492              md->type == EFI_BOOT_SERVICES_DATA))
0493             continue;
0494
0495         memcpy(new_md, md, efi.memmap.desc_size);
0496         new_md += efi.memmap.desc_size;
0497     }
0498
0499     memunmap(new);
0500
0501     if (efi_memmap_install(&data) != 0) {
0502         pr_err("Could not install new EFI memmap\n");
0503         return;
0504     }
0505 }
0506
0507 /*
0508  * A number of config table entries get remapped to virtual addresses
0509  * after entering EFI virtual mode. However, the kexec kernel requires
0510  * their physical addresses therefore we pass them via setup_data and
0511  * correct those entries to their respective physical addresses here.
0512  *
0513  * Currently only handles smbios which is necessary for some firmware
0514  * implementation.
0515  */
0516 int __init efi_reuse_config(u64 tables, int nr_tables)
0517 {
0518     int i, sz, ret = 0;
0519     void *p, *tablep;
0520     struct efi_setup_data *data;
0521
0522     if (nr_tables == 0)
0523         return 0;
0524
0525     if (!efi_setup)
0526         return 0;
0527
0528     if (!efi_enabled(EFI_64BIT))
0529         return 0;
0530
0531     data = early_memremap(efi_setup, sizeof(*data));
0532     if (!data) {
0533         ret = -ENOMEM;
0534         goto out;
0535     }
0536
0537     if (!data->smbios)
0538         goto out_memremap;
0539
0540     sz = sizeof(efi_config_table_64_t);
0541
0542     p = tablep = early_memremap(tables, nr_tables * sz);
0543     if (!p) {
0544         pr_err("Could not map Configuration table!\n");
0545         ret = -ENOMEM;
0546         goto out_memremap;
0547     }
0548
0549     for (i = 0; i < nr_tables; i++) {
0550         efi_guid_t guid;
0551
0552         guid = ((efi_config_table_64_t *)p)->guid;
0553
0554         if (!efi_guidcmp(guid, SMBIOS_TABLE_GUID))
0555             ((efi_config_table_64_t *)p)->table = data->smbios;
0556         p += sz;
0557     }
0558     early_memunmap(tablep, nr_tables * sz);
0559
0560 out_memremap:
0561     early_memunmap(data, sizeof(*data));
0562 out:
0563     return ret;
0564 }
0565
0566 void __init efi_apply_memmap_quirks(void)
0567 {
0568     /*
0569      * Once setup is done earlier, unmap the EFI memory map on mismatched
0570      * firmware/kernel architectures since there is no support for runtime
0571      * services.
0572      */
0573     if (!efi_runtime_supported()) {
0574         pr_info("Setup done, disabling due to 32/64-bit mismatch\n");
0575         efi_memmap_unmap();
0576     }
0577 }
0578
0579 /*
0580  * For most modern platforms the preferred method of powering off is via
0581  * ACPI. However, there are some that are known to require the use of
0582  * EFI runtime services and for which ACPI does not work at all.
0583  *
0584  * Using EFI is a last resort, to be used only if no other option
0585  * exists.
0586  */
0587 bool efi_reboot_required(void)
0588 {
0589     if (!acpi_gbl_reduced_hardware)
0590         return false;
0591
0592     efi_reboot_quirk_mode = EFI_RESET_WARM;
0593     return true;
0594 }
0595
0596 bool efi_poweroff_required(void)
0597 {
0598     return acpi_gbl_reduced_hardware || acpi_no_s5;
0599 }
0600
0601 #ifdef CONFIG_EFI_CAPSULE_QUIRK_QUARK_CSH
0602
0603 static int qrk_capsule_setup_info(struct capsule_info *cap_info, void **pkbuff,
0604                   size_t hdr_bytes)
0605 {
0606     struct quark_security_header *csh = *pkbuff;
0607
0608     /* Only process data block that is larger than the security header */
0609     if (hdr_bytes < sizeof(struct quark_security_header))
0610         return 0;
0611
0612     if (csh->csh_signature != QUARK_CSH_SIGNATURE ||
0613         csh->headersize != QUARK_SECURITY_HEADER_SIZE)
0614         return 1;
0615
0616     /* Only process data block if EFI header is included */
0617     if (hdr_bytes < QUARK_SECURITY_HEADER_SIZE +
0618             sizeof(efi_capsule_header_t))
0619         return 0;
0620
0621     pr_debug("Quark security header detected\n");
0622
0623     if (csh->rsvd_next_header != 0) {
0624         pr_err("multiple Quark security headers not supported\n");
0625         return -EINVAL;
0626     }
0627
0628     *pkbuff += csh->headersize;
0629     cap_info->total_size = csh->headersize;
0630
0631     /*
0632      * Update the first page pointer to skip over the CSH header.
0633      */
0634     cap_info->phys[0] += csh->headersize;
0635
0636     /*
0637      * cap_info->capsule should point at a virtual mapping of the entire
0638      * capsule, starting at the capsule header. Our image has the Quark
0639      * security header prepended, so we cannot rely on the default vmap()
0640      * mapping created by the generic capsule code.
