Loading...
1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * Originally from efivars.c
4 *
5 * Copyright (C) 2001,2003,2004 Dell <Matt_Domsch@dell.com>
6 * Copyright (C) 2004 Intel Corporation <matthew.e.tolentino@intel.com>
7 */
8
9#include <linux/capability.h>
10#include <linux/types.h>
11#include <linux/errno.h>
12#include <linux/init.h>
13#include <linux/mm.h>
14#include <linux/module.h>
15#include <linux/string.h>
16#include <linux/smp.h>
17#include <linux/efi.h>
18#include <linux/device.h>
19#include <linux/slab.h>
20#include <linux/ctype.h>
21#include <linux/ucs2_string.h>
22
23#include "internal.h"
24
25MODULE_IMPORT_NS("EFIVAR");
26
27static bool
28validate_device_path(efi_char16_t *var_name, int match, u8 *buffer,
29 unsigned long len)
30{
31 struct efi_generic_dev_path *node;
32 int offset = 0;
33
34 node = (struct efi_generic_dev_path *)buffer;
35
36 if (len < sizeof(*node))
37 return false;
38
39 while (offset <= len - sizeof(*node) &&
40 node->length >= sizeof(*node) &&
41 node->length <= len - offset) {
42 offset += node->length;
43
44 if ((node->type == EFI_DEV_END_PATH ||
45 node->type == EFI_DEV_END_PATH2) &&
46 node->sub_type == EFI_DEV_END_ENTIRE)
47 return true;
48
49 node = (struct efi_generic_dev_path *)(buffer + offset);
50 }
51
52 /*
53 * If we're here then either node->length pointed past the end
54 * of the buffer or we reached the end of the buffer without
55 * finding a device path end node.
56 */
57 return false;
58}
59
60static bool
61validate_boot_order(efi_char16_t *var_name, int match, u8 *buffer,
62 unsigned long len)
63{
64 /* An array of 16-bit integers */
65 if ((len % 2) != 0)
66 return false;
67
68 return true;
69}
70
71static bool
72validate_load_option(efi_char16_t *var_name, int match, u8 *buffer,
73 unsigned long len)
74{
75 u16 filepathlength;
76 int i, desclength = 0, namelen;
77
78 namelen = ucs2_strnlen(var_name, EFI_VAR_NAME_LEN);
79
80 /* Either "Boot" or "Driver" followed by four digits of hex */
81 for (i = match; i < match+4; i++) {
82 if (var_name[i] > 127 ||
83 hex_to_bin(var_name[i] & 0xff) < 0)
84 return true;
85 }
86
87 /* Reject it if there's 4 digits of hex and then further content */
88 if (namelen > match + 4)
89 return false;
90
91 /* A valid entry must be at least 8 bytes */
92 if (len < 8)
93 return false;
94
95 filepathlength = buffer[4] | buffer[5] << 8;
96
97 /*
98 * There's no stored length for the description, so it has to be
99 * found by hand
100 */
101 desclength = ucs2_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
102
103 /* Each boot entry must have a descriptor */
104 if (!desclength)
105 return false;
106
107 /*
108 * If the sum of the length of the description, the claimed filepath
109 * length and the original header are greater than the length of the
110 * variable, it's malformed
111 */
112 if ((desclength + filepathlength + 6) > len)
113 return false;
114
115 /*
116 * And, finally, check the filepath
117 */
118 return validate_device_path(var_name, match, buffer + desclength + 6,
119 filepathlength);
120}
121
122static bool
123validate_uint16(efi_char16_t *var_name, int match, u8 *buffer,
124 unsigned long len)
125{
126 /* A single 16-bit integer */
127 if (len != 2)
128 return false;
129
130 return true;
131}
132
133static bool
134validate_ascii_string(efi_char16_t *var_name, int match, u8 *buffer,
135 unsigned long len)
136{
137 int i;
138
139 for (i = 0; i < len; i++) {
140 if (buffer[i] > 127)
141 return false;
142
143 if (buffer[i] == 0)
144 return true;
145 }
146
147 return false;
148}
149
150struct variable_validate {
151 efi_guid_t vendor;
152 char *name;
153 bool (*validate)(efi_char16_t *var_name, int match, u8 *data,
154 unsigned long len);
155};
156
157/*
158 * This is the list of variables we need to validate, as well as the
159 * whitelist for what we think is safe not to default to immutable.
160 *
161 * If it has a validate() method that's not NULL, it'll go into the
162 * validation routine. If not, it is assumed valid, but still used for
163 * whitelisting.
164 *
165 * Note that it's sorted by {vendor,name}, but globbed names must come after
166 * any other name with the same prefix.
