Re: [RFC PATCH] arm64/efi: use id mapping for Runtime Services
On 6 August 2014 16:36, Will Deacon will.dea...@arm.com wrote: On Thu, Jul 31, 2014 at 03:11:49PM +0100, Ard Biesheuvel wrote: There are 2 interesting pieces of information in the UEFI spec section 2.3.6 regarding the mapping of runtime regions: (a) the firmware should not request a virtual mapping for configuration tables, even though they are marked as EfiRuntimeServicesData; (b) calling SetVirtualAddressMap() is optional, and it is equally appropriate to call Runtime Services using an identity mapping. So we can eliminate some of the complexity around UEFI Runtime Services by not using a virtual mapping at all, and calling the services at their physical address. This is especially useful under kexec, as SetVirtualAddressMap() may only be called once, and there is no guarantee that mappings are stable between different kexec'd kernels. The fallout for other in-kernel users of UEFI data structures should be negligible, as they cannot legally access those data structures through pre-existing virtual mappings anyway (point (a) above) It should also be noted that, as the kernel side of the address space (TTBR1) is retained, the stack and pointer function arguments remain accessible to the runtime service while the id mapping is active. Signed-off-by: Ard Biesheuvel ard.biesheu...@linaro.org --- arch/arm64/include/asm/efi.h | 24 -- arch/arm64/kernel/efi.c | 106 ++- 2 files changed, 23 insertions(+), 107 deletions(-) diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h index a34fd3b12e2b..d42a21e79b39 100644 --- a/arch/arm64/include/asm/efi.h +++ b/arch/arm64/include/asm/efi.h @@ -1,8 +1,10 @@ #ifndef _ASM_EFI_H #define _ASM_EFI_H +#include asm/cacheflush.h #include asm/io.h #include asm/neon.h +#include asm/tlbflush.h #ifdef CONFIG_EFI extern void efi_init(void); @@ -12,23 +14,37 @@ extern void efi_idmap_init(void); #define efi_idmap_init() #endif +static inline void switch_pgd(pgd_t *pgd, struct mm_struct *mm) +{ + cpu_switch_mm(pgd, mm); + flush_tlb_all(); + if (icache_is_aivivt()) + __flush_icache_all(); +} + #define efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ efi_status_t __s; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __s = __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ __s;\ }) This scares the bejesus out of me, but I can't put my finger on exactly why. I think it does what you intend and I can't break it myself, so it would be really good if the EFI folks could confirm that this looks good to them. There is something similar in the x86 code (arch/x86/platform/efi/efi.c) * The new method does a pagetable switch in a preemption-safe manner * so that we're in a different address space when calling a runtime * function. For function arguments passing we do copy the PGDs of the * kernel page table into -trampoline_pgd prior to each call. How exactly this will turn out for arm64 (and ARM) is still under discussion, though. My position is that if you are going to switch pgd's anyway, why not just use the id mapping? And even if you feel it is mandatory to install a virtual address mapping into UEFI (which I think is /not/ the case), you could install an id mapping as well, which means all the related machinery still gets invoked. The alternative to using a TTBR0 mapping would be to reserve a slice of kernel virtual memory so that the Runtime Services are guaranteed to live at the same virtual address after a kexec, ideally the same region on 4k and 64k pages ... We are planning to discuss this further at Linaro Connect next month. -- Ard. -- To unsubscribe from this list: send the line unsubscribe linux-efi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC PATCH] arm64/efi: use id mapping for Runtime Services
