Message-ID: <CAKv+Gu_uXs7tto3JdEOoEfqFpjUKdwFo4dSN3X3399uc+sJKrQ@mail.gmail.com>
Date:	Wed, 11 Feb 2015 14:53:21 +0800
From:	Ard Biesheuvel <ard.biesheuvel@...aro.org>
To:	Stefano Stabellini <stefano.stabellini@...citrix.com>
Cc:	Mark Rutland <mark.rutland@....com>,
	"hanjun.guo@...aro.org" <hanjun.guo@...aro.org>,
	"graeme.gregory@...aro.org" <graeme.gregory@...aro.org>,
	Leif Lindholm <leif.lindholm@...aro.org>,
	Mark Langsdorf <mlangsdo@...hat.com>,
	"linaro-acpi@...ts.linaro.org" <linaro-acpi@...ts.linaro.org>,
	Catalin Marinas <Catalin.Marinas@....com>,
	Will Deacon <Will.Deacon@....com>,
	"wangyijing@...wei.com" <wangyijing@...wei.com>,
	Rob Herring <robh@...nel.org>,
	Lorenzo Pieralisi <Lorenzo.Pieralisi@....com>,
	Jonathan Corbet <corbet@....net>,
	Timur Tabi <timur@...eaurora.org>,
	Daniel Lezcano <daniel.lezcano@...aro.org>,
	"linux-acpi@...r.kernel.org" <linux-acpi@...r.kernel.org>,
	"grant.likely@...aro.org" <grant.likely@...aro.org>,
	Charles Garcia-Tobin <Charles.Garcia-Tobin@....com>,
	"phoenix.liyi@...wei.com" <phoenix.liyi@...wei.com>,
	Robert Richter <rric@...nel.org>,
	Jason Cooper <jason@...edaemon.net>,
	Arnd Bergmann <arnd@...db.de>,
	Marc Zyngier <Marc.Zyngier@....com>,
	"jcm@...hat.com" <jcm@...hat.com>, Mark Brown <broonie@...nel.org>,
	Bjorn Helgaas <bhelgaas@...gle.com>,
	"linux-arm-kernel@...ts.infradead.org" 
	<linux-arm-kernel@...ts.infradead.org>,
	Matt Fleming <matt.fleming@...el.com>,
	Ashwin Chaugule <ashwinc@...eaurora.org>,
	Randy Dunlap <rdunlap@...radead.org>,
	"Rafael J. Wysocki" <rjw@...ysocki.net>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	"suravee.suthikulpanit@....com" <suravee.suthikulpanit@....com>,
	Sudeep Holla <Sudeep.Holla@....com>,
	Olof Johansson <olof@...om.net>,
	Ian Campbell <ian.campbell@...rix.com>,
	Julien Grall <julien.grall@...aro.org>
Subject: Re: [PATCH v8 08/21] dt / chosen: Add linux,uefi-stub-generated-dtb property