167 */
168static const struct variable_validate variable_validate[] = {
169 { EFI_GLOBAL_VARIABLE_GUID, "BootNext", validate_uint16 },
170 { EFI_GLOBAL_VARIABLE_GUID, "BootOrder", validate_boot_order },
171 { EFI_GLOBAL_VARIABLE_GUID, "Boot*", validate_load_option },
172 { EFI_GLOBAL_VARIABLE_GUID, "DriverOrder", validate_boot_order },
173 { EFI_GLOBAL_VARIABLE_GUID, "Driver*", validate_load_option },
174 { EFI_GLOBAL_VARIABLE_GUID, "ConIn", validate_device_path },
175 { EFI_GLOBAL_VARIABLE_GUID, "ConInDev", validate_device_path },
176 { EFI_GLOBAL_VARIABLE_GUID, "ConOut", validate_device_path },
177 { EFI_GLOBAL_VARIABLE_GUID, "ConOutDev", validate_device_path },
178 { EFI_GLOBAL_VARIABLE_GUID, "ErrOut", validate_device_path },
179 { EFI_GLOBAL_VARIABLE_GUID, "ErrOutDev", validate_device_path },
180 { EFI_GLOBAL_VARIABLE_GUID, "Lang", validate_ascii_string },
181 { EFI_GLOBAL_VARIABLE_GUID, "OsIndications", NULL },
182 { EFI_GLOBAL_VARIABLE_GUID, "PlatformLang", validate_ascii_string },
183 { EFI_GLOBAL_VARIABLE_GUID, "Timeout", validate_uint16 },
184 { LINUX_EFI_CRASH_GUID, "*", NULL },
185 { NULL_GUID, "", NULL },
186};
187
188/*
189 * Check if @var_name matches the pattern given in @match_name.
190 *
191 * @var_name: an array of @len non-NUL characters.
192 * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
193 * final "*" character matches any trailing characters @var_name,
194 * including the case when there are none left in @var_name.
195 * @match: on output, the number of non-wildcard characters in @match_name
196 * that @var_name matches, regardless of the return value.
197 * @return: whether @var_name fully matches @match_name.
198 */
199static bool
200variable_matches(const char *var_name, size_t len, const char *match_name,
201 int *match)
202{
203 for (*match = 0; ; (*match)++) {
204 char c = match_name[*match];
205
206 switch (c) {
207 case '*':
208 /* Wildcard in @match_name means we've matched. */
209 return true;
210
211 case '\0':
212 /* @match_name has ended. Has @var_name too? */
213 return (*match == len);
214
215 default:
216 /*
217 * We've reached a non-wildcard char in @match_name.
218 * Continue only if there's an identical character in
219 * @var_name.
220 */
221 if (*match < len && c == var_name[*match])
222 continue;
223 return false;
224 }
225 }
226}
227
228bool
229efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data,
230 unsigned long data_size)
231{
232 int i;
233 unsigned long utf8_size;
234 u8 *utf8_name;
235
236 utf8_size = ucs2_utf8size(var_name);
237 utf8_name = kmalloc(utf8_size + 1, GFP_KERNEL);
238 if (!utf8_name)
239 return false;
240
241 ucs2_as_utf8(utf8_name, var_name, utf8_size);
242 utf8_name[utf8_size] = '\0';
243
244 for (i = 0; variable_validate[i].name[0] != '\0'; i++) {
245 const char *name = variable_validate[i].name;
246 int match = 0;
247
248 if (efi_guidcmp(vendor, variable_validate[i].vendor))
249 continue;
250
251 if (variable_matches(utf8_name, utf8_size+1, name, &match)) {
252 if (variable_validate[i].validate == NULL)
253 break;
254 kfree(utf8_name);
255 return variable_validate[i].validate(var_name, match,
256 data, data_size);
257 }
258 }
259 kfree(utf8_name);
260 return true;
261}
262
263bool
264efivar_variable_is_removable(efi_guid_t vendor, const char *var_name,
265 size_t len)
266{
267 int i;
268 bool found = false;
269 int match = 0;
270
271 /*
272 * Check if our variable is in the validated variables list
273 */
274 for (i = 0; variable_validate[i].name[0] != '\0'; i++) {
275 if (efi_guidcmp(variable_validate[i].vendor, vendor))
276 continue;
277
278 if (variable_matches(var_name, len,
279 variable_validate[i].name, &match)) {
280 found = true;
281 break;
282 }
283 }
284
285 /*
286 * If it's in our list, it is removable.
287 */
288 return found;
289}
290
291static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor,
292 struct list_head *head)
293{
294 struct efivar_entry *entry, *n;
295 unsigned long strsize1, strsize2;
296 bool found = false;
297
298 strsize1 = ucs2_strsize(variable_name, EFI_VAR_NAME_LEN);
299 list_for_each_entry_safe(entry, n, head, list) {
300 strsize2 = ucs2_strsize(entry->var.VariableName, EFI_VAR_NAME_LEN);
301 if (strsize1 == strsize2 &&
302 !memcmp(variable_name, &(entry->var.VariableName),
303 strsize2) &&
304 !efi_guidcmp(entry->var.VendorGuid,
305 *vendor)) {
306 found = true;
307 break;
308 }
309 }
310 return found;
311}
312
313/*
314 * Returns the size of variable_name, in bytes, including the
315 * terminating NULL character, or variable_name_size if no NULL
316 * character is found among the first variable_name_size bytes.
317 */
318static unsigned long var_name_strnsize(efi_char16_t *variable_name,
319 unsigned long variable_name_size)
320{
321 unsigned long len;
322 efi_char16_t c;
323
324 /*
325 * The variable name is, by definition, a NULL-terminated
326 * string, so make absolutely sure that variable_name_size is
327 * the value we expect it to be. If not, return the real size.
328 */
329 for (len = 2; len <= variable_name_size; len += sizeof(c)) {
330 c = variable_name[(len / sizeof(c)) - 1];
331 if (!c)
332 break;
333 }
334
335 return min(len, variable_name_size);
336}
337
338/*
339 * Print a warning when duplicate EFI variables are encountered and
340 * disable the sysfs workqueue since the firmware is buggy.