On Wed, Aug 06, 2014 at 04:15:23PM +0100, Ard Biesheuvel wrote: On 6 August 2014 16:36, Will Deacon will.dea...@arm.com wrote: On Thu, Jul 31, 2014 at 03:11:49PM +0100, Ard Biesheuvel wrote: #define efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ efi_status_t __s; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __s = __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ __s;\ }) This scares the bejesus out of me, but I can't put my finger on exactly why. I think it does what you intend and I can't break it myself, so it would be really good if the EFI folks could confirm that this looks good to them. There is something similar in the x86 code (arch/x86/platform/efi/efi.c) * The new method does a pagetable switch in a preemption-safe manner * so that we're in a different address space when calling a runtime * function. For function arguments passing we do copy the PGDs of the * kernel page table into -trampoline_pgd prior to each call. How exactly this will turn out for arm64 (and ARM) is still under discussion, though. My position is that if you are going to switch pgd's anyway, why not just use the id mapping? And even if you feel it is mandatory to install a virtual address mapping into UEFI (which I think is /not/ the case), you could install an id mapping as well, which means all the related machinery still gets invoked. The alternative to using a TTBR0 mapping would be to reserve a slice of kernel virtual memory so that the Runtime Services are guaranteed to live at the same virtual address after a kexec, ideally the same region on 4k and 64k pages ... We are planning to discuss this further at Linaro Connect next month. Ok, thanks for the update. I'll hold off on this until you've discussed it some more. Cheers, Will -- To unsubscribe from this list: send the line unsubscribe linux-efi in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[RFC PATCH] arm64/efi: use id mapping for Runtime Services
There are 2 interesting pieces of information in the UEFI spec section 2.3.6 regarding the mapping of runtime regions: (a) the firmware should not request a virtual mapping for configuration tables, even though they are marked as EfiRuntimeServicesData; (b) calling SetVirtualAddressMap() is optional, and it is equally appropriate to call Runtime Services using an identity mapping. So we can eliminate some of the complexity around UEFI Runtime Services by not using a virtual mapping at all, and calling the services at their physical address. This is especially useful under kexec, as SetVirtualAddressMap() may only be called once, and there is no guarantee that mappings are stable between different kexec'd kernels. The fallout for other in-kernel users of UEFI data structures should be negligible, as they cannot legally access those data structures through pre-existing virtual mappings anyway (point (a) above) It should also be noted that, as the kernel side of the address space (TTBR1) is retained, the stack and pointer function arguments remain accessible to the runtime service while the id mapping is active. Signed-off-by: Ard Biesheuvel ard.biesheu...@linaro.org --- arch/arm64/include/asm/efi.h | 24 -- arch/arm64/kernel/efi.c | 106 ++- 2 files changed, 23 insertions(+), 107 deletions(-) diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h index a34fd3b12e2b..d42a21e79b39 100644 --- a/arch/arm64/include/asm/efi.h +++ b/arch/arm64/include/asm/efi.h @@ -1,8 +1,10 @@ #ifndef _ASM_EFI_H #define _ASM_EFI_H +#include asm/cacheflush.h #include asm/io.h #include asm/neon.h +#include asm/tlbflush.h #ifdef CONFIG_EFI extern void efi_init(void); @@ -12,23 +14,37 @@ extern void efi_idmap_init(void); #define efi_idmap_init() #endif +static inline void switch_pgd(pgd_t *pgd, struct mm_struct *mm) +{ + cpu_switch_mm(pgd, mm); + flush_tlb_all(); + if (icache_is_aivivt()) + __flush_icache_all(); +} + #define efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ efi_status_t __s; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __s = __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ __s;\ }) #define __efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ }) diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c index e72f3100958f..d620a031e7bf 100644 --- a/arch/arm64/kernel/efi.c +++ b/arch/arm64/kernel/efi.c @@ -27,8 +27,6 @@ struct efi_memory_map memmap; -static