lkdtm: Add case to provoke a crash in EFI runtime services

Add a lkdtm test case that triggers a fault during the execution of a
EFI runtime service by passing a read-only variable as a by-ref argument
that the firmware is supposed to update.

This is useful for testing the graceful handling of faults/exception in
EFI platform firmware, which is implemented on x86 and arm64.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://patch.msgid.link/20260501170156.2833364-2-ardb+git@google.com
Signed-off-by: Kees Cook <kees@kernel.org>

diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
index e0098f314570dd984fdb45b57885d6d24826c3b6..3eca2ef64afff9cba42d41a156648f2e3b7ada36 100644 (file)
--- a/drivers/misc/lkdtm/bugs.c
+++ b/drivers/misc/lkdtm/bugs.c
@@ -7,6 +7,7 @@
  */
 #include "lkdtm.h"
 #include <linux/cpu.h>
+#include <linux/efi.h>
 #include <linux/list.h>
 #include <linux/hrtimer.h>
 #include <linux/sched.h>
@@ -817,6 +818,29 @@ static noinline void lkdtm_CORRUPT_PAC(void)
 #endif
 }
 
+static void __maybe_unused lkdtm_EFI_RUNTIME_CRASH(void)
+{
+       static unsigned long size __ro_after_init = sizeof(efi_char16_t);
+       efi_status_t status;
+
+       if (!efi.get_next_variable ||
+           !efi_enabled(EFI_RUNTIME_SERVICES) ||
+           !efi_rt_services_supported(EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME)) {
+               pr_err("FAIL: EFI GetNextVariableName() is not available\n");
+               return;
+       }
+
+       /*
+        * Provoke a fault by asking the firmware to write to a read-only
+        * variable.
+        */
+       status = efi.get_next_variable(&size, L"", &(efi_guid_t){});
+
+       if (status != EFI_ABORTED || efi_enabled(EFI_RUNTIME_SERVICES))
+               pr_err("FAIL: EFI GetNextVariable() did not abort (%#lx)\n",
+                      status);
+}
+
 static struct crashtype crashtypes[] = {
        CRASHTYPE(PANIC),
        CRASHTYPE(PANIC_STOP_IRQOFF),
@@ -850,6 +874,9 @@ static struct crashtype crashtypes[] = {
        CRASHTYPE(UNSET_SMEP),
        CRASHTYPE(DOUBLE_FAULT),
        CRASHTYPE(CORRUPT_PAC),
+#ifdef CONFIG_EFI
+       CRASHTYPE(EFI_RUNTIME_CRASH),
+#endif
 };
 
 struct crashtype_category bugs_crashtypes = {