1 // SPDX-License-Identifier: GPL-2.0+ 2 /* 3 * EFI Test Driver for Runtime Services 4 * 5 * Copyright(C) 2012-2016 Canonical Ltd. 6 * 7 * This driver exports EFI runtime services interfaces into userspace, which 8 * allow to use and test UEFI runtime services provided by firmware. 9 * 10 */ 11 12 #include <linux/miscdevice.h> 13 #include <linux/module.h> 14 #include <linux/init.h> 15 #include <linux/proc_fs.h> 16 #include <linux/efi.h> 17 #include <linux/security.h> 18 #include <linux/slab.h> 19 #include <linux/uaccess.h> 20 21 #include "efi_test.h" 22 23 MODULE_AUTHOR("Ivan Hu <ivan.hu@canonical.com>"); 24 MODULE_DESCRIPTION("EFI Test Driver"); 25 MODULE_LICENSE("GPL"); 26 27 /* 28 * Count the bytes in 'str', including the terminating NULL. 29 * 30 * Note this function returns the number of *bytes*, not the number of 31 * ucs2 characters. 32 */ 33 static inline size_t user_ucs2_strsize(efi_char16_t __user *str) 34 { 35 efi_char16_t *s = str, c; 36 size_t len; 37 38 if (!str) 39 return 0; 40 41 /* Include terminating NULL */ 42 len = sizeof(efi_char16_t); 43 44 if (get_user(c, s++)) { 45 /* Can't read userspace memory for size */ 46 return 0; 47 } 48 49 while (c != 0) { 50 if (get_user(c, s++)) { 51 /* Can't read userspace memory for size */ 52 return 0; 53 } 54 len += sizeof(efi_char16_t); 55 } 56 return len; 57 } 58 59 /* 60 * Allocate a buffer and copy a ucs2 string from user space into it. 61 */ 62 static inline int 63 copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src, 64 size_t len) 65 { 66 efi_char16_t *buf; 67 68 if (!src) { 69 *dst = NULL; 70 return 0; 71 } 72 73 buf = memdup_user(src, len); 74 if (IS_ERR(buf)) { 75 *dst = NULL; 76 return PTR_ERR(buf); 77 } 78 *dst = buf; 79 80 return 0; 81 } 82 83 /* 84 * Count the bytes in 'str', including the terminating NULL. 85 * 86 * Just a wrap for user_ucs2_strsize 87 */ 88 static inline int 89 get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len) 90 { 91 *len = user_ucs2_strsize(src); 92 if (*len == 0) 93 return -EFAULT; 94 95 return 0; 96 } 97 98 /* 99 * Calculate the required buffer allocation size and copy a ucs2 string 100 * from user space into it. 101 * 102 * This function differs from copy_ucs2_from_user_len() because it 103 * calculates the size of the buffer to allocate by taking the length of 104 * the string 'src'. 105 * 106 * If a non-zero value is returned, the caller MUST NOT access 'dst'. 107 * 108 * It is the caller's responsibility to free 'dst'. 109 */ 110 static inline int 111 copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src) 112 { 113 size_t len; 114 115 len = user_ucs2_strsize(src); 116 if (len == 0) 117 return -EFAULT; 118 return copy_ucs2_from_user_len(dst, src, len); 119 } 120 121 /* 122 * Copy a ucs2 string to a user buffer. 