341 */
342static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid,
343 unsigned long len16)
344{
345 size_t i, len8 = len16 / sizeof(efi_char16_t);
346 char *str8;
347
348 str8 = kzalloc(len8, GFP_KERNEL);
349 if (!str8)
350 return;
351
352 for (i = 0; i < len8; i++)
353 str8[i] = str16[i];
354
355 printk(KERN_WARNING "efivars: duplicate variable: %s-%pUl\n",
356 str8, vendor_guid);
357 kfree(str8);
358}
359
360/**
361 * efivar_init - build the initial list of EFI variables
362 * @func: callback function to invoke for every variable
363 * @data: function-specific data to pass to @func
364 * @head: initialised head of variable list
365 *
366 * Get every EFI variable from the firmware and invoke @func. @func
367 * should call efivar_entry_add() to build the list of variables.
368 *
369 * Returns 0 on success, or a kernel error code on failure.
370 */
371int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *,
372 struct list_head *),
373 void *data, struct list_head *head)
374{
375 unsigned long variable_name_size = 512;
376 efi_char16_t *variable_name;
377 efi_status_t status;
378 efi_guid_t vendor_guid;
379 int err = 0;
380
381 variable_name = kzalloc(variable_name_size, GFP_KERNEL);
382 if (!variable_name) {
383 printk(KERN_ERR "efivars: Memory allocation failed.\n");
384 return -ENOMEM;
385 }
386
387 err = efivar_lock();
388 if (err)
389 goto free;
390
391 /*
392 * A small set of old UEFI implementations reject sizes
393 * above a certain threshold, the lowest seen in the wild
394 * is 512.
395 */
396
397 do {
398 variable_name_size = 512;
399 BUILD_BUG_ON(EFI_VAR_NAME_LEN < 512);
400
401 status = efivar_get_next_variable(&variable_name_size,
402 variable_name,
403 &vendor_guid);
404 switch (status) {
405 case EFI_SUCCESS:
406 variable_name_size = var_name_strnsize(variable_name,
407 variable_name_size);
408
409 /*
410 * Some firmware implementations return the
411 * same variable name on multiple calls to
412 * get_next_variable(). Terminate the loop
413 * immediately as there is no guarantee that
414 * we'll ever see a different variable name,
415 * and may end up looping here forever.
416 */
417 if (variable_is_present(variable_name, &vendor_guid,
418 head)) {
419 dup_variable_bug(variable_name, &vendor_guid,
420 variable_name_size);
421 status = EFI_NOT_FOUND;
422 } else {
423 err = func(variable_name, vendor_guid,
424 variable_name_size, data, head);
425 if (err)
426 status = EFI_NOT_FOUND;
427 }
428 break;
429 case EFI_UNSUPPORTED:
430 err = -EOPNOTSUPP;
431 status = EFI_NOT_FOUND;
432 break;
433 case EFI_NOT_FOUND:
434 break;
435 case EFI_BUFFER_TOO_SMALL:
436 pr_warn("efivars: Variable name size exceeds maximum (%lu > 512)\n",
437 variable_name_size);
438 status = EFI_NOT_FOUND;
439 break;
440 default:
441 pr_warn("efivars: get_next_variable: status=%lx\n", status);
442 status = EFI_NOT_FOUND;
443 break;
444 }
445
446 } while (status != EFI_NOT_FOUND);
447
448 efivar_unlock();
449free:
450 kfree(variable_name);
451
452 return err;
453}
454
455/**
456 * efivar_entry_add - add entry to variable list
457 * @entry: entry to add to list
458 * @head: list head
459 *
460 * Returns 0 on success, or a kernel error code on failure.
461 */
462int efivar_entry_add(struct efivar_entry *entry, struct list_head *head)
463{
464 int err;
465
466 err = efivar_lock();
467 if (err)
468 return err;
469 list_add(&entry->list, head);
470 efivar_unlock();
471
472 return 0;
473}
474
475/**
476 * __efivar_entry_add - add entry to variable list
477 * @entry: entry to add to list
478 * @head: list head
479 */
480void __efivar_entry_add(struct efivar_entry *entry, struct list_head *head)
481{
482 list_add(&entry->list, head);
483}
484
485/**
486 * efivar_entry_remove - remove entry from variable list
487 * @entry: entry to remove from list
488 *
489 * Returns 0 on success, or a kernel error code on failure.
490 */
491void efivar_entry_remove(struct efivar_entry *entry)
492{
493 list_del(&entry->list);
494}
495
496/*
497 * efivar_entry_list_del_unlock - remove entry from variable list
498 * @entry: entry to remove
499 *
500 * Remove @entry from the variable list and release the list lock.
501 *
502 * NOTE: slightly weird locking semantics here - we expect to be
503 * called with the efivars lock already held, and we release it before
504 * returning. This is because this function is usually called after
505 * set_variable() while the lock is still held.
506 */
507static void efivar_entry_list_del_unlock(struct efivar_entry *entry)
508{
509 list_del(&entry->list);
510 efivar_unlock();
511}
512
513/**
514 * efivar_entry_delete - delete variable and remove entry from list
515 * @entry: entry containing variable to delete
516 *
517 * Delete the variable from the firmware and remove @entry from the
518 * variable list. It is the caller's responsibility to free @entry
519 * once we return.
520 *
521 * Returns 0 on success, -EINTR if we can't grab the semaphore,
522 * converted EFI status code if set_variable() fails.
