Message-ID: <alpine.DEB.2.02.1502110607250.29696@kaball.uk.xensource.com>
Date:	Wed, 11 Feb 2015 06:33:13 +0000
From:	Stefano Stabellini <stefano.stabellini@...citrix.com>
To:	Ard Biesheuvel <ard.biesheuvel@...aro.org>
CC:	Mark Rutland <mark.rutland@....com>,
	"hanjun.guo@...aro.org" <hanjun.guo@...aro.org>,
	"graeme.gregory@...aro.org" <graeme.gregory@...aro.org>,
	Leif Lindholm <leif.lindholm@...aro.org>,
	Mark Langsdorf <mlangsdo@...hat.com>,
	"linaro-acpi@...ts.linaro.org" <linaro-acpi@...ts.linaro.org>,
	Catalin Marinas <Catalin.Marinas@....com>,
	Will Deacon <Will.Deacon@....com>,
	"wangyijing@...wei.com" <wangyijing@...wei.com>,
	Rob Herring <robh@...nel.org>,
	Lorenzo Pieralisi <Lorenzo.Pieralisi@....com>,
	Jonathan Corbet <corbet@....net>,
	Timur Tabi <timur@...eaurora.org>,
	Daniel Lezcano <daniel.lezcano@...aro.org>,
	"linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
	"grant.likely@...aro.org" <grant.likely@...aro.org>,
	Charles Garcia-Tobin <Charles.Garcia-Tobin@....com>,
	"phoenix.liyi@...wei.com" <phoenix.liyi@...wei.com>,
	Robert Richter <rric@...nel.org>,
	Jason Cooper <jason@...edaemon.net>,
	Arnd Bergmann <arnd@...db.de>,
	Marc Zyngier <Marc.Zyngier@....com>,
	"jcm@...hat.com" <jcm@...hat.com>, Mark Brown <broonie@...nel.org>,
	Bjorn Helgaas <bhelgaas@...gle.com>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	Matt Fleming <matt.fleming@...el.com>,
	Ashwin Chaugule <ashwinc@...eaurora.org>,
	Randy Dunlap <rdunlap@...radead.org>,
	"Rafael J. Wysocki" <rjw@...ysocki.net>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"suravee.suthikulpanit@....com" <suravee.suthikulpanit@....com>,
	Sudeep Holla <Sudeep.Holla@....com>,
	Olof Johansson <olof@...om.net>,
	Stefano Stabellini <stefano.stabellini@...citrix.com>,
	Ian Campbell <ian.campbell@...rix.com>,
	Julien Grall <julien.grall@...aro.org>
Subject: Re: [PATCH v8 08/21] dt / chosen: Add linux,uefi-stub-generated-dtb property

On Wed, 11 Feb 2015, Ard Biesheuvel wrote:
> On 9 February 2015 at 19:46, Mark Rutland <mark.rutland@....com> wrote:
> > On Sat, Feb 07, 2015 at 05:03:44AM +0000, Ard Biesheuvel wrote:
> >> On 7 February 2015 at 03:36, Hanjun Guo <hanjun.guo@...aro.org> wrote:
> >> > On 2015-02-06 18:34, G Gregory wrote:
> >> > [...]
> >> >
> >> >>>>>>
> >> >>>>>> --------------------------------------------------------------------------------
> >> >>>>>>   linux,uefi-stub-kern-ver  | string | Copy of linux_banner from
> >> >>>>>> build.
> >> >>>>>>
> >> >>>>>> --------------------------------------------------------------------------------
> >> >>>>>> +linux,uefi-stub-generated-dtb  | bool | Indication for no DTB
> >> >>>>>> provided by
> >> >>>>>> +                        |      | firmware.
> >> >>>>>>
> >> >>>>>> +--------------------------------------------------------------------------------
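Review bot: the new row's description, "Indication for no DTB provided by firmware", records how the tree came about rather than what the kernel may conclude from it; the binding should state that the property means the tree contains no platform description (so ACPI is to be preferred) and name the agent that sets it, since the replies below show exactly that ambiguity motivating the "linux,bare-dtb" alternative, which describes the state rather than the route.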
> >> >>>>>
> >> >>>>>
> >> >>>>> Apologies for the late bikeshedding, but the discussion on this topic
> >> >>>>> previously was lively enough that I thought I'd let it die down a bit
> >> >>>>> before seeing if I had anything to add.
> >> >>>>>
> >> >>>>> That, and I just realised something:
> >> >>>>> One alternative to this added DT entry is that we could treat the
> >> >>>>> absence of a registered UEFI configuration table as the indication
> >> >>>>> that no HW description was provided from firmware, since the stub does
> >> >>>>> not call InstallConfigurationTable() on the DT it generates. This does
> >> >>>>> move the ability to detect to after efi_init(), but this should be
> >> >>>>> fine for ACPI-purposes.
> >> >>>>>
> >> >>>> That would not work as expected in the kexec/Xen use case though as they
> >> >>>> may genuinely boot with DT from an ACPI host without UEFI.
> >> >>>
> >> >>>
> >> >>> I'm a little concerned by this case. How do we intend to pass stuff from
> >> >>> Xen to the kernel in this case? When we initially discussed the stub
> >> >>> prior to merging, we weren't quite sure if ACPI without UEFI was
> >> >>> entirely safe.
> >> >>>
> >> >>> The linux,uefi-stub-kern-ver property was originally intended as a
> >> >>> sanity-check feature to ensure nothing (including Xen) masqueraded as
> >> >>> the stub, but for some reason the actual sanity check was never
> >> >>> implemented.
> >> >>>
> >> >>>>> If that is deemed undesirable, I would still prefer Catalin's
> >> >>>>> suggested name ("linux,bare-dtb"), which describes the state rather
> >> >>>>> than the route we took to get there.
> >> >>>>>
> >> >>>> I agree.
> >> >>>
> >> >>>
> >> >>> I guess this would be ok, though it would be nice to know which agent
> >> >>> generated the DTB.
> >> >>>
> >> >>
> >> >> The most obvious scheme then is
> >> >>
> >> >> linux,bare-dtb = "uefi-stub";
> >> >>
> >> >> otherwise we generate a new binding for every component in the boot path.
> >> >
> >> >
> >> > Leif, Mark, any comments on this?
> >> >
> >>
> >> As far as I remember, we did not finalize the decision to go with a
> >> stub generated property instead of some other means to infer that the
> >> device tree is not suitable for booting and ACPI should be preferred.
> >>
> >> We will be discussing the 'stub<->kernel interface as a boot protocol'
> >> topic this week at Connect, so let's discuss it in that context before
> >> signing off on patches like these.
> >
> > As some of us (at least myself) aren't at connect, it would be nice if
> > those discussions could be at least mirrored on the mailing list. I have
> > some concerns regarding how this is going to work long-term, and I'd
> > like to make sure we don't get stuck with something that limits what we
> > can do long-term.
> >
> > Is there a session set aside for this, or is this a hallway track topic?
> >
> 
> Hello all,
> 
> (added team-Xen to cc)
> 
> We had our meeting yesterday: allow me to summarize what we discussed,
> and we can proceed with the discussion on-list if desired.
> 
> Present:
> Grant Likely
> Al Stone
> Hanjun Guo
> Leif Lindholm
> Roy Franz
> Ard Biesheuvel
> 
> Topic #1: booting the arm64 kernel with ACPI but no UEFI
> 
> We have identified Xen as the only use case: there is a need to boot
> dom0 using the host's ACPI tables but without allowing the dom0 kernel
> to interface directly with the UEFI firmware. There may be other valid
> use cases, though, so this use case should be addressed generically
> regardless.
> 
> First, it was proposed to allow the ACPI root pointer to be added to a
> /chosen node property, and the kernel would use this property instead
> of going through the UEFI tables.
> However, there is a similar case that could be made for SMBIOS: unlike
> x86, where there is a 'legacy' method to locate either table by
> scanning some special physical memory regions, the respective
> specifications only provide a single method to perform table
> discovery, which is through UEFI. This means that passing the ACPI
> root pointer to the kernel using a property in the /chosen node
> doesn't scale well, as we would need to do the same for SMBIOS at
> least, and potentially other tables in the future.

TBH there are no other tables, and even if there were, this method would
still scale linearly with the number of tables, which is not bad in my
view.


> There are two other concerns related to passing the ACPI root pointer directly:
> - the actual discovery occurs in core code, and we are reluctant to
> change it to accommodate arm64 specific behavior
> - it would create separate paths through the early boot code which
> complicates testing and validation

OK


> So instead, we think it is reasonable to mandate a minimal subset of
> the UEFI environment to be present, either natively or emulated/mocked
> up by Xen, kexec etc.

No emulation please :-)


> - an EFI system table (and a /chosen/linux,uefi-system-table that
> points to it) containing at least
>   * a fully populated header with version >= 2.0 and correct CRC
>   * populated fw_vendor string
>   * configuration table pointer and count, pointing to the ACPI and
> SMBIOS configuration tables with their respective GUIDs
>   * NULL runtime services function table pointer
> 
> - an EFI format memory map (and the /chosen/linux,uefi-mmap-*
> properties that go with it) covering all of system RAM, with ACPI and
> SMBIOS reserved regions marked as appropriate

Runtime services actually are going to be available via hypercalls, see
drivers/xen/efi.c, but Boot Services are not going to be.

Given that Dom0 is not booted via EFI but as zImage, how are we going to
pass the two EFI table pointers to Linux? Via Device Tree? It doesn't
look like a great improvement to me.

Generating those two EFI tables shouldn't be a problem though.


> As this basically promotes the stub<->kernel interface to an external
> ABI, the current documentation about the /chosen node properties
> should also be promoted to a proper binding, with the above mandated
> minimal subset added as well.
> 
> There are some minimal changes required to the current kernel code to
> adhere to the above: primarily to deal with a NULL runtime services
> pointer, which is arguably an improvement anyway.

This is not needed, if not for the first generation of patches.


> Topic #2: how to identify an 'empty' DTB
> 
> The proposed policy regarding whether DT or ACPI should be preferred
> if both methods are available hinges on being able to identify a DTB
> as containing a platform description or not. One suggested way of
> doing this is to make the stub add a /chosen node property that
> indicates that it didn't receive a DTB from the firmware, nor loaded
> one from the file system, but created an empty one from scratch.
> 
> Considering the previous topic, i.e., the promotion of the
> stub<->kernel interface to external ABI, we should not be frivolous
> about adding new properties, and adding a 'stub-generated-dtb'
> property should be avoided if there is a better way to deal with this.
> Also, e.g., when booting via GRUB, it may in fact be GRUB and not the
> stub that creates the DTB (when booting with an initrd, for instance)
> so GRUB would have to be modified as well. (If not, simply adding an
> initrd= property to the command line would result in the kernel
> preferring DT over ACPI all of a sudden, which surely, we all agree is
> undesirable behavior)
> 
> So instead, we propose to use a heuristic to decide whether a DTB
> should be considered empty or not:
> If /chosen is the only level 1 node in the tree, the DTB is empty,
> otherwise it is not.
> 
> This can be trivially implemented into the existing EFI early FDT
> discovery code, and does not require any other changes to the stub or
> GRUB.
> 
> Please, could those affected by this comment whether this is feasible
> or not? Other comments/remarks also highly appreciated, of course,
 
Wouldn't it make sense to use the same interface between Xen and Dom0
and between stub and kernel?
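
Ard's Topic #1 list of what a minimal EFI system table must contain (header with version >= 2.0 and a correct CRC, populated fw_vendor, configuration tables for ACPI and SMBIOS, and a runtime services pointer that may be NULL), together with Stefano's point that Xen does provide runtime services via hypercalls, as an added example: this is not kernel code and not anything from Xen or from the thread. It models a 64-bit EFI system table in a flat mock image and applies those checks. The image layout, the base address, the "Xen" vendor string and the ACPI/SMBIOS table addresses are constructed for the example; the signature, the revision encoding, the CRC rule and the two GUIDs are from the UEFI specification.

```python
import struct
import uuid
import zlib

EFI_SYSTEM_TABLE_SIGNATURE = 0x5453595320494249          # "IBI SYST" read as a little-endian u64
EFI_2_00_SYSTEM_TABLE_REVISION = (2 << 16) | 0
ACPI_20_TABLE_GUID = uuid.UUID("8868e871-e4f1-11d3-bc22-0080c73c8881")
SMBIOS_TABLE_GUID = uuid.UUID("eb9d2d31-2d88-11d3-9a16-0090273fc14d")

HDR = struct.Struct("<QIIII")            # EFI_TABLE_HEADER: Signature, Revision, HeaderSize, CRC32, Reserved
BODY = struct.Struct("<QI4xQQQQQQQQQQ")  # rest of a 64-bit EFI_SYSTEM_TABLE (FirmwareVendor .. ConfigurationTable)
CFG = struct.Struct("<16sQ")             # EFI_CONFIGURATION_TABLE: VendorGuid, VendorTable
SYSTAB_SIZE = HDR.size + BODY.size       # 120 bytes on a 64-bit platform

BASE = 0x40000000      # constructed physical address at which the mock image is assumed to live


def build_mock_systab(runtime_services=0, revision=EFI_2_00_SYSTEM_TABLE_REVISION,
                      corrupt_crc=False) -> bytes:
    """Lay out a minimal system table in a 1 KiB mock image: table at +0, vendor string at
    +0x80, configuration-table array at +0x100, ACPI and SMBIOS placeholders at +0x200/+0x300."""
    image = bytearray(0x400)
    vendor = "Xen".encode("utf-16-le") + b"\0\0"             # constructed fw_vendor string
    image[0x80:0x80 + len(vendor)] = vendor
    cfg = (CFG.pack(ACPI_20_TABLE_GUID.bytes_le, BASE + 0x200) +
           CFG.pack(SMBIOS_TABLE_GUID.bytes_le, BASE + 0x300))
    image[0x100:0x100 + len(cfg)] = cfg
    # Console handles/protocols and boot services are NULL; runtime services as requested.
    body = BODY.pack(BASE + 0x80, 1, 0, 0, 0, 0, 0, 0, runtime_services, 0, 2, BASE + 0x100)
    header = HDR.pack(EFI_SYSTEM_TABLE_SIGNATURE, revision, SYSTAB_SIZE, 0, 0)
    crc = zlib.crc32(header + body) & 0xFFFFFFFF    # CRC32 over HeaderSize bytes, CRC field zeroed
    if corrupt_crc:
        crc ^= 1
    image[0:SYSTAB_SIZE] = HDR.pack(EFI_SYSTEM_TABLE_SIGNATURE, revision, SYSTAB_SIZE, crc, 0) + body
    return bytes(image)


def check_systab(image: bytes) -> dict:
    """Apply the minimal-subset checks from the thread to the table at image offset 0."""
    problems = []
    sig, rev, hdr_size, crc, _reserved = HDR.unpack_from(image, 0)
    if sig != EFI_SYSTEM_TABLE_SIGNATURE:
        problems.append("signature is not 'IBI SYST'")
    if rev < EFI_2_00_SYSTEM_TABLE_REVISION:
        problems.append("revision %d.%d is below 2.0" % (rev >> 16, rev & 0xFFFF))
    if hdr_size < HDR.size or hdr_size > len(image):
        problems.append("HeaderSize does not cover the table")
    else:
        zeroed = bytearray(image[:hdr_size])
        zeroed[16:20] = b"\0\0\0\0"              # the CRC32 field is zero while the CRC is computed
        if zlib.crc32(bytes(zeroed)) & 0xFFFFFFFF != crc:
            problems.append("header CRC32 mismatch")
    (fw_vendor, _fw_rev, _cih, _ci, _coh, _co, _seh, _se,
     runtime, _boot, n_cfg, cfg_ptr) = BODY.unpack_from(image, HDR.size)
    if not BASE <= fw_vendor < BASE + len(image):
        problems.append("FirmwareVendor pointer not populated")
    found = {}
    if n_cfg == 0 or cfg_ptr < BASE or cfg_ptr + n_cfg * CFG.size > BASE + len(image):
        problems.append("no usable configuration table array")
    else:
        for i in range(n_cfg):
            guid_le, table = CFG.unpack_from(image, cfg_ptr - BASE + i * CFG.size)
            found[uuid.UUID(bytes_le=guid_le)] = table
    for name, guid in (("ACPI 2.0", ACPI_20_TABLE_GUID), ("SMBIOS", SMBIOS_TABLE_GUID)):
        if guid not in found:
            problems.append(name + " configuration table missing")
    # Runtime services are reported, not required to be NULL: Xen supplies them via hypercalls.
    return {"ok": not problems, "problems": problems,
            "acpi": found.get(ACPI_20_TABLE_GUID), "smbios": found.get(SMBIOS_TABLE_GUID),
            "runtime_services": runtime}


if __name__ == "__main__":
    for label, img in (("mocked by Xen", build_mock_systab()),
                       ("corrupt CRC", build_mock_systab(corrupt_crc=True)),
                       ("UEFI 1.10 header", build_mock_systab(revision=(1 << 16) | 10))):
        r = check_systab(img)
        detail = "; ".join(r["problems"]) or "ACPI@%#x SMBIOS@%#x" % (r["acpi"], r["smbios"])
        print("%-18s ok=%s %s" % (label, r["ok"], detail))
```

The CRC step is the one that catches a table assembled by hand: the checksum covers HeaderSize bytes with the CRC32 field zeroed, so anyone mocking the table (Xen, kexec) has to recompute it after filling in every field, and a kernel that verifies it rejects a half-populated table instead of dereferencing garbage pointers later.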
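
Ard's Topic #2 heuristic, "if /chosen is the only level 1 node in the tree, the DTB is empty", as an added example that is not kernel code and not from the thread: a small flattened-devicetree builder and walker in Python, so the rule can be tried on a stub-style tree (only /chosen, including the initrd= case that would otherwise have flipped the decision) and on a firmware-style tree with memory and cpu nodes. The (props, children) tree representation, the sample trees and the addresses in them are constructed for this example; the token values and header layout are those of the DTB format.

```python
import struct

# Token values and magic from the flattened devicetree format (DTB v17).
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9


def _pad4(data: bytes) -> bytes:
    """Pad to the 4-byte alignment the struct block requires."""
    return data + b"\0" * (-len(data) % 4)


def build_dtb(root) -> bytes:
    """Serialise a tree into a DTB blob. The tree shape is this example's own convention
    (not a kernel or libfdt API): a node is (props, children) with props as {name: raw bytes}
    and children as {name: (props, children)}."""
    struct_blk, strings_blk, name_offsets = bytearray(), bytearray(), {}

    def string_offset(name: str) -> int:
        if name not in name_offsets:
            name_offsets[name] = len(strings_blk)
            strings_blk.extend(name.encode() + b"\0")
        return name_offsets[name]

    def emit(name: str, props: dict, children: dict) -> None:
        struct_blk.extend(struct.pack(">I", FDT_BEGIN_NODE) + _pad4(name.encode() + b"\0"))
        for pname, value in props.items():
            struct_blk.extend(struct.pack(">III", FDT_PROP, len(value), string_offset(pname)))
            struct_blk.extend(_pad4(value))
        for cname, (cprops, cchildren) in children.items():
            emit(cname, cprops, cchildren)
        struct_blk.extend(struct.pack(">I", FDT_END_NODE))

    emit("", root[0], root[1])                 # the root node has an empty name
    struct_blk.extend(struct.pack(">I", FDT_END))

    rsvmap = struct.pack(">QQ", 0, 0)          # memory reservation block: terminator only
    off_rsvmap = 40                            # the header is ten big-endian 32-bit words
    off_struct = off_rsvmap + len(rsvmap)
    off_strings = off_struct + len(struct_blk)
    total = off_strings + len(strings_blk)
    header = struct.pack(">10I", FDT_MAGIC, total, off_struct, off_strings, off_rsvmap,
                         17, 16, 0, len(strings_blk), len(struct_blk))
    return bytes(header + rsvmap + struct_blk + strings_blk)


def top_level_nodes(dtb: bytes) -> list:
    """Walk the struct block and return the names of the level-1 nodes (direct children of /)."""
    magic, total, off_struct, _, _, _, _, _, _, size_struct = struct.unpack_from(">10I", dtb, 0)
    if magic != FDT_MAGIC or total > len(dtb) or off_struct + size_struct > total:
        raise ValueError("not a well-formed DTB")
    pos, end = off_struct, off_struct + size_struct
    depth, names = 0, []
    while pos + 4 <= end:
        (token,) = struct.unpack_from(">I", dtb, pos)
        pos += 4
        if token == FDT_BEGIN_NODE:
            nul = dtb.index(b"\0", pos, end)
            if depth == 1:                     # depth 0 is the root node itself
                names.append(dtb[pos:nul].decode())
            depth += 1
            pos = nul + 1
        elif token == FDT_END_NODE:
            depth -= 1
        elif token == FDT_PROP:
            length, _name_off = struct.unpack_from(">II", dtb, pos)
            pos += 8 + length
        elif token == FDT_NOP:
            continue
        elif token == FDT_END:
            if depth != 0:
                raise ValueError("unbalanced BEGIN_NODE/END_NODE")
            return names
        else:
            raise ValueError("unknown token 0x%x at offset %d" % (token, pos - 4))
        pos += -pos % 4                        # every token starts 4-byte aligned
    raise ValueError("struct block has no FDT_END")


def dtb_is_empty(dtb: bytes) -> bool:
    """The heuristic proposed in the thread: /chosen as the only level-1 node means the
    tree carries no platform description and ACPI should be preferred."""
    return top_level_nodes(dtb) == ["chosen"]


# Constructed sample trees, not captured from any firmware, stub or boot loader.
STUB_GENERATED = ({}, {
    # What the stub (or GRUB with initrd=) leaves behind: boot parameters only.
    "chosen": ({
        "bootargs": b"console=ttyAMA0 root=/dev/vda1\0",
        "linux,uefi-system-table": struct.pack(">Q", 0x40000000),   # placeholder address
        "linux,initrd-start": struct.pack(">Q", 0x48000000),        # placeholder address
    }, {}),
})

FIRMWARE_PROVIDED = ({"compatible": b"example,board\0"}, {
    "chosen": ({"bootargs": b"console=ttyAMA0\0"}, {}),
    "memory@40000000": ({"device_type": b"memory\0",
                         "reg": struct.pack(">QQ", 0x40000000, 0x80000000)}, {}),
    "cpus": ({}, {"cpu@0": ({"device_type": b"cpu\0"}, {})}),
})

if __name__ == "__main__":
    for label, tree in (("stub-generated", STUB_GENERATED), ("firmware-provided", FIRMWARE_PROVIDED)):
        blob = build_dtb(tree)
        verdict = "empty, prefer ACPI" if dtb_is_empty(blob) else "has platform description"
        print("%-18s level-1 nodes=%s -> %s" % (label, top_level_nodes(blob), verdict))
```

The walker counts depth rather than pattern-matching names, so sub-nodes under /chosen do not count as level-1 nodes, and extra properties added to /chosen by GRUB (initrd=, bootargs) leave the verdict unchanged, which is the property Ard wants from the heuristic. The literal rule treats a tree with a bare root and no children at all as not empty; whether that degenerate case should also select ACPI is not settled by the thread, so the function follows the rule as stated.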