123 * 124 * This function is a simple wrapper around copy_to_user() that does 125 * nothing if 'src' is NULL, which is useful for reducing the amount of 126 * NULL checking the caller has to do. 127 * 128 * 'len' specifies the number of bytes to copy. 129 */ 130 static inline int 131 copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len) 132 { 133 if (!src) 134 return 0; 135 136 return copy_to_user(dst, src, len); 137 } 138 139 static long efi_runtime_get_variable(unsigned long arg) 140 { 141 struct efi_getvariable __user *getvariable_user; 142 struct efi_getvariable getvariable; 143 unsigned long datasize = 0, prev_datasize, *dz; 144 efi_guid_t vendor_guid, *vd = NULL; 145 efi_status_t status; 146 efi_char16_t *name = NULL; 147 u32 attr, *at; 148 void *data = NULL; 149 int rv = 0; 150 151 getvariable_user = (struct efi_getvariable __user *)arg; 152 153 if (copy_from_user(&getvariable, getvariable_user, 154 sizeof(getvariable))) 155 return -EFAULT; 156 if (getvariable.data_size && 157 get_user(datasize, getvariable.data_size)) 158 return -EFAULT; 159 if (getvariable.vendor_guid) { 160 if (copy_from_user(&vendor_guid, getvariable.vendor_guid, 161 sizeof(vendor_guid))) 162 return -EFAULT; 163 vd = &vendor_guid; 164 } 165 166 if (getvariable.variable_name) { 167 rv = copy_ucs2_from_user(&name, getvariable.variable_name); 168 if (rv) 169 return rv; 170 } 171 172 at = getvariable.attributes ? &attr : NULL; 173 dz = getvariable.data_size ? &datasize : NULL; 174 175 if (getvariable.data_size && getvariable.data) { 176 data = kmalloc(datasize, GFP_KERNEL); 177 if (!data) { 178 kfree(name); 179 return -ENOMEM; 180 } 181 } 182 183 prev_datasize = datasize; 184 status = efi.get_variable(name, vd, at, dz, data); 185 kfree(name); 186 187 if (put_user(status, getvariable.status)) { 188 rv = -EFAULT; 189 goto out; 190 } 191 192 if (status != EFI_SUCCESS) { 193 if (status == EFI_BUFFER_TOO_SMALL) { 194 if (dz && put_user(datasize, getvariable.data_size)) { 195 rv = -EFAULT; 196 goto out; 197 } 198 } 199 rv = -EINVAL; 200 goto out; 201 } 202 203 if (prev_datasize < datasize) { 204 rv = -EINVAL; 205 goto out; 206 } 207 208 if (data) { 209 if (copy_to_user(getvariable.data, data, datasize)) { 210 rv = -EFAULT; 211 goto out; 212 } 213 } 214 215 if (at && put_user(attr, getvariable.attributes)) { 216 rv = -EFAULT; 217 goto out; 218 } 219 220 if (dz && put_user(datasize, getvariable.data_size)) 221 rv = -EFAULT; 222 223 out: 224 kfree(data); 225 return rv; 226 227 } 228 229 static long efi_runtime_set_variable(unsigned long arg) 230 { 231 struct efi_setvariable __user *setvariable_user; 232 struct efi_setvariable setvariable; 233 efi_guid_t vendor_guid; 234 efi_status_t status; 235 efi_char16_t *name = NULL; 236 void *data; 237 int rv = 0; 238 239 setvariable_user = (struct efi_setvariable __user *)arg; 240 241 if (copy_from_user(&setvariable, setvariable_user, sizeof(setvariable))) 242 return -EFAULT; 243 if (copy_from_user(&vendor_guid, setvariable.vendor_guid, 244 sizeof(vendor_guid))) 245 return -EFAULT; 246 247 if (setvariable.variable_name) { 248 rv = copy_ucs2_from_user(&name, setvariable.variable_name); 249 if (rv) 250 return rv; 251 } 252 253 data = memdup_user(setvariable.data, setvariable.data_size); 254 if (IS_ERR(data)) { 255 kfree(name); 256 return PTR_ERR(data); 257 } 258 259 status = efi.set_variable(name, &vendor_guid, 260 setvariable.attributes, 261 setvariable.data_size, data); 262 263 if (put_user(status, setvariable.status)) { 264 rv = -EFAULT; 265 goto out; 266 } 267 268 rv = status == EFI_SUCCESS ? 