Re: [PATCH] lkdtm: Add case to provoke a crash in EFI runtime services
From: Ard Biesheuvel
Date: Tue May 19 2026 - 11:28:34 EST
On Fri, 1 May 2026, at 19:01, Ard Biesheuvel wrote:
> From: Ard Biesheuvel <ardb@xxxxxxxxxx>
>
> Add a lkdtm test case that triggers a fault during the execution of an
> EFI runtime service by passing a read-only variable as a by-ref argument
> that the firmware is supposed to update.
>
> This is useful for testing the graceful handling of faults/exceptions in
> EFI platform firmware, which is implemented on x86 and arm64.
>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
> ---
> drivers/misc/lkdtm/bugs.c | 27 +++++++++++++++++++++++++++
> 1 file changed, 27 insertions(+)
>
Ping?
> diff --git a/drivers/misc/lkdtm/bugs.c b/drivers/misc/lkdtm/bugs.c
> index e0098f314570..3eca2ef64aff 100644
> --- a/drivers/misc/lkdtm/bugs.c
> +++ b/drivers/misc/lkdtm/bugs.c
> @@ -7,6 +7,7 @@
> */
> #include "lkdtm.h"
> #include <linux/cpu.h>
> +#include <linux/efi.h>
> #include <linux/list.h>
> #include <linux/hrtimer.h>
> #include <linux/sched.h>
> @@ -817,6 +818,29 @@ static noinline void lkdtm_CORRUPT_PAC(void)
> #endif
> }
>
> +static void __maybe_unused lkdtm_EFI_RUNTIME_CRASH(void)
> +{
> + static unsigned long size __ro_after_init = sizeof(efi_char16_t);
> + efi_status_t status;
> +
> + if (!efi.get_next_variable ||
> + !efi_enabled(EFI_RUNTIME_SERVICES) ||
> + !efi_rt_services_supported(EFI_RT_SUPPORTED_GET_NEXT_VARIABLE_NAME)) {
> + pr_err("FAIL: EFI GetNextVariableName() is not available\n");
> + return;
> + }
> +
> + /*
> + * Provoke a fault by asking the firmware to write to a read-only
> + * variable.
> + */
> + status = efi.get_next_variable(&size, L"", &(efi_guid_t){});
> +
> + if (status != EFI_ABORTED || efi_enabled(EFI_RUNTIME_SERVICES))
> + pr_err("FAIL: EFI GetNextVariable() did not abort (%#lx)\n",
> + status);
> +}
> +
> static struct crashtype crashtypes[] = {
> CRASHTYPE(PANIC),
> CRASHTYPE(PANIC_STOP_IRQOFF),
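Review bot: The two failure messages in lkdtm_EFI_RUNTIME_CRASH() name the service differently: "GetNextVariableName()" in the availability check and "GetNextVariable()" in the final pr_err(). Use one spelling so a single grep over the log finds both. The final condition also expects efi_enabled(EFI_RUNTIME_SERVICES) to be false after the call, so a passing run leaves runtime services disabled when the test returns. The comment above the call only mentions the read-only argument; it would help to state there that EFI_ABORTED together with the cleared EFI_RUNTIME_SERVICES bit is the expected outcome, and that `size` (marked __ro_after_init) is the read-only object in question.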
> @@ -850,6 +874,9 @@ static struct crashtype crashtypes[] = {
> CRASHTYPE(UNSET_SMEP),
> CRASHTYPE(DOUBLE_FAULT),
> CRASHTYPE(CORRUPT_PAC),
> +#ifdef CONFIG_EFI
> + CRASHTYPE(EFI_RUNTIME_CRASH),
> +#endif
> };
>
> struct crashtype_category bugs_crashtypes = {
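Review bot: The CRASHTYPE(EFI_RUNTIME_CRASH) entry is enabled for every CONFIG_EFI build, while the commit message says graceful handling of firmware faults is implemented on x86 and arm64. Presumably on other EFI architectures the test ends in an unhandled fault rather than a FAIL line, so consider narrowing the #ifdef to the architectures that implement the handling, or documenting that behaviour for the rest. Since the function definition sits outside this #ifdef and relies on __maybe_unused, wrapping the definition in the same guard would also keep the two in step.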
> --
> 2.54.0.545.g6539524ca2-goog