523 */
524int efivar_entry_delete(struct efivar_entry *entry)
525{
526 efi_status_t status;
527 int err;
528
529 err = efivar_lock();
530 if (err)
531 return err;
532
533 status = efivar_set_variable_locked(entry->var.VariableName,
534 &entry->var.VendorGuid,
535 0, 0, NULL, false);
536 if (!(status == EFI_SUCCESS || status == EFI_NOT_FOUND)) {
537 efivar_unlock();
538 return efi_status_to_err(status);
539 }
540
541 efivar_entry_list_del_unlock(entry);
542 return 0;
543}
544
545/**
546 * efivar_entry_size - obtain the size of a variable
547 * @entry: entry for this variable
548 * @size: location to store the variable's size
549 */
550int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
551{
552 efi_status_t status;
553 int err;
554
555 *size = 0;
556
557 err = efivar_lock();
558 if (err)
559 return err;
560
561 status = efivar_get_variable(entry->var.VariableName,
562 &entry->var.VendorGuid, NULL, size, NULL);
563 efivar_unlock();
564
565 if (status != EFI_BUFFER_TOO_SMALL)
566 return efi_status_to_err(status);
567
568 return 0;
569}
570
571/**
572 * __efivar_entry_get - call get_variable()
573 * @entry: read data for this variable
574 * @attributes: variable attributes
575 * @size: size of @data buffer
576 * @data: buffer to store variable data
577 *
578 * The caller MUST call efivar_entry_iter_begin() and
579 * efivar_entry_iter_end() before and after the invocation of this
580 * function, respectively.
581 */
582int __efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
583 unsigned long *size, void *data)
584{
585 efi_status_t status;
586
587 status = efivar_get_variable(entry->var.VariableName,
588 &entry->var.VendorGuid,
589 attributes, size, data);
590
591 return efi_status_to_err(status);
592}
593
594/**
595 * efivar_entry_get - call get_variable()
596 * @entry: read data for this variable
597 * @attributes: variable attributes
598 * @size: size of @data buffer
599 * @data: buffer to store variable data
600 */
601int efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
602 unsigned long *size, void *data)
603{
604 int err;
605
606 err = efivar_lock();
607 if (err)
608 return err;
609 err = __efivar_entry_get(entry, attributes, size, data);
610 efivar_unlock();
611
612 return 0;
613}
614
615/**
616 * efivar_entry_set_get_size - call set_variable() and get new size (atomic)
617 * @entry: entry containing variable to set and get
618 * @attributes: attributes of variable to be written
619 * @size: size of data buffer
620 * @data: buffer containing data to write
621 * @set: did the set_variable() call succeed?
622 *
623 * This is a pretty special (complex) function. See efivarfs_file_write().
624 *
625 * Atomically call set_variable() for @entry and if the call is
626 * successful, return the new size of the variable from get_variable()
627 * in @size. The success of set_variable() is indicated by @set.
628 *
629 * Returns 0 on success, -EINVAL if the variable data is invalid,
630 * -ENOSPC if the firmware does not have enough available space, or a
631 * converted EFI status code if either of set_variable() or
632 * get_variable() fail.
633 *
634 * If the EFI variable does not exist when calling set_variable()
635 * (EFI_NOT_FOUND), @entry is removed from the variable list.
636 */
637int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
638 unsigned long *size, void *data, bool *set)
639{
640 efi_char16_t *name = entry->var.VariableName;
641 efi_guid_t *vendor = &entry->var.VendorGuid;
642 efi_status_t status;
643 int err;
644
645 *set = false;
646
647 if (efivar_validate(*vendor, name, data, *size) == false)
648 return -EINVAL;
649
650 /*
651 * The lock here protects the get_variable call, the conditional
652 * set_variable call, and removal of the variable from the efivars
653 * list (in the case of an authenticated delete).
654 */
655 err = efivar_lock();
656 if (err)
657 return err;
658
659 status = efivar_set_variable_locked(name, vendor, attributes, *size,
660 data, false);
661 if (status != EFI_SUCCESS) {
662 err = efi_status_to_err(status);
663 goto out;
664 }
665
666 *set = true;
667
668 /*
669 * Writing to the variable may have caused a change in size (which
670 * could either be an append or an overwrite), or the variable to be
671 * deleted. Perform a GetVariable() so we can tell what actually
672 * happened.
673 */
674 *size = 0;
675 status = efivar_get_variable(entry->var.VariableName,
676 &entry->var.VendorGuid,
677 NULL, size, NULL);
678
679 if (status == EFI_NOT_FOUND)
680 efivar_entry_list_del_unlock(entry);
681 else
682 efivar_unlock();
683
684 if (status && status != EFI_BUFFER_TOO_SMALL)
685 return efi_status_to_err(status);
686
687 return 0;
688
689out:
690 efivar_unlock();
691 return err;
692
693}
694
695/**
696 * efivar_entry_iter - iterate over variable list
697 * @func: callback function
698 * @head: head of variable list
699 * @data: function-specific data to pass to callback
700 *
701 * Iterate over the list of EFI variables and call @func with every
702 * entry on the list. It is safe for @func to remove entries in the
703 * list via efivar_entry_delete() while iterating.