0 : -EINVAL; 269 270 out: 271 kfree(data); 272 kfree(name); 273 274 return rv; 275 } 276 277 static long efi_runtime_get_time(unsigned long arg) 278 { 279 struct efi_gettime __user *gettime_user; 280 struct efi_gettime gettime; 281 efi_status_t status; 282 efi_time_cap_t cap; 283 efi_time_t efi_time; 284 285 gettime_user = (struct efi_gettime __user *)arg; 286 if (copy_from_user(&gettime, gettime_user, sizeof(gettime))) 287 return -EFAULT; 288 289 status = efi.get_time(gettime.time ? &efi_time : NULL, 290 gettime.capabilities ? &cap : NULL); 291 292 if (put_user(status, gettime.status)) 293 return -EFAULT; 294 295 if (status != EFI_SUCCESS) 296 return -EINVAL; 297 298 if (gettime.capabilities) { 299 efi_time_cap_t __user *cap_local; 300 301 cap_local = (efi_time_cap_t *)gettime.capabilities; 302 if (put_user(cap.resolution, &(cap_local->resolution)) || 303 put_user(cap.accuracy, &(cap_local->accuracy)) || 304 put_user(cap.sets_to_zero, &(cap_local->sets_to_zero))) 305 return -EFAULT; 306 } 307 if (gettime.time) { 308 if (copy_to_user(gettime.time, &efi_time, sizeof(efi_time_t))) 309 return -EFAULT; 310 } 311 312 return 0; 313 } 314 315 static long efi_runtime_set_time(unsigned long arg) 316 { 317 struct efi_settime __user *settime_user; 318 struct efi_settime settime; 319 efi_status_t status; 320 efi_time_t efi_time; 321 322 settime_user = (struct efi_settime __user *)arg; 323 if (copy_from_user(&settime, settime_user, sizeof(settime))) 324 return -EFAULT; 325 if (copy_from_user(&efi_time, settime.time, 326 sizeof(efi_time_t))) 327 return -EFAULT; 328 status = efi.set_time(&efi_time); 329 330 if (put_user(status, settime.status)) 331 return -EFAULT; 332 333 return status == EFI_SUCCESS ? 0 : -EINVAL; 334 } 335 336 static long efi_runtime_get_waketime(unsigned long arg) 337 { 338 struct efi_getwakeuptime __user *getwakeuptime_user; 339 struct efi_getwakeuptime getwakeuptime; 340 efi_bool_t enabled, pending; 341 efi_status_t status; 342 efi_time_t efi_time; 343 344 getwakeuptime_user = (struct efi_getwakeuptime __user *)arg; 345 if (copy_from_user(&getwakeuptime, getwakeuptime_user, 346 sizeof(getwakeuptime))) 347 return -EFAULT; 348 349 status = efi.get_wakeup_time( 350 getwakeuptime.enabled ? (efi_bool_t *)&enabled : NULL, 351 getwakeuptime.pending ? (efi_bool_t *)&pending : NULL, 352 getwakeuptime.time ? &efi_time : NULL); 353 354 if (put_user(status, getwakeuptime.status)) 355 return -EFAULT; 356 357 if (status != EFI_SUCCESS) 358 return -EINVAL; 359 360 if (getwakeuptime.enabled && put_user(enabled, 361 getwakeuptime.enabled)) 362 return -EFAULT; 363 364 if (getwakeuptime.time) { 365 if (copy_to_user(getwakeuptime.time, &efi_time, 366 sizeof(efi_time_t))) 367 return -EFAULT; 368 } 369 370 return 0; 371 } 372 373 static long efi_runtime_set_waketime(unsigned long arg) 374 { 375 struct efi_setwakeuptime __user *setwakeuptime_user; 376 struct efi_setwakeuptime setwakeuptime; 377 efi_bool_t enabled; 378 efi_status_t status; 379 efi_time_t efi_time; 380 381 setwakeuptime_user = (struct efi_setwakeuptime __user *)arg; 382 383 if (copy_from_user(&setwakeuptime, setwakeuptime_user, 384 sizeof(setwakeuptime))) 385 return -EFAULT; 386 387 enabled = setwakeuptime.enabled; 388 if (setwakeuptime.time) { 389 if (copy_from_user(&efi_time, setwakeuptime.time, 390 sizeof(efi_time_t))) 391 return -EFAULT; 392 393 status = efi.set_wakeup_time(enabled, &efi_time); 394 } else 395 status = efi.set_wakeup_time(enabled, NULL); 396 397 if (put_user(status, setwakeuptime.status)) 398 return -EFAULT; 399 400 return status == EFI_SUCCESS ? 