0641      * Given that the Quark firmware does not appear to care about the
0642      * virtual mapping, let's just point cap_info->capsule at our copy
0643      * of the capsule header.
0644      */
0645     cap_info->capsule = &cap_info->header;
0646
0647     return 1;
0648 }
0649
0650 static const struct x86_cpu_id efi_capsule_quirk_ids[] = {
0651     X86_MATCH_VENDOR_FAM_MODEL(INTEL, 5, INTEL_FAM5_QUARK_X1000,
0652                    &qrk_capsule_setup_info),
0653     { }
0654 };
0655
0656 int efi_capsule_setup_info(struct capsule_info *cap_info, void *kbuff,
0657                size_t hdr_bytes)
0658 {
0659     int (*quirk_handler)(struct capsule_info *, void **, size_t);
0660     const struct x86_cpu_id *id;
0661     int ret;
0662
0663     if (hdr_bytes < sizeof(efi_capsule_header_t))
0664         return 0;
0665
0666     cap_info->total_size = 0;
0667
0668     id = x86_match_cpu(efi_capsule_quirk_ids);
0669     if (id) {
0670         /*
0671          * The quirk handler is supposed to return
0672          *  - a value > 0 if the setup should continue, after advancing
0673          *    kbuff as needed
0674          *  - 0 if not enough hdr_bytes are available yet
0675          *  - a negative error code otherwise
0676          */
0677         quirk_handler = (typeof(quirk_handler))id->driver_data;
0678         ret = quirk_handler(cap_info, &kbuff, hdr_bytes);
0679         if (ret <= 0)
0680             return ret;
0681     }
0682
0683     memcpy(&cap_info->header, kbuff, sizeof(cap_info->header));
0684
0685     cap_info->total_size += cap_info->header.imagesize;
0686
0687     return __efi_capsule_setup_info(cap_info);
0688 }
0689
0690 #endif
0691
0692 /*
0693  * If any access by any efi runtime service causes a page fault, then,
0694  * 1. If it's efi_reset_system(), reboot through BIOS.
0695  * 2. If any other efi runtime service, then
0696  *    a. Return error status to the efi caller process.
0697  *    b. Disable EFI Runtime Services forever and
0698  *    c. Freeze efi_rts_wq and schedule new process.
0699  *
0700  * @return: Returns, if the page fault is not handled. This function
0701  * will never return if the page fault is handled successfully.
0702  */
0703 void efi_crash_gracefully_on_page_fault(unsigned long phys_addr)
0704 {
0705     if (!IS_ENABLED(CONFIG_X86_64))
0706         return;
0707
0708     /*
0709      * If we get an interrupt/NMI while processing an EFI runtime service
0710      * then this is a regular OOPS, not an EFI failure.
0711      */
0712     if (in_interrupt())
0713         return;
0714
0715     /*
0716      * Make sure that an efi runtime service caused the page fault.
0717      * READ_ONCE() because we might be OOPSing in a different thread,
0718      * and we don't want to trip KTSAN while trying to OOPS.
0719      */
0720     if (READ_ONCE(efi_rts_work.efi_rts_id) == EFI_NONE ||
0721         current_work() != &efi_rts_work.work)
0722         return;
0723
0724     /*
0725      * Address range 0x0000 - 0x0fff is always mapped in the efi_pgd, so
0726      * page faulting on these addresses isn't expected.
0727      */
0728     if (phys_addr <= 0x0fff)
0729         return;
0730
0731     /*
0732      * Print stack trace as it might be useful to know which EFI Runtime
0733      * Service is buggy.
0734      */
0735     WARN(1, FW_BUG "Page fault caused by firmware at PA: 0x%lx\n",
0736          phys_addr);
0737
0738     /*
0739      * Buggy efi_reset_system() is handled differently from other EFI
0740      * Runtime Services as it doesn't use efi_rts_wq. Although,
0741      * native_machine_emergency_restart() says that machine_real_restart()
0742      * could fail, it's better not to complicate this fault handler
0743      * because this case occurs *very* rarely and hence could be improved
0744      * on a need by basis.
0745      */
0746     if (efi_rts_work.efi_rts_id == EFI_RESET_SYSTEM) {
0747         pr_info("efi_reset_system() buggy! Reboot through BIOS\n");
0748         machine_real_restart(MRR_BIOS);
0749         return;
0750     }
0751
0752     /*
0753      * Before calling EFI Runtime Service, the kernel has switched the
0754      * calling process to efi_mm. Hence, switch back to task_mm.
0755      */
0756     arch_efi_call_virt_teardown();
0757
0758     /* Signal error status to the efi caller process */
0759     efi_rts_work.status = EFI_ABORTED;
0760     complete(&efi_rts_work.efi_rts_comp);
0761
0762     clear_bit(EFI_RUNTIME_SERVICES, &efi.flags);
0763     pr_info("Froze efi_rts_wq and disabled EFI Runtime Services\n");
0764
0765     /*
0766      * Call schedule() in an infinite loop, so that any spurious wake ups
0767      * will never run efi_rts_wq again.
0768      */
0769     for (;;) {
0770         set_current_state(TASK_IDLE);
0771         schedule();
0772     }
0773 }