704 *
705 * Some notes for the callback function:
706 * - a non-zero return value indicates an error and terminates the loop
707 * - @func is called from atomic context
708 */
709int efivar_entry_iter(int (*func)(struct efivar_entry *, void *),
710 struct list_head *head, void *data)
711{
712 struct efivar_entry *entry, *n;
713 int err = 0;
714
715 err = efivar_lock();
716 if (err)
717 return err;
718
719 list_for_each_entry_safe(entry, n, head, list) {
720 err = func(entry, data);
721 if (err)
722 break;
723 }
724 efivar_unlock();
725
726 return err;
727}
1// SPDX-License-Identifier: GPL-2.0+
2/*
3 * Originally from efivars.c
4 *
5 * Copyright (C) 2001,2003,2004 Dell <Matt_Domsch@dell.com>
6 * Copyright (C) 2004 Intel Corporation <matthew.e.tolentino@intel.com>
7 */
8
9#include <linux/capability.h>
10#include <linux/types.h>
11#include <linux/errno.h>
12#include <linux/init.h>
13#include <linux/mm.h>
14#include <linux/module.h>
15#include <linux/string.h>
16#include <linux/smp.h>
17#include <linux/efi.h>
18#include <linux/device.h>
19#include <linux/slab.h>
20#include <linux/ctype.h>
21#include <linux/ucs2_string.h>
22
23#include "internal.h"
24
25MODULE_IMPORT_NS(EFIVAR);
26
27static bool
28validate_device_path(efi_char16_t *var_name, int match, u8 *buffer,
29 unsigned long len)
30{
31 struct efi_generic_dev_path *node;
32 int offset = 0;
33
34 node = (struct efi_generic_dev_path *)buffer;
35
36 if (len < sizeof(*node))
37 return false;
38
39 while (offset <= len - sizeof(*node) &&
40 node->length >= sizeof(*node) &&
41 node->length <= len - offset) {
42 offset += node->length;
43
44 if ((node->type == EFI_DEV_END_PATH ||
45 node->type == EFI_DEV_END_PATH2) &&
46 node->sub_type == EFI_DEV_END_ENTIRE)
47 return true;
48
49 node = (struct efi_generic_dev_path *)(buffer + offset);
50 }
51
52 /*
53 * If we're here then either node->length pointed past the end
54 * of the buffer or we reached the end of the buffer without
55 * finding a device path end node.
56 */
57 return false;
58}
59
60static bool
61validate_boot_order(efi_char16_t *var_name, int match, u8 *buffer,
62 unsigned long len)
63{
64 /* An array of 16-bit integers */
65 if ((len % 2) != 0)
66 return false;
67
68 return true;
69}
70
71static bool
72validate_load_option(efi_char16_t *var_name, int match, u8 *buffer,
73 unsigned long len)
74{
75 u16 filepathlength;
76 int i, desclength = 0, namelen;
77
78 namelen = ucs2_strnlen(var_name, EFI_VAR_NAME_LEN);
79
80 /* Either "Boot" or "Driver" followed by four digits of hex */
81 for (i = match; i < match+4; i++) {
82 if (var_name[i] > 127 ||
83 hex_to_bin(var_name[i] & 0xff) < 0)
84 return true;
85 }
86
87 /* Reject it if there's 4 digits of hex and then further content */
88 if (namelen > match + 4)
89 return false;
90
91 /* A valid entry must be at least 8 bytes */
92 if (len < 8)
93 return false;
94
95 filepathlength = buffer[4] | buffer[5] << 8;
96
97 /*
98 * There's no stored length for the description, so it has to be
99 * found by hand
100 */
101 desclength = ucs2_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
102
103 /* Each boot entry must have a descriptor */
104 if (!desclength)
105 return false;
106
107 /*
108 * If the sum of the length of the description, the claimed filepath
109 * length and the original header are greater than the length of the
110 * variable, it's malformed
111 */
112 if ((desclength + filepathlength + 6) > len)
113 return false;
114
115 /*
116 * And, finally, check the filepath
117 */
118 return validate_device_path(var_name, match, buffer + desclength + 6,
119 filepathlength);
120}
121
122static bool
123validate_uint16(efi_char16_t *var_name, int match, u8 *buffer,
124 unsigned long len)
125{
126 /* A single 16-bit integer */
127 if (len != 2)
128 return false;
129
130 return true;
131}
132
133static bool
134validate_ascii_string(efi_char16_t *var_name, int match, u8 *buffer,
135 unsigned long len)
136{
137 int i;
138
139 for (i = 0; i < len; i++) {
140 if (buffer[i] > 127)
141 return false;
142
143 if (buffer[i] == 0)
144 return true;
145 }
146
147 return false;
148}
149
150struct variable_validate {
151 efi_guid_t vendor;
152 char *name;
153 bool (*validate)(efi_char16_t *var_name, int match, u8 *data,
154 unsigned long len);
155};
156
157/*
158 * This is the list of variables we need to validate, as well as the
159 * whitelist for what we think is safe not to default to immutable.
160 *
161 * If it has a validate() method that's not NULL, it'll go into the
162 * validation routine. If not, it is assumed valid, but still used for
163 * whitelisting.
164 *
165 * Note that it's sorted by {vendor,name}, but globbed names must come after
166 * any other name with the same prefix.