0 : -EINVAL; 401 } 402 403 static long efi_runtime_get_nextvariablename(unsigned long arg) 404 { 405 struct efi_getnextvariablename __user *getnextvariablename_user; 406 struct efi_getnextvariablename getnextvariablename; 407 unsigned long name_size, prev_name_size = 0, *ns = NULL; 408 efi_status_t status; 409 efi_guid_t *vd = NULL; 410 efi_guid_t vendor_guid; 411 efi_char16_t *name = NULL; 412 int rv = 0; 413 414 getnextvariablename_user = (struct efi_getnextvariablename __user *)arg; 415 416 if (copy_from_user(&getnextvariablename, getnextvariablename_user, 417 sizeof(getnextvariablename))) 418 return -EFAULT; 419 420 if (getnextvariablename.variable_name_size) { 421 if (get_user(name_size, getnextvariablename.variable_name_size)) 422 return -EFAULT; 423 ns = &name_size; 424 prev_name_size = name_size; 425 } 426 427 if (getnextvariablename.vendor_guid) { 428 if (copy_from_user(&vendor_guid, 429 getnextvariablename.vendor_guid, 430 sizeof(vendor_guid))) 431 return -EFAULT; 432 vd = &vendor_guid; 433 } 434 435 if (getnextvariablename.variable_name) { 436 size_t name_string_size = 0; 437 438 rv = get_ucs2_strsize_from_user( 439 getnextvariablename.variable_name, 440 &name_string_size); 441 if (rv) 442 return rv; 443 /* 444 * The name_size may be smaller than the real buffer size where 445 * variable name located in some use cases. The most typical 446 * case is passing a 0 to get the required buffer size for the 447 * 1st time call. So we need to copy the content from user 448 * space for at least the string size of variable name, or else 449 * the name passed to UEFI may not be terminated as we expected. 450 */ 451 rv = copy_ucs2_from_user_len(&name, 452 getnextvariablename.variable_name, 453 prev_name_size > name_string_size ? 454 prev_name_size : name_string_size); 455 if (rv) 456 return rv; 457 } 458 459 status = efi.get_next_variable(ns, name, vd); 460 461 if (put_user(status, getnextvariablename.status)) { 462 rv = -EFAULT; 463 goto out; 464 } 465 466 if (status != EFI_SUCCESS) { 467 if (status == EFI_BUFFER_TOO_SMALL) { 468 if (ns && put_user(*ns, 469 getnextvariablename.variable_name_size)) { 470 rv = -EFAULT; 471 goto out; 472 } 473 } 474 rv = -EINVAL; 475 goto out; 476 } 477 478 if (name) { 479 if (copy_ucs2_to_user_len(getnextvariablename.variable_name, 480 name, prev_name_size)) { 481 rv = -EFAULT; 482 goto out; 483 } 484 } 485 486 if (ns) { 487 if (put_user(*ns, getnextvariablename.variable_name_size)) { 488 rv = -EFAULT; 489 goto out; 490 } 491 } 492 493 if (vd) { 494 if (copy_to_user(getnextvariablename.vendor_guid, vd, 495 sizeof(efi_guid_t))) 496 rv = -EFAULT; 497 } 498 499 out: 500 kfree(name); 501 return rv; 502 } 503 504 static long efi_runtime_get_nexthighmonocount(unsigned long arg) 505 { 506 struct efi_getnexthighmonotoniccount __user *getnexthighmonocount_user; 507 struct efi_getnexthighmonotoniccount getnexthighmonocount; 508 efi_status_t status; 509 u32 count; 