We never run any code at EL0, and so it would seem that any access
permissions set for EL0 (via the AP[1] attribute in the page tables) are
irrelevant. We currently set EL0 and EL1 permissions to the same value
arbitrarily.
However, this causes problems on hardware like the Apple M1 running the
MacOS hypervisor framework, which enters EL1 with SCTLR_EL1.SPAN
enabled, causing the Privileged Access Never (PAN) feature to be enabled
on any exception taken to EL1, including the IRQ exceptions that handle
our timer interrupt. When PAN is enabled, EL1 has no access to any
mappings that are also accessible to EL0, causing the firmware to crash
if it attempts to access such a mapping.
Even though it is debatable whether or not SCTLR_EL1.SPAN should be
disabled at entry or whether the firmware should put all UNKNOWN bits in
all system registers in a consistent state (which it should), using EL0
permissions serves no purpose whatsoever so let's fix that regardless.
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Alexander Graf <agraf@csgraf.de>
Acked-by: Leif Lindholm <leif@nuviainc.com>
\r
// Determine protection attributes\r
if ((EfiAttributes & EFI_MEMORY_RO) != 0) {\r
- ArmAttributes |= TT_AP_RO_RO;\r
+ ArmAttributes |= TT_AP_NO_RO;\r
}\r
\r
// Process eXecute Never attribute\r
}\r
\r
if ((GcdAttributes & EFI_MEMORY_RO) != 0) {\r
- PageAttributes |= TT_AP_RO_RO;\r
+ PageAttributes |= TT_AP_NO_RO;\r
}\r
\r
return PageAttributes | TT_AF;\r
return SetMemoryRegionAttribute (\r
BaseAddress,\r
Length,\r
- TT_AP_RO_RO,\r
+ TT_AP_NO_RO,\r
~TT_ADDRESS_MASK_BLOCK_ENTRY\r
);\r
}\r
return SetMemoryRegionAttribute (\r
BaseAddress,\r
Length,\r
- TT_AP_RW_RW,\r
+ TT_AP_NO_RW,\r
~(TT_ADDRESS_MASK_BLOCK_ENTRY | TT_AP_MASK)\r
);\r
}\r
projects / mirror_edk2.git / commitdiff