1 /* 2 * EFI Test Driver for Runtime Services 3 * 4 * Copyright(C) 2012-2016 Canonical Ltd. 5 * 6 * This driver exports EFI runtime services interfaces into userspace, which 7 * allow to use and test UEFI runtime services provided by firmware. 8 * 9 */ 10 11 #include <linux/miscdevice.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/proc_fs.h> 15 #include <linux/efi.h> 16 #include <linux/slab.h> 17 #include <linux/uaccess.h> 18 19 #include "efi_test.h" 20 21 MODULE_AUTHOR("Ivan Hu <ivan.hu@canonical.com>"); 22 MODULE_DESCRIPTION("EFI Test Driver"); 23 MODULE_LICENSE("GPL"); 24 25 /* 26 * Count the bytes in 'str', including the terminating NULL. 27 * 28 * Note this function returns the number of *bytes*, not the number of 29 * ucs2 characters. 30 */ 31 static inline size_t user_ucs2_strsize(efi_char16_t __user *str) 32 { 33 efi_char16_t *s = str, c; 34 size_t len; 35 36 if (!str) 37 return 0; 38 39 /* Include terminating NULL */ 40 len = sizeof(efi_char16_t); 41 42 if (get_user(c, s++)) { 43 /* Can't read userspace memory for size */ 44 return 0; 45 } 46 47 while (c != 0) { 48 if (get_user(c, s++)) { 49 /* Can't read userspace memory for size */ 50 return 0; 51 } 52 len += sizeof(efi_char16_t); 53 } 54 return len; 55 } 56 57 /* 58 * Allocate a buffer and copy a ucs2 string from user space into it. 59 */ 60 static inline int 61 copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src, 62 size_t len) 63 { 64 efi_char16_t *buf; 65 66 if (!src) { 67 *dst = NULL; 68 return 0; 69 } 70 71 if (!access_ok(VERIFY_READ, src, 1)) 72 return -EFAULT; 73 74 buf = kmalloc(len, GFP_KERNEL); 75 if (!buf) { 76 *dst = NULL; 77 return -ENOMEM; 78 } 79 *dst = buf; 80 81 if (copy_from_user(*dst, src, len)) { 82 kfree(buf); 83 return -EFAULT; 84 } 85 86 return 0; 87 } 88 89 /* 90 * Count the bytes in 'str', including the terminating NULL. 91 * 92 * Just a wrap for user_ucs2_strsize 93 */ 94 static inline int 95 get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len) 96 { 97 if (!access_ok(VERIFY_READ, src, 1)) 98 return -EFAULT; 99 100 *len = user_ucs2_strsize(src); 101 if (*len == 0) 102 return -EFAULT; 103 104 return 0; 105 } 106 107 /* 108 * Calculate the required buffer allocation size and copy a ucs2 string 109 * from user space into it. 110 * 111 * This function differs from copy_ucs2_from_user_len() because it 112 * calculates the size of the buffer to allocate by taking the length of 113 * the string 'src'. 114 * 115 * If a non-zero value is returned, the caller MUST NOT access 'dst'. 116 * 117 * It is the caller's responsibility to free 'dst'. 118 */ 119 static inline int 120 copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src) 121 { 122 size_t len; 123 124 if (!access_ok(VERIFY_READ, src, 1)) 125 return -EFAULT; 126 127 len = user_ucs2_strsize(src); 128 if (len == 0) 129 return -EFAULT; 130 return copy_ucs2_from_user_len(dst, src, len); 131 } 132 133 /* 134 * Copy a ucs2 string to a user buffer. 135 * 136 * This function is a simple wrapper around copy_to_user() that does 137 * nothing if 'src' is NULL, which is useful for reducing the amount of 138 * NULL checking the caller has to do. 139 * 140 * 'len' specifies the number of bytes to copy. 141 */ 142 static inline int 143 copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len) 144 { 145 if (!src) 146 return 0; 147 148 if (!access_ok(VERIFY_WRITE, dst, 1)) 149 return -EFAULT; 150 151 return copy_to_user(dst, src, len); 152 } 153 154 static long efi_runtime_get_variable(unsigned long arg) 155 { 156 struct efi_getvariable __user *getvariable_user; 157 struct efi_getvariable getvariable; 158 unsigned long datasize = 0, prev_datasize, *dz; 159 efi_guid_t vendor_guid, *vd = NULL; 160 