510 511 getnexthighmonocount_user = (struct 512 efi_getnexthighmonotoniccount __user *)arg; 513 514 if (copy_from_user(&getnexthighmonocount, 515 getnexthighmonocount_user, 516 sizeof(getnexthighmonocount))) 517 return -EFAULT; 518 519 status = efi.get_next_high_mono_count( 520 getnexthighmonocount.high_count ? &count : NULL); 521 522 if (put_user(status, getnexthighmonocount.status)) 523 return -EFAULT; 524 525 if (status != EFI_SUCCESS) 526 return -EINVAL; 527 528 if (getnexthighmonocount.high_count && 529 put_user(count, getnexthighmonocount.high_count)) 530 return -EFAULT; 531 532 return 0; 533 } 534 535 static long efi_runtime_reset_system(unsigned long arg) 536 { 537 struct efi_resetsystem __user *resetsystem_user; 538 struct efi_resetsystem resetsystem; 539 void *data = NULL; 540 541 resetsystem_user = (struct efi_resetsystem __user *)arg; 542 if (copy_from_user(&resetsystem, resetsystem_user, 543 sizeof(resetsystem))) 544 return -EFAULT; 545 if (resetsystem.data_size != 0) { 546 data = memdup_user((void *)resetsystem.data, 547 resetsystem.data_size); 548 if (IS_ERR(data)) 549 return PTR_ERR(data); 550 } 551 552 efi.reset_system(resetsystem.reset_type, resetsystem.status, 553 resetsystem.data_size, (efi_char16_t *)data); 554 555 kfree(data); 556 return 0; 557 } 558 559 static long efi_runtime_query_variableinfo(unsigned long arg) 560 { 561 struct efi_queryvariableinfo __user *queryvariableinfo_user; 562 struct efi_queryvariableinfo queryvariableinfo; 563 efi_status_t status; 564 u64 max_storage, remaining, max_size; 565 566 queryvariableinfo_user = (struct efi_queryvariableinfo __user *)arg; 567 568 if (copy_from_user(&queryvariableinfo, queryvariableinfo_user, 569 sizeof(queryvariableinfo))) 570 return -EFAULT; 571 572 status = efi.query_variable_info(queryvariableinfo.attributes, 573 &max_storage, &remaining, &max_size); 574 575 if (put_user(status, queryvariableinfo.status)) 576 return -EFAULT; 577 578 if (status != EFI_SUCCESS) 579 return -EINVAL; 580 581 if (put_user(max_storage, 582 queryvariableinfo.maximum_variable_storage_size)) 583 return -EFAULT; 584 585 if (put_user(remaining, 586 queryvariableinfo.remaining_variable_storage_size)) 587 return -EFAULT; 588 589 if (put_user(max_size, queryvariableinfo.maximum_variable_size)) 590 return -EFAULT; 591 592 return 0; 593 } 594 595 static long efi_runtime_query_capsulecaps(unsigned long arg) 596 { 597 struct efi_querycapsulecapabilities __user *qcaps_user; 598 struct efi_querycapsulecapabilities qcaps; 599 efi_capsule_header_t *capsules; 600 efi_status_t status; 601 u64 max_size; 602 int i, reset_type; 603 int rv = 0; 604 605 qcaps_user = (struct efi_querycapsulecapabilities __user *)arg; 606 607 if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps))) 608 return -EFAULT; 609 610 if (qcaps.capsule_count == ULONG_MAX) 611 return -EINVAL; 612 613 capsules = kcalloc(qcaps.capsule_count + 1, 614 sizeof(efi_capsule_header_t), GFP_KERNEL); 615 if (!capsules) 616 return -ENOMEM; 617 618 for (i = 0; i < qcaps.capsule_count; i++) { 619 efi_capsule_header_t *c; 620 /* 621 * We cannot dereference qcaps.capsule_header_array directly to 622 * obtain the address of the capsule as it resides in the 623 * user