[PATCH] efi: Add missing __nocfi annotations to runtime wrappers
Linus Walleij
linus.walleij at linaro.org
Tue Jun 4 14:05:08 PDT 2024
On Tue, Jun 4, 2024 at 5:56 PM Ard Biesheuvel <ardb+git at google.com> wrote:
> From: Ard Biesheuvel <ardb at kernel.org>
>
> The EFI runtime wrappers are a sandbox for calling into EFI runtime
> services, which are invoked using indirect calls. When running with kCFI
> enabled, the compiler will require the target of any indirect call to be
> type annotated.
>
> Given that the EFI runtime services prototypes and calling convention
> are governed by the EFI spec, not the Linux kernel, adding such type
> annotations for firmware routines is infeasible, and so the compiler
> must be informed that prototype validation should be omitted.
>
> Add the __nocfi annotation at the appropriate places in the EFI runtime
> wrapper code to achieve this.
>
> Note that this currently only affects 32-bit ARM, given that other
> architectures that support both kCFI and EFI use an asm wrapper to call
> EFI runtime services, and this hides the indirect call from the
> compiler.
>
> Cc: Kees Cook <keescook at chromium.org>
> Cc: Sami Tolvanen <samitolvanen at google.com>
> Cc: Linus Walleij <linus.walleij at linaro.org>
> Cc: Nathan Chancellor <nathan at kernel.org>
> Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
Thanks for looking into this Ard!
Reviewed-by: Linus Walleij <linus.walleij at linaro.org>
Maybe tag on:
Fixes: 1a4fec49efe5 ("ARM: 9392/2: Support CLANG CFI")
So it goes into the v6.10-rc:s.
Yours,
Linus Walleij
More information about the linux-arm-kernel
mailing list