efi_status_t status; 161 efi_char16_t *name = NULL; 162 u32 attr, *at; 163 void *data = NULL; 164 int rv = 0; 165 166 getvariable_user = (struct efi_getvariable __user *)arg; 167 168 if (copy_from_user(&getvariable, getvariable_user, 169 sizeof(getvariable))) 170 return -EFAULT; 171 if (getvariable.data_size && 172 get_user(datasize, getvariable.data_size)) 173 return -EFAULT; 174 if (getvariable.vendor_guid) { 175 if (copy_from_user(&vendor_guid, getvariable.vendor_guid, 176 sizeof(vendor_guid))) 177 return -EFAULT; 178 vd = &vendor_guid; 179 } 180 181 if (getvariable.variable_name) { 182 rv = copy_ucs2_from_user(&name, getvariable.variable_name); 183 if (rv) 184 return rv; 185 } 186 187 at = getvariable.attributes ? &attr : NULL; 188 dz = getvariable.data_size ? &datasize : NULL; 189 190 if (getvariable.data_size && getvariable.data) { 191 data = kmalloc(datasize, GFP_KERNEL); 192 if (!data) { 193 kfree(name); 194 return -ENOMEM; 195 } 196 } 197 198 prev_datasize = datasize; 199 status = efi.get_variable(name, vd, at, dz, data); 200 kfree(name); 201 202 if (put_user(status, getvariable.status)) { 203 rv = -EFAULT; 204 goto out; 205 } 206 207 if (status != EFI_SUCCESS) { 208 if (status == EFI_BUFFER_TOO_SMALL) { 209 if (dz && put_user(datasize, getvariable.data_size)) { 210 rv = -EFAULT; 211 goto out; 212 } 213 } 214 rv = -EINVAL; 215 goto out; 216 } 217 218 if (prev_datasize < datasize) { 219 rv = -EINVAL; 220 goto out; 221 } 222 223 if (data) { 224 if (copy_to_user(getvariable.data, data, datasize)) { 225 rv = -EFAULT; 226 goto out; 227 } 228 } 229 230 if (at && put_user(attr, getvariable.attributes)) { 231 rv = -EFAULT; 232 goto out; 233 } 234 235 if (dz && put_user(datasize, getvariable.data_size)) 236 rv = -EFAULT; 237 238 out: 239 kfree(data); 240 return rv; 241 242 } 243 244 static long efi_runtime_set_variable(unsigned long arg) 245 { 246 struct efi_setvariable __user *setvariable_user; 247 struct efi_setvariable setvariable; 248 efi_guid_t vendor_guid; 249 efi_status_t status; 250 efi_char16_t *name = NULL; 251 void *data; 252 int rv = 0; 253 254 setvariable_user = (struct efi_setvariable __user *)arg; 255 256 if (copy_from_user(&setvariable, setvariable_user, sizeof(setvariable))) 257 return -EFAULT; 258 if (copy_from_user(&vendor_guid, setvariable.vendor_guid, 259 sizeof(vendor_guid))) 260 return -EFAULT; 261 262 if (setvariable.variable_name) { 263 rv = copy_ucs2_from_user(&name, setvariable.variable_name); 264 if (rv) 265 return rv; 266 } 267 268 data = memdup_user(setvariable.data, setvariable.data_size); 269 if (IS_ERR(data)) { 270 kfree(name); 271 return PTR_ERR(data); 272 } 273 274 status = efi.set_variable(name, &vendor_guid, 275 setvariable.attributes, 276 setvariable.data_size, data); 277 278 if (put_user(status, setvariable.status)) { 279 rv = -EFAULT; 280 goto out; 281 } 282 283 rv = status == EFI_SUCCESS ? 0 : -EINVAL; 284 285 out: 286 kfree(data); 287 kfree(name); 288 289 return rv; 290 } 291 292 static long efi_runtime_get_time(unsigned long arg) 293 { 294 struct efi_gettime __user *gettime_user; 295 struct efi_gettime gettime; 296 efi_status_t status; 297 efi_time_cap_t cap; 298 efi_time_t efi_time; 299 300 gettime_user = (struct efi_gettime __user *)arg; 301 if (copy_from_user(&gettime, gettime_user, sizeof(gettime))) 302 return -EFAULT; 303 304 status = efi.get_time(gettime.time ? &efi_time : NULL, 305 gettime.capabilities ? &cap : NULL); 306 307 if (put_user(status, gettime.status)) 308 return -EFAULT; 309 310 if (status != EFI_SUCCESS) 311 return -EINVAL; 312 313 if (gettime.capabilities) { 314 efi_time_cap_t __user *cap_local; 315 316 cap_local = (efi_time_cap_t *)gettime.capabilities; 317 if (put_user(cap.resolution, &(cap_local->resolution)) || 318 put_user(cap.accuracy, &(cap_local->accuracy)) || 319 put_user(cap.sets_to_zero, &(cap_local->sets_to_zero))) 320 return -EFAULT; 321 } 322 if (gettime.time) { 323 if (copy_to_user(gettime.time, &efi_time, sizeof(efi_time_t))) 324 return -EFAULT; 325 } 326 327 return 0; 328 } 329 330 static long efi_runtime_set_time(unsigned long arg) 331 { 332 struct efi_settime __user *settime_user; 333 struct efi_settime settime; 334 efi_status_t status; 335 efi_time_t efi_time; 336 337 settime_user = (struct efi_settime __user *)arg; 338 if (copy_from_user(&settime, settime_user, sizeof(settime))) 339 return -EFAULT; 340 if (copy_from_user(&efi_time, settime.time, 341 sizeof(efi_time_t))) 342 return -EFAULT; 343 status = efi.set_time(&efi_time); 344 345 if (put_user(status, settime.status)) 346 return -EFAULT; 347 348 return status == EFI_SUCCESS ? 0 : -EINVAL; 349 } 350 351 static long efi_runtime_get_waketime(unsigned long arg) 352 { 353 struct efi_getwakeuptime __user *getwakeuptime_user; 354 struct efi_getwakeuptime getwakeuptime; 355 efi_bool_t enabled, pending; 356 efi_status_t status; 357 efi_time_t efi_time; 358 359 getwakeuptime_user = (struct efi_getwakeuptime __user *)arg; 360 if (copy_from_user(&getwakeuptime, getwakeuptime_user, 361 sizeof(getwakeuptime))) 362 return -EFAULT; 363 364 status = efi.get_wakeup_time( 365 getwakeuptime.enabled ? (efi_bool_t *)&enabled : NULL, 366 getwakeuptime.pending ? (efi_bool_t *)&pending : NULL, 367 getwakeuptime.time ? &efi_time : NULL); 368 369 if (put_user(status, getwakeuptime.status)) 370 return -EFAULT; 371 372 if (status != EFI_SUCCESS) 373 return -EINVAL; 374 375 if (getwakeuptime.enabled && put_user(enabled, 376 getwakeuptime.enabled)) 377 return -EFAULT; 378 379 if (getwakeuptime.time) { 380 if (copy_to_user(getwakeuptime.time, &efi_time, 381 sizeof(efi_time_t))) 382 return -EFAULT; 383 } 384 385 return 0; 386 } 387 388 static long efi_runtime_set_waketime(unsigned long arg) 389 { 390 struct efi_setwakeuptime __user *setwakeuptime_user; 391 struct efi_setwakeuptime setwakeuptime; 392 efi_bool_t enabled; 393 efi_status_t status; 394 efi_time_t efi_time; 395 396 setwakeuptime_user = (struct efi_setwakeuptime __user *)arg; 397 398 if (copy_from_user(&setwakeuptime, setwakeuptime_user, 399 sizeof(setwakeuptime))) 400 return -EFAULT; 401 402 enabled = setwakeuptime.enabled; 403 if (setwakeuptime.time) { 404 if (copy_from_user(&efi_time, setwakeuptime.time, 405 sizeof(efi_time_t))) 406 return -EFAULT; 407 408 status = efi.set_wakeup_time(enabled, &efi_time); 409 } else 410 status = efi.set_wakeup_time(enabled, NULL); 411 412 if (put_user(status, setwakeuptime.status)) 413 return -EFAULT; 414 415 return status == EFI_SUCCESS ? 0 : -EINVAL; 416 } 417 418 static long efi_runtime_get_nextvariablename(unsigned long arg) 419 { 420 struct efi_getnextvariablename __user *getnextvariablename_user; 421 struct efi_getnextvariablename getnextvariablename; 422 unsigned long name_size, prev_name_size = 0, *ns = NULL; 423 efi_status_t status; 424 efi_guid_t *vd = NULL; 425 efi_guid_t vendor_guid; 426 efi_char16_t *name = NULL; 427 int rv = 0; 428 429 getnextvariablename_user = (struct efi_getnextvariablename __user *)arg; 430 431 if (copy_from_user(&getnextvariablename, getnextvariablename_user, 432 sizeof(getnextvariablename))) 433 return -EFAULT; 434 435 if (getnextvariablename.variable_name_size) { 436 if (get_user(name_size, getnextvariablename.variable_name_size)) 437 return -EFAULT; 438 ns = &name_size; 439 prev_name_size = name_size; 440 } 441 442 if (getnextvariablename.vendor_guid) { 443 if (copy_from_user(&vendor_guid, 444 getnextvariablename.vendor_guid, 445 sizeof(vendor_guid))) 