space 624 */ 625 if (get_user(c, qcaps.capsule_header_array + i)) { 626 rv = -EFAULT; 627 goto out; 628 } 629 if (copy_from_user(&capsules[i], c, 630 sizeof(efi_capsule_header_t))) { 631 rv = -EFAULT; 632 goto out; 633 } 634 } 635 636 qcaps.capsule_header_array = &capsules; 637 638 status = efi.query_capsule_caps((efi_capsule_header_t **) 639 qcaps.capsule_header_array, 640 qcaps.capsule_count, 641 &max_size, &reset_type); 642 643 if (put_user(status, qcaps.status)) { 644 rv = -EFAULT; 645 goto out; 646 } 647 648 if (status != EFI_SUCCESS) { 649 rv = -EINVAL; 650 goto out; 651 } 652 653 if (put_user(max_size, qcaps.maximum_capsule_size)) { 654 rv = -EFAULT; 655 goto out; 656 } 657 658 if (put_user(reset_type, qcaps.reset_type)) 659 rv = -EFAULT; 660 661 out: 662 kfree(capsules); 663 return rv; 664 } 665 666 static long efi_test_ioctl(struct file *file, unsigned int cmd, 667 unsigned long arg) 668 { 669 switch (cmd) { 670 case EFI_RUNTIME_GET_VARIABLE: 671 return efi_runtime_get_variable(arg); 672 673 case EFI_RUNTIME_SET_VARIABLE: 674 return efi_runtime_set_variable(arg); 675 676 case EFI_RUNTIME_GET_TIME: 677 return efi_runtime_get_time(arg); 678 679 case EFI_RUNTIME_SET_TIME: 680 return efi_runtime_set_time(arg); 681 682 case EFI_RUNTIME_GET_WAKETIME: 683 return efi_runtime_get_waketime(arg); 684 685 case EFI_RUNTIME_SET_WAKETIME: 686 return efi_runtime_set_waketime(arg); 687 688 case EFI_RUNTIME_GET_NEXTVARIABLENAME: 689 return efi_runtime_get_nextvariablename(arg); 690 691 case EFI_RUNTIME_GET_NEXTHIGHMONOTONICCOUNT: 692 return efi_runtime_get_nexthighmonocount(arg); 693 694 case EFI_RUNTIME_QUERY_VARIABLEINFO: 695 return efi_runtime_query_variableinfo(arg); 696 697 case EFI_RUNTIME_QUERY_CAPSULECAPABILITIES: 698 return efi_runtime_query_capsulecaps(arg); 699 700 case EFI_RUNTIME_RESET_SYSTEM: 701 return efi_runtime_reset_system(arg); 702 } 703 704 return -ENOTTY; 705 } 706 707 static int efi_test_open(struct inode *inode, struct file *file) 708 { 709 int ret = security_locked_down(LOCKDOWN_EFI_TEST); 710 711 if (ret) 712 return ret; 713 714 if (!capable(CAP_SYS_ADMIN)) 715 return -EACCES; 716 /* 717 * nothing special to do here 718 * We do accept multiple open files at the same time as we 719 * synchronize on the per call operation. 720 */ 721 return 0; 722 } 723 724 static int efi_test_close(struct inode *inode, struct file *file) 725 { 726 return 0; 727 } 728 729 /* 730 * The various file operations we support. 731 */ 732 static const struct file_operations efi_test_fops = { 733 .owner = THIS_MODULE, 734 .unlocked_ioctl = efi_test_ioctl, 735 .open = efi_test_open, 736 .release = efi_test_close, 737 .llseek = no_llseek, 738 }; 739 740 static struct miscdevice efi_test_dev = { 741 MISC_DYNAMIC_MINOR, 742 "efi_test", 743 &efi_test_fops 744 }; 745 746 static int __init efi_test_init(void) 747 { 748 int ret; 749 750 ret = misc_register(&efi_test_dev); 751 if (ret) { 752 pr_err("efi_test: can't misc_register on minor=%d\n", 753 MISC_DYNAMIC_MINOR); 754 return ret; 755 } 756 757 return 0; 758 } 759 760 static void __exit efi_test_exit(void) 761 { 762 misc_deregister(&efi_test_dev); 763 } 764 765 module_init(efi_test_init); 766 module_exit(efi_test_exit); 767