167 */
168static const struct variable_validate variable_validate[] = {
169 { EFI_GLOBAL_VARIABLE_GUID, "BootNext", validate_uint16 },
170 { EFI_GLOBAL_VARIABLE_GUID, "BootOrder", validate_boot_order },
171 { EFI_GLOBAL_VARIABLE_GUID, "Boot*", validate_load_option },
172 { EFI_GLOBAL_VARIABLE_GUID, "DriverOrder", validate_boot_order },
173 { EFI_GLOBAL_VARIABLE_GUID, "Driver*", validate_load_option },
174 { EFI_GLOBAL_VARIABLE_GUID, "ConIn", validate_device_path },
175 { EFI_GLOBAL_VARIABLE_GUID, "ConInDev", validate_device_path },
176 { EFI_GLOBAL_VARIABLE_GUID, "ConOut", validate_device_path },
177 { EFI_GLOBAL_VARIABLE_GUID, "ConOutDev", validate_device_path },
178 { EFI_GLOBAL_VARIABLE_GUID, "ErrOut", validate_device_path },
179 { EFI_GLOBAL_VARIABLE_GUID, "ErrOutDev", validate_device_path },
180 { EFI_GLOBAL_VARIABLE_GUID, "Lang", validate_ascii_string },
181 { EFI_GLOBAL_VARIABLE_GUID, "OsIndications", NULL },
182 { EFI_GLOBAL_VARIABLE_GUID, "PlatformLang", validate_ascii_string },
183 { EFI_GLOBAL_VARIABLE_GUID, "Timeout", validate_uint16 },
184 { LINUX_EFI_CRASH_GUID, "*", NULL },
185 { NULL_GUID, "", NULL },
186};
187
188/*
189 * Check if @var_name matches the pattern given in @match_name.
190 *
191 * @var_name: an array of @len non-NUL characters.
192 * @match_name: a NUL-terminated pattern string, optionally ending in "*". A
193 * final "*" character matches any trailing characters @var_name,
194 * including the case when there are none left in @var_name.
195 * @match: on output, the number of non-wildcard characters in @match_name
196 * that @var_name matches, regardless of the return value.
197 * @return: whether @var_name fully matches @match_name.
198 */
199static bool
200variable_matches(const char *var_name, size_t len, const char *match_name,
201 int *match)
202{
203 for (*match = 0; ; (*match)++) {
204 char c = match_name[*match];
205
206 switch (c) {
207 case '*':
208 /* Wildcard in @match_name means we've matched. */
209 return true;
210
211 case '\0':
212 /* @match_name has ended. Has @var_name too? */
213 return (*match == len);
214
215 default:
216 /*
217 * We've reached a non-wildcard char in @match_name.
218 * Continue only if there's an identical character in
219 * @var_name.
220 */
221 if (*match < len && c == var_name[*match])
222 continue;
223 return false;
224 }
225 }
226}
227
228bool
229efivar_validate(efi_guid_t vendor, efi_char16_t *var_name, u8 *data,
230 unsigned long data_size)
231{
232 int i;
233 unsigned long utf8_size;
234 u8 *utf8_name;
235
236 utf8_size = ucs2_utf8size(var_name);
237 utf8_name = kmalloc(utf8_size + 1, GFP_KERNEL);
238 if (!utf8_name)
239 return false;
240
241 ucs2_as_utf8(utf8_name, var_name, utf8_size);
242 utf8_name[utf8_size] = '\0';
243
244 for (i = 0; variable_validate[i].name[0] != '\0'; i++) {
245 const char *name = variable_validate[i].name;
246 int match = 0;
247
248 if (efi_guidcmp(vendor, variable_validate[i].vendor))
249 continue;
250
251 if (variable_matches(utf8_name, utf8_size+1, name, &match)) {
252 if (variable_validate[i].validate == NULL)
253 break;
254 kfree(utf8_name);
255 return variable_validate[i].validate(var_name, match,
256 data, data_size);
257 }
258 }
259 kfree(utf8_name);
260 return true;
261}
262
263bool
264efivar_variable_is_removable(efi_guid_t vendor, const char *var_name,
265 size_t len)
266{
267 int i;
268 bool found = false;
269 int match = 0;
270
271 /*
272 * Check if our variable is in the validated variables list
273 */
274 for (i = 0; variable_validate[i].name[0] != '\0'; i++) {
275 if (efi_guidcmp(variable_validate[i].vendor, vendor))
276 continue;
277
278 if (variable_matches(var_name, len,
279 variable_validate[i].name, &match)) {
280 found = true;
281 break;
282 }
283 }
284
285 /*
286 * If it's in our list, it is removable.
287 */
288 return found;
289}
290
291static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor,
292 struct list_head *head)
293{
294 struct efivar_entry *entry, *n;
295 unsigned long strsize1, strsize2;
296 bool found = false;
297
298 strsize1 = ucs2_strsize(variable_name, 1024);
299 list_for_each_entry_safe(entry, n, head, list) {
300 strsize2 = ucs2_strsize(entry->var.VariableName, 1024);
301 if (strsize1 == strsize2 &&
302 !memcmp(variable_name, &(entry->var.VariableName),
303 strsize2) &&
304 !efi_guidcmp(entry->var.VendorGuid,
305 *vendor)) {
306 found = true;
307 break;
308 }
309 }
310 return found;
311}
312
313/*
314 * Returns the size of variable_name, in bytes, including the
315 * terminating NULL character, or variable_name_size if no NULL
316 * character is found among the first variable_name_size bytes.
317 */
318static unsigned long var_name_strnsize(efi_char16_t *variable_name,
319 unsigned long variable_name_size)
320{
321 unsigned long len;
322 efi_char16_t c;
323
324 /*
325 * The variable name is, by definition, a NULL-terminated
326 * string, so make absolutely sure that variable_name_size is
327 * the value we expect it to be. If not, return the real size.
328 */
329 for (len = 2; len <= variable_name_size; len += sizeof(c)) {
330 c = variable_name[(len / sizeof(c)) - 1];
331 if (!c)
332 break;
333 }
334
335 return min(len, variable_name_size);
336}
337
338/*
339 * Print a warning when duplicate EFI variables are encountered and
340 * disable the sysfs workqueue since the firmware is buggy.