efi_runtime_services_t *runtime; - static u64 efi_system_table; static int uefi_debug __initdata; @@ -340,51 +338,9 @@ void __init efi_idmap_init(void) efi_setup_idmap(); } -static int __init remap_region(efi_memory_desc_t *md, void **new) -{ - u64 paddr, vaddr, npages, size; - - paddr = md-phys_addr; - npages = md-num_pages; - memrange_efi_to_native(paddr, npages); - size = npages PAGE_SHIFT; - - if (is_normal_ram(md)) - vaddr = (__force u64)ioremap_cache(paddr, size); - else - vaddr = (__force u64)ioremap(paddr, size); - - if (!vaddr) { - pr_err(Unable to remap 0x%llx pages @ %p\n, - npages, (void *)paddr); - return 0; - } - -
Re: [RFC PATCH] arm64/efi: use id mapping for Runtime Services
On Thu, 2014-07-31 at 16:11 +0200, Ard Biesheuvel wrote: There are 2 interesting pieces of information in the UEFI spec section 2.3.6 regarding the mapping of runtime regions: (a) the firmware should not request a virtual mapping for configuration tables, even though they are marked as EfiRuntimeServicesData; (b) calling SetVirtualAddressMap() is optional, and it is equally appropriate to call Runtime Services using an identity mapping. So we can eliminate some of the complexity around UEFI Runtime Services by not using a virtual mapping at all, and calling the services at their physical address. This is especially useful under kexec, as SetVirtualAddressMap() may only be called once, and there is no guarantee that mappings are stable between different kexec'd kernels. The fallout for other in-kernel users of UEFI data structures should be negligible, as they cannot legally access those data structures through pre-existing virtual mappings anyway (point (a) above) It should also be noted that, as the kernel side of the address space (TTBR1) is retained, the stack and pointer function arguments remain accessible to the runtime service while the id mapping is active. Signed-off-by: Ard Biesheuvel ard.biesheu...@linaro.org --- arch/arm64/include/asm/efi.h | 24 -- arch/arm64/kernel/efi.c | 106 ++- 2 files changed, 23 insertions(+), 107 deletions(-) diff --git a/arch/arm64/include/asm/efi.h b/arch/arm64/include/asm/efi.h index a34fd3b12e2b..d42a21e79b39 100644 --- a/arch/arm64/include/asm/efi.h +++ b/arch/arm64/include/asm/efi.h @@ -1,8 +1,10 @@ #ifndef _ASM_EFI_H #define _ASM_EFI_H +#include asm/cacheflush.h #include asm/io.h #include asm/neon.h +#include asm/tlbflush.h #ifdef CONFIG_EFI extern void efi_init(void); @@ -12,23 +14,37 @@ extern void efi_idmap_init(void); #define efi_idmap_init() #endif +static inline void switch_pgd(pgd_t *pgd, struct mm_struct *mm) +{ + cpu_switch_mm(pgd, mm); + flush_tlb_all(); + if (icache_is_aivivt()) + __flush_icache_all(); +} + #define efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ efi_status_t __s; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __s = __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ __s;\ }) #define __efi_call_virt(f, ...) \ ({ \ - efi_##f##_t *__f = efi.systab-runtime-f; \ + efi_##f##_t *__f; \ \ - kernel_neon_begin();\ + kernel_neon_begin(); /* disables preemption */ \ + switch_pgd(idmap_pg_dir, init_mm); \ + __f = efi.systab-runtime-f; \ __f(__VA_ARGS__); \ + switch_pgd(current-active_mm-pgd, current-active_mm);\ kernel_neon_end(); \ }) If you replace the current user pgd with idmap pgd and there is an exception in the firmware which would lead to the user task being killed, what happens? diff --git a/arch/arm64/kernel/efi.c b/arch/arm64/kernel/efi.c index e72f3100958f..d620a031e7bf 100644 --- a/arch/arm64/kernel/efi.c +++ b/arch/arm64/kernel/efi.c @@ -27,8 +27,6 @@ struct efi_memory_map memmap; -static efi_runtime_services_t *runtime; - static u64 efi_system_table; static int uefi_debug __initdata; @@ -340,51 +338,9 @@ void __init efi_idmap_init(void) efi_setup_idmap(); } -static int __init remap_region(efi_memory_desc_t *md, void **new) -{ - u64 paddr, vaddr, npages, size; - - paddr = md-phys_addr; - npages = md-num_pages; - memrange_efi_to_native(paddr, npages); - size = npages PAGE_SHIFT; - - if (is_normal_ram(md)) - vaddr = (__force