[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH 2/3] efi: Protect against unnecessary image unloading

  • To: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • From: Alejandro Vallejo <alejandro.garciavallejo@xxxxxxx>
  • Date: Thu, 11 Sep 2025 19:20:33 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 165.204.84.17) smtp.rcpttodomain=cloud.com smtp.mailfrom=amd.com; dmarc=pass (p=quarantine sp=quarantine pct=100) action=none header.from=amd.com; dkim=none (message not signed); arc=none (0)
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=KtD0HXiA6kfML2R5w42sJk/0LJZtoVkpc5kiCLJuFaI=; b=lHManHIRfza+6Dda0wOx62y6liPuxYLFDEvZcDsnq4ffZX0u8eurPQZmEQ9RRNriSGfbm5LZ9bkVydTVKXsZSdHDnkS0jZtEik+l4FTCRU4EPqseITHtVzYydgpT0K63DX7J0OkRVjv9ecQi0UZGFp3e5w0TYO7/akFdPfDH+H/iZ1r5LqHHZoWe8v+oKZXiVRY9VIT6OZiE/tQVDNVyfk87mqmzdymaH9RF297LtEAGcn4ZnfluOduUE/gGN+NPOC3HUO/9f7+hKdb2KyAc0a1jWJh3V5SyNTHNp9dJvb/X/nwHgHRkROdUK9qqBC61i0C19YukuDz51y80ojF0ww==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=pgjlpbR0y9F406TNN3Xslshdwpeso0jAIfY08Pj8F+1NYs6179iLFdUoI6FhfE4CHszaW5WRxWH79WhY/ZuOe33utbVdXBguiY2KX+AhivOi1VZvbQsNsG2Dk6CBesiH+m71j6H3YwIuucqMQbrRniNFFl3025TDjv81x87uxjn/95453vXFBUymCdcVG3Ew62XHdMEIbYoaurwSTaTjnq23WCQxWJQZxO5LmtqgRmn8z1DHL42s1+sXms1QwDeeg7bt4LNrY3g5WxeBxEGqbRisNL6oBGZl/0ZhPySHO3Q3tyR0dI/4FCXYRryAPkjeuaMxvBxFi6N5+9foYNviCQ==
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, "Andrew Cooper" <andrew.cooper3@xxxxxxxxxx>, Anthony PERARD <anthony.perard@xxxxxxxxxx>, Michal Orzel <michal.orzel@xxxxxxx>, "Julien Grall" <julien@xxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Xen-devel <xen-devel-bounces@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Thu, 11 Sep 2025 17:20:58 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu Sep 11, 2025 at 10:24 AM CEST, Gerald Elder-Vass wrote:
> Commit 59a1d6d3ea1e introduced Shim's LoadImage protocol and unloads the
> image after loading it (for verification purposes) regardless of the
> returned status. The protocol API implies this is the correct behaviour
> but we should add a check to protect against the unlikely case this
> frees any memory in use.

Any what memory in use? The function loads an image, it's not a consumer.

It can't free anything because it doesn't know where it came from. It might've
been embedded in your own binary, and it can't compromise its integrity like
that.

>
> Signed-off-by: Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>
> ---
> CC: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> CC: "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>
> CC: Jan Beulich <jbeulich@xxxxxxxx>
> CC: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
> CC: Anthony PERARD <anthony.perard@xxxxxxxxxx>
> CC: Michal Orzel <michal.orzel@xxxxxxx>
> CC: Julien Grall <julien@xxxxxxx>
> CC: "Roger Pau Monné" <roger.pau@xxxxxxxxxx>
> CC: Stefano Stabellini <sstabellini@xxxxxxxxxx>
> ---
>  xen/common/efi/boot.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/xen/common/efi/boot.c b/xen/common/efi/boot.c
> index 69fc022c18ab..ca162db0d8d3 100644
> --- a/xen/common/efi/boot.c
> +++ b/xen/common/efi/boot.c
> @@ -1062,7 +1062,7 @@ static void __init efi_verify_kernel(EFI_HANDLE 
> ImageHandle)
>      static EFI_GUID __initdata shim_image_guid = SHIM_IMAGE_LOADER_GUID;
>      static EFI_GUID __initdata shim_lock_guid = SHIM_LOCK_PROTOCOL_GUID;
>      SHIM_IMAGE_LOADER *shim_loader;
> -    EFI_HANDLE loaded_kernel;
> +    EFI_HANDLE loaded_kernel = NULL;

This isn't required if unloading checks for the success case or the only error 
case
that has a successful load. See below.

Furthermore, you don't really know if the callee clobbered it.

>      EFI_SHIM_LOCK_PROTOCOL *shim_lock;
>      EFI_STATUS status;
>      bool verified = false;
> @@ -1078,11 +1078,12 @@ static void __init efi_verify_kernel(EFI_HANDLE 
> ImageHandle)
>              verified = true;
>  
>          /*
> -         * Always unload the image.  We only needed LoadImage() to perform
> -         * verification anyway, and in the case of a failure there may still
> -         * be cleanup needing to be performed.
> +         * If the kernel was loaded, unload it. We only needed LoadImage() to
> +         * perform verification anyway, and in the case of a failure there 
> may
> +         * still be cleanup needing to be performed.
>           */
> -        shim_loader->UnloadImage(loaded_kernel);
> +        if ( loaded_kernel )

Not sure this is what you want. The image needs unloading only when there's no
error OR the error is EFI_SECURITY_VIOLATION. See section 7.4.1:

https://uefi.org/specs/UEFI/2.11/07_Services_Boot_Services.html#efi-boot-services-loadimage

... and shim being a drop-in replacement, it's meant to be spec-compliant.

Trying to unload based on the assumption that loaded_image will remain 
undisturbed is
an assumption waiting to be broken.

IMO, this wants to be instead:

  if ( !EFI_ERROR(status) || (status == EFI_SECURITY_VIOLATION) )
      // unload

Cheers,
Alejandro

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.