341 */
342static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid,
343 unsigned long len16)
344{
345 size_t i, len8 = len16 / sizeof(efi_char16_t);
346 char *str8;
347
348 str8 = kzalloc(len8, GFP_KERNEL);
349 if (!str8)
350 return;
351
352 for (i = 0; i < len8; i++)
353 str8[i] = str16[i];
354
355 printk(KERN_WARNING "efivars: duplicate variable: %s-%pUl\n",
356 str8, vendor_guid);
357 kfree(str8);
358}
359
360/**
361 * efivar_init - build the initial list of EFI variables
362 * @func: callback function to invoke for every variable
363 * @data: function-specific data to pass to @func
364 * @duplicates: error if we encounter duplicates on @head?
365 * @head: initialised head of variable list
366 *
367 * Get every EFI variable from the firmware and invoke @func. @func
368 * should call efivar_entry_add() to build the list of variables.
369 *
370 * Returns 0 on success, or a kernel error code on failure.
371 */
372int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *),
373 void *data, bool duplicates, struct list_head *head)
374{
375 unsigned long variable_name_size = 1024;
376 efi_char16_t *variable_name;
377 efi_status_t status;
378 efi_guid_t vendor_guid;
379 int err = 0;
380
381 variable_name = kzalloc(variable_name_size, GFP_KERNEL);
382 if (!variable_name) {
383 printk(KERN_ERR "efivars: Memory allocation failed.\n");
384 return -ENOMEM;
385 }
386
387 err = efivar_lock();
388 if (err)
389 goto free;
390
391 /*
392 * Per EFI spec, the maximum storage allocated for both
393 * the variable name and variable data is 1024 bytes.
394 */
395
396 do {
397 variable_name_size = 1024;
398
399 status = efivar_get_next_variable(&variable_name_size,
400 variable_name,
401 &vendor_guid);
402 switch (status) {
403 case EFI_SUCCESS:
404 variable_name_size = var_name_strnsize(variable_name,
405 variable_name_size);
406
407 /*
408 * Some firmware implementations return the
409 * same variable name on multiple calls to
410 * get_next_variable(). Terminate the loop
411 * immediately as there is no guarantee that
412 * we'll ever see a different variable name,
413 * and may end up looping here forever.
414 */
415 if (duplicates &&
416 variable_is_present(variable_name, &vendor_guid,
417 head)) {
418 dup_variable_bug(variable_name, &vendor_guid,
419 variable_name_size);
420 status = EFI_NOT_FOUND;
421 } else {
422 err = func(variable_name, vendor_guid,
423 variable_name_size, data);
424 if (err)
425 status = EFI_NOT_FOUND;
426 }
427 break;
428 case EFI_UNSUPPORTED:
429 err = -EOPNOTSUPP;
430 status = EFI_NOT_FOUND;
431 break;
432 case EFI_NOT_FOUND:
433 break;
434 default:
435 printk(KERN_WARNING "efivars: get_next_variable: status=%lx\n",
436 status);
437 status = EFI_NOT_FOUND;
438 break;
439 }
440
441 } while (status != EFI_NOT_FOUND);
442
443 efivar_unlock();
444free:
445 kfree(variable_name);
446
447 return err;
448}
449
450/**
451 * efivar_entry_add - add entry to variable list
452 * @entry: entry to add to list
453 * @head: list head
454 *
455 * Returns 0 on success, or a kernel error code on failure.
456 */
457int efivar_entry_add(struct efivar_entry *entry, struct list_head *head)
458{
459 int err;
460
461 err = efivar_lock();
462 if (err)
463 return err;
464 list_add(&entry->list, head);
465 efivar_unlock();
466
467 return 0;
468}
469
470/**
471 * __efivar_entry_add - add entry to variable list
472 * @entry: entry to add to list
473 * @head: list head
474 */
475void __efivar_entry_add(struct efivar_entry *entry, struct list_head *head)
476{
477 list_add(&entry->list, head);
478}
479
480/**
481 * efivar_entry_remove - remove entry from variable list
482 * @entry: entry to remove from list
483 *
484 * Returns 0 on success, or a kernel error code on failure.
485 */
486void efivar_entry_remove(struct efivar_entry *entry)
487{
488 list_del(&entry->list);
489}
490
491/*
492 * efivar_entry_list_del_unlock - remove entry from variable list
493 * @entry: entry to remove
494 *
495 * Remove @entry from the variable list and release the list lock.
496 *
497 * NOTE: slightly weird locking semantics here - we expect to be
498 * called with the efivars lock already held, and we release it before
499 * returning. This is because this function is usually called after
500 * set_variable() while the lock is still held.
501 */
502static void efivar_entry_list_del_unlock(struct efivar_entry *entry)
503{
504 list_del(&entry->list);
505 efivar_unlock();
506}
507
508/**
509 * efivar_entry_delete - delete variable and remove entry from list
510 * @entry: entry containing variable to delete
511 *
512 * Delete the variable from the firmware and remove @entry from the
513 * variable list. It is the caller's responsibility to free @entry
514 * once we return.
515 *
516 * Returns 0 on success, -EINTR if we can't grab the semaphore,
517 * converted EFI status code if set_variable() fails.