446 return -EFAULT; 447 vd = &vendor_guid; 448 } 449 450 if (getnextvariablename.variable_name) { 451 size_t name_string_size = 0; 452 453 rv = get_ucs2_strsize_from_user( 454 getnextvariablename.variable_name, 455 &name_string_size); 456 if (rv) 457 return rv; 458 /* 459 * The name_size may be smaller than the real buffer size where 460 * variable name located in some use cases. The most typical 461 * case is passing a 0 to get the required buffer size for the 462 * 1st time call. So we need to copy the content from user 463 * space for at least the string size of variable name, or else 464 * the name passed to UEFI may not be terminated as we expected. 465 */ 466 rv = copy_ucs2_from_user_len(&name, 467 getnextvariablename.variable_name, 468 prev_name_size > name_string_size ? 469 prev_name_size : name_string_size); 470 if (rv) 471 return rv; 472 } 473 474 status = efi.get_next_variable(ns, name, vd); 475 476 if (put_user(status, getnextvariablename.status)) { 477 rv = -EFAULT; 478 goto out; 479 } 480 481 if (status != EFI_SUCCESS) { 482 if (status == EFI_BUFFER_TOO_SMALL) { 483 if (ns && put_user(*ns, 484 getnextvariablename.variable_name_size)) { 485 rv = -EFAULT; 486 goto out; 487 } 488 } 489 rv = -EINVAL; 490 goto out; 491 } 492 493 if (name) { 494 if (copy_ucs2_to_user_len(getnextvariablename.variable_name, 495 name, prev_name_size)) { 496 rv = -EFAULT; 497 goto out; 498 } 499 } 500 501 if (ns) { 502 if (put_user(*ns, getnextvariablename.variable_name_size)) { 503 rv = -EFAULT; 504 goto out; 505 } 506 } 507 508 if (vd) { 509 if (copy_to_user(getnextvariablename.vendor_guid, vd, 510 sizeof(efi_guid_t))) 511 rv = -EFAULT; 512 } 513 514 out: 515 kfree(name); 516 return rv; 517 } 518 519 static long efi_runtime_get_nexthighmonocount(unsigned long arg) 520 { 521 struct efi_getnexthighmonotoniccount __user *getnexthighmonocount_user; 522 struct efi_getnexthighmonotoniccount getnexthighmonocount; 523 efi_status_t status; 524 u32 count; 525 526 getnexthighmonocount_user = (struct 527 efi_getnexthighmonotoniccount __user *)arg; 528 529 if (copy_from_user(&getnexthighmonocount, 530 getnexthighmonocount_user, 531 sizeof(getnexthighmonocount))) 532 return -EFAULT; 533 534 status = efi.get_next_high_mono_count( 535 getnexthighmonocount.high_count ? &count : NULL); 536 537 if (put_user(status, getnexthighmonocount.status)) 538 return -EFAULT; 539 540 if (status != EFI_SUCCESS) 541 return -EINVAL; 542 543 if (getnexthighmonocount.high_count && 544 put_user(count, getnexthighmonocount.high_count)) 545 return -EFAULT; 546 547 return 0; 548 } 549 550 static long efi_runtime_query_variableinfo(unsigned long arg) 551 { 552 struct efi_queryvariableinfo __user *queryvariableinfo_user; 553 struct efi_queryvariableinfo queryvariableinfo; 554 efi_status_t status; 555 u64 max_storage, remaining, max_size; 556 557 queryvariableinfo_user = (struct efi_queryvariableinfo __user *)arg; 558 559 if (copy_from_user(&queryvariableinfo, queryvariableinfo_user, 560 sizeof(queryvariableinfo))) 561 return -EFAULT; 562 563 status = efi.query_variable_info(queryvariableinfo.attributes, 564 &max_storage, &remaining, &max_size); 565 566 if (put_user(status, queryvariableinfo.status)) 567 return -EFAULT; 568 569 if (status != EFI_SUCCESS) 570 return -EINVAL; 571 572 if (put_user(max_storage, 573 queryvariableinfo.maximum_variable_storage_size)) 574 return -EFAULT; 575 576 if (put_user(remaining, 577 queryvariableinfo.remaining_variable_storage_size)) 578 return -EFAULT; 579 580 if (put_user(max_size, queryvariableinfo.maximum_variable_size)) 581 return -EFAULT; 582 583 return 0; 584 } 585 586 static long efi_runtime_query_capsulecaps(unsigned long arg) 587 { 588 struct efi_querycapsulecapabilities __user *qcaps_user; 589 struct efi_querycapsulecapabilities qcaps; 590 efi_capsule_header_t *capsules; 591 efi_status_t status; 592 u64 max_size; 593 int i, reset_type; 594 int rv = 0; 595 596 qcaps_user = (struct efi_querycapsulecapabilities __user *)arg; 597 598 if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps))) 599 return -EFAULT; 600 601 capsules = kcalloc(qcaps.capsule_count + 1, 602 sizeof(efi_capsule_header_t), GFP_KERNEL); 603 if (!capsules) 604 return -ENOMEM; 605 606 for (i = 0; i < qcaps.capsule_count; i++) { 607 efi_capsule_header_t *c; 608 /* 609 * We cannot dereference qcaps.capsule_header_array directly to 610 * obtain the address of the capsule as it resides in the 611 * user space 612 */ 613 if (get_user(c, qcaps.capsule_header_array + i)) { 614 rv = -EFAULT; 615 goto out; 616 } 617 if (copy_from_user(&capsules[i], c, 618 sizeof(efi_capsule_header_t))) { 619 rv = -EFAULT; 620 goto out; 621 } 622 } 623 624 qcaps.capsule_header_array = &capsules; 625 626 status = efi.query_capsule_caps((efi_capsule_header_t **) 627 qcaps.capsule_header_array, 628 qcaps.capsule_count, 629 &max_size, &reset_type); 630 631 if (put_user(status, qcaps.status)) { 632 rv = -EFAULT; 633 goto out; 634 } 635 636 if (status != EFI_SUCCESS) { 637 rv = -EINVAL; 638 goto out; 639 } 640 641 if (put_user(max_size, qcaps.maximum_capsule_size)) { 642 rv = -EFAULT; 643 goto out; 644 } 645 646 if (put_user(reset_type, qcaps.reset_type)) 647 rv = -EFAULT; 648 649 out: 650 kfree(capsules); 651 return rv; 652 } 653 654 static long efi_test_ioctl(struct file *file, unsigned int cmd, 655 unsigned long arg) 656 { 657 switch (cmd) { 658 case EFI_RUNTIME_GET_VARIABLE: 659 return efi_runtime_get_variable(arg); 660 661 case EFI_RUNTIME_SET_VARIABLE: 662 return efi_runtime_set_variable(arg); 663 664 case EFI_RUNTIME_GET_TIME: 665 return efi_runtime_get_time(arg); 666 667 case EFI_RUNTIME_SET_TIME: 668 return efi_runtime_set_time(arg); 669 670 case EFI_RUNTIME_GET_WAKETIME: 671 return efi_runtime_get_waketime(arg); 672 673 case EFI_RUNTIME_SET_WAKETIME: 674 return efi_runtime_set_waketime(arg); 675 676 case EFI_RUNTIME_GET_NEXTVARIABLENAME: 677 return efi_runtime_get_nextvariablename(arg); 678 679 case EFI_RUNTIME_GET_NEXTHIGHMONOTONICCOUNT: 680 return efi_runtime_get_nexthighmonocount(arg); 681 682 case EFI_RUNTIME_QUERY_VARIABLEINFO: 683 return efi_runtime_query_variableinfo(arg); 684 685 case EFI_RUNTIME_QUERY_CAPSULECAPABILITIES: 686 return efi_runtime_query_capsulecaps(arg); 687 } 688 689 return -ENOTTY; 690 } 691 692 static int efi_test_open(struct inode *inode, struct file *file) 693 { 694 /* 695 * nothing special to do here 696 * We do accept multiple open files at the same time as we 697 * synchronize on the per call operation. 698 */ 699 return 0; 700 } 701 702 static int efi_test_close(struct inode *inode, struct file *file) 703 { 704 return 0; 705 } 706 707 /* 708 * The various file operations we support. 709 */ 710 static const struct file_operations efi_test_fops = { 711 .owner = THIS_MODULE, 712 .unlocked_ioctl = efi_test_ioctl, 713 .open = efi_test_open, 714 .release = efi_test_close, 715 .llseek = no_llseek, 716 }; 717 718 static struct miscdevice efi_test_dev = { 719 MISC_DYNAMIC_MINOR, 720 "efi_test", 721 &efi_test_fops 722 }; 723 724 static int __init efi_test_init(void) 725 { 726 int ret; 727 728 ret = misc_register(&efi_test_dev); 729 if (ret) { 730 pr_err("efi_test: can't misc_register on minor=%d\n", 731 MISC_DYNAMIC_MINOR); 732 return ret; 733 } 734 735 return 0; 736 } 737 738 static void __exit efi_test_exit(void) 739 { 740 misc_deregister(&efi_test_dev); 741 } 742 743 module_init(efi_test_init); 744 module_exit(efi_test_exit); 745