518 */
519int efivar_entry_delete(struct efivar_entry *entry)
520{
521 efi_status_t status;
522 int err;
523
524 err = efivar_lock();
525 if (err)
526 return err;
527
528 status = efivar_set_variable_locked(entry->var.VariableName,
529 &entry->var.VendorGuid,
530 0, 0, NULL, false);
531 if (!(status == EFI_SUCCESS || status == EFI_NOT_FOUND)) {
532 efivar_unlock();
533 return efi_status_to_err(status);
534 }
535
536 efivar_entry_list_del_unlock(entry);
537 return 0;
538}
539
540/**
541 * efivar_entry_size - obtain the size of a variable
542 * @entry: entry for this variable
543 * @size: location to store the variable's size
544 */
545int efivar_entry_size(struct efivar_entry *entry, unsigned long *size)
546{
547 efi_status_t status;
548 int err;
549
550 *size = 0;
551
552 err = efivar_lock();
553 if (err)
554 return err;
555
556 status = efivar_get_variable(entry->var.VariableName,
557 &entry->var.VendorGuid, NULL, size, NULL);
558 efivar_unlock();
559
560 if (status != EFI_BUFFER_TOO_SMALL)
561 return efi_status_to_err(status);
562
563 return 0;
564}
565
566/**
567 * __efivar_entry_get - call get_variable()
568 * @entry: read data for this variable
569 * @attributes: variable attributes
570 * @size: size of @data buffer
571 * @data: buffer to store variable data
572 *
573 * The caller MUST call efivar_entry_iter_begin() and
574 * efivar_entry_iter_end() before and after the invocation of this
575 * function, respectively.
576 */
577int __efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
578 unsigned long *size, void *data)
579{
580 efi_status_t status;
581
582 status = efivar_get_variable(entry->var.VariableName,
583 &entry->var.VendorGuid,
584 attributes, size, data);
585
586 return efi_status_to_err(status);
587}
588
589/**
590 * efivar_entry_get - call get_variable()
591 * @entry: read data for this variable
592 * @attributes: variable attributes
593 * @size: size of @data buffer
594 * @data: buffer to store variable data
595 */
596int efivar_entry_get(struct efivar_entry *entry, u32 *attributes,
597 unsigned long *size, void *data)
598{
599 int err;
600
601 err = efivar_lock();
602 if (err)
603 return err;
604 err = __efivar_entry_get(entry, attributes, size, data);
605 efivar_unlock();
606
607 return 0;
608}
609
610/**
611 * efivar_entry_set_get_size - call set_variable() and get new size (atomic)
612 * @entry: entry containing variable to set and get
613 * @attributes: attributes of variable to be written
614 * @size: size of data buffer
615 * @data: buffer containing data to write
616 * @set: did the set_variable() call succeed?
617 *
618 * This is a pretty special (complex) function. See efivarfs_file_write().
619 *
620 * Atomically call set_variable() for @entry and if the call is
621 * successful, return the new size of the variable from get_variable()
622 * in @size. The success of set_variable() is indicated by @set.
623 *
624 * Returns 0 on success, -EINVAL if the variable data is invalid,
625 * -ENOSPC if the firmware does not have enough available space, or a
626 * converted EFI status code if either of set_variable() or
627 * get_variable() fail.
628 *
629 * If the EFI variable does not exist when calling set_variable()
630 * (EFI_NOT_FOUND), @entry is removed from the variable list.
631 */
632int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes,
633 unsigned long *size, void *data, bool *set)
634{
635 efi_char16_t *name = entry->var.VariableName;
636 efi_guid_t *vendor = &entry->var.VendorGuid;
637 efi_status_t status;
638 int err;
639
640 *set = false;
641
642 if (efivar_validate(*vendor, name, data, *size) == false)
643 return -EINVAL;
644
645 /*
646 * The lock here protects the get_variable call, the conditional
647 * set_variable call, and removal of the variable from the efivars
648 * list (in the case of an authenticated delete).
649 */
650 err = efivar_lock();
651 if (err)
652 return err;
653
654 status = efivar_set_variable_locked(name, vendor, attributes, *size,
655 data, false);
656 if (status != EFI_SUCCESS) {
657 err = efi_status_to_err(status);
658 goto out;
659 }
660
661 *set = true;
662
663 /*
664 * Writing to the variable may have caused a change in size (which
665 * could either be an append or an overwrite), or the variable to be
666 * deleted. Perform a GetVariable() so we can tell what actually
667 * happened.
668 */
669 *size = 0;
670 status = efivar_get_variable(entry->var.VariableName,
671 &entry->var.VendorGuid,
672 NULL, size, NULL);
673
674 if (status == EFI_NOT_FOUND)
675 efivar_entry_list_del_unlock(entry);
676 else
677 efivar_unlock();
678
679 if (status && status != EFI_BUFFER_TOO_SMALL)
680 return efi_status_to_err(status);
681
682 return 0;
683
684out:
685 efivar_unlock();
686 return err;
687
688}
689
690/**
691 * efivar_entry_iter - iterate over variable list
692 * @func: callback function
693 * @head: head of variable list
694 * @data: function-specific data to pass to callback
695 *
696 * Iterate over the list of EFI variables and call @func with every
697 * entry on the list. It is safe for @func to remove entries in the
698 * list via efivar_entry_delete() while iterating.
699 *
700 * Some notes for the callback function:
701 * - a non-zero return value indicates an error and terminates the loop
702 * - @func is called from atomic context
703 */
704int efivar_entry_iter(int (*func)(struct efivar_entry *, void *),
705 struct list_head *head, void *data)
706{
707 struct efivar_entry *entry, *n;
708 int err = 0;
709
710 err = efivar_lock();
711 if (err)
712 return err;
713
714 list_for_each_entry_safe(entry, n, head, list) {
715 err = func(entry, data);
716 if (err)
717 break;
718 }
719 efivar_unlock();
720
721 return err;
722}