On 11 February 2015 at 14:33, Stefano Stabellini
<stefano.stabellini@...citrix.com> wrote:
> On Wed, 11 Feb 2015, Ard Biesheuvel wrote:
>> On 9 February 2015 at 19:46, Mark Rutland <mark.rutland@....com> wrote:
>> > On Sat, Feb 07, 2015 at 05:03:44AM +0000, Ard Biesheuvel wrote:
>> >> On 7 February 2015 at 03:36, Hanjun Guo <hanjun.guo@...aro.org> wrote:
>> >> > On 2015-02-06 18:34, G Gregory wrote:
>> >> > [...]
>> >> >
>> >> >>>>>>
>> >> >>>>>> --------------------------------------------------------------------------------
>> >> >>>>>>   linux,uefi-stub-kern-ver  | string | Copy of linux_banner from
>> >> >>>>>> build.
>> >> >>>>>>
>> >> >>>>>> --------------------------------------------------------------------------------
>> >> >>>>>> +linux,uefi-stub-generated-dtb  | bool | Indication for no DTB
>> >> >>>>>> provided by
>> >> >>>>>> +                        |      | firmware.
>> >> >>>>>>
>> >> >>>>>> +--------------------------------------------------------------------------------
>> >> >>>>>
>> >> >>>>>
>> >> >>>>> Apologies for the late bikeshedding, but the discussion on this topic
>> >> >>>>> previously was lively enough that I thought I'd let it die down a bit
>> >> >>>>> before seeing if I had anything to add.
>> >> >>>>>
>> >> >>>>> That, and I just realised something:
>> >> >>>>> One alternative to this added DT entry is that we could treat the
>> >> >>>>> absence of a registered UEFI configuration table as the indication
>> >> >>>>> that no HW description was provided from firmware, since the stub does
>> >> >>>>> not call InstallConfigurationTable() on the DT it generates. This does
>> >> >>>>> move the ability to detect to after efi_init(), but this should be
>> >> >>>>> fine for ACPI-purposes.
>> >> >>>>>
>> >> >>>> That would not work as expected in the kexec/Xen use case though as they
>> >> >>>> may genuinely boot with DT from an ACPI host without UEFI.
>> >> >>>
>> >> >>>
>> >> >>> I'm a little concerned by this case. How do we intend to pass stuff from
>> >> >>> Xen to the kernel in this case? When we initially discussed the stub
>> >> >>> prior to merging, we weren't quite sure if ACPI without UEFI was
>> >> >>> entirely safe.
>> >> >>>
>> >> >>> The linux,uefi-stub-kern-ver property was originally intended as a
>> >> >>> sanity-check feature to ensure nothing (including Xen) masqueraded as
>> >> >>> the stub, but for some reason the actual sanity check was never
>> >> >>> implemented.
>> >> >>>
>> >> >>>>> If that is deemed undesirable, I would still prefer Catalin's
>> >> >>>>> suggested name ("linux,bare-dtb"), which describes the state rather
>> >> >>>>> than the route we took to get there.
>> >> >>>>>
>> >> >>>> I agree.
>> >> >>>
>> >> >>>
>> >> >>> I guess this would be ok, though it would be nice to know which agent
>> >> >>> generated the DTB.
>> >> >>>
>> >> >>
>> >> >> The most obvious scheme then is
>> >> >>
>> >> >> linux,bare-dtb = "uefi-stub";
>> >> >>
>> >> >> otherwise we generate a new binding for every component in the boot path.
>> >> >
>> >> >
>> >> > Leif, Mark, any comments on this?
>> >> >
>> >>
>> >> As far as I remember, we did not finalize the decision to go with a
>> >> stub generated property instead of some other means to infer that the
>> >> device tree is not suitable for booting and ACPI should be preferred.
>> >>
>> >> We will be discussing the 'stub<->kernel interface as a boot protocol'
>> >> topic this week at Connect, so let's discuss it in that context before
>> >> signing off on patches like these.
>> >
>> > As some of us (at least myself) aren't at connect, it would be nice if
>> > those discussions could be at least mirrored on the mailing list. I have
>> > some concerns regarding how this is going to work long-term, and I'd
>> > like to make sure we don't get stuck with something that limits what we
>> > can do long-term.
>> >
>> > Is there a session set aside for this, or is this a hallway track topic?
>> >
>>
>> Hello all,
>>
>> (added team-Xen to cc)
>>
>> We had our meeting yesterday: allow me to summarize what we discussed,
>> and we can proceed with the discussion on-list if desired.
>>
>> Present:
>> Grant Likely
>> Al Stone
>> Hanjun Guo
>> Leif Lindholm
>> Roy Franz
>> Ard Biesheuvel
>>
>> Topic #1: booting the arm64 kernel with ACPI but no UEFI
>>
>> We have identified Xen as the only use case: there is a need to boot
>> dom0 using the host's ACPI tables but without allowing the dom0 kernel
>> to interface directly with the UEFI firmware. There may be other valid
>> use cases, though, so this use case should be addressed generically
>> regardless.
>>
>> First, it was proposed to allow the ACPI root pointer to be added to a
>> /chosen node property, and the kernel would use this property instead
>> of going through the UEFI tables.
>> However, there is a similar case that could be made for SMBIOS: unlike
>> x86, where there is a 'legacy' method to locate either table by
>> scanning some special physical memory regions, the respective
>> specifications only provide a single method to perform table
>> discovery, which is through UEFI. This means that passing the ACPI
>> root pointer to the kernel using a property in the /chosen node
>> doesn't scale well, as we would need to do the same for SMBIOS at
>> least, and potentially other tables in the future.
>
> TBH there are no other tables and even if there were, this method would
> still scale linearly with the number of tables, that is not bad in my
> view.
>

Fair enough

>
>> There are two other concerns related to passing the ACPI root pointer directly:
>> - the actual discovery occurs in core code, and we are reluctant to
>> change it to accommodate arm64 specific behavior
>> - it would create separate paths through the early boot code which
>> complicates testing and validation
>
> OK
>
>
>> So instead, we think it is reasonable to mandate a minimal subset of
>> the UEFI environment to be present, either natively or emulated/mocked
>> up by Xen, kexec etc.
>
> No emulation please :-)
>

Well, perhaps 'emulated' is not the right term to use here. It is just
about presenting a couple of data items in the same way that UEFI
presents them

>
>> - an EFI system table (and a /chosen/linux,uefi-system-table that
>> points to it) containing at least
>>   * a fully populated header with version >= 2.0 and correct CRC
>>   * populated fw_vendor string
>>   * configuration table pointer and count, pointing to the ACPI and
>> SMBIOS configuration tables with their respective GUIDs
>>   * NULL runtime services function table pointer
>>
>> - an EFI format memory map (and the /chosen/linux,uefi-mmap-*
>> properties that go with it) covering all of system RAM, with ACPI and
>> SMBIOS reserved regions marked as appropriate
>
> Runtime services actually are going to be available via hypercalls, see
> drivers/xen/efi.c, but Boot Services are not going to be.
>

I was aware of that, but it does mean that the early UEFI code should
not try to install virtual remappings of the UEFI runtime memory
regions, as all the machinery is either in the kernel or in the
hypervisor. So even if the Xen guest code installs a Runtime Services
dispatch table at some point, the existing code should still be
defused.

In the native UEFI case, the stub calls ExitBootServices() so boot
services are not part of the equation anyway. (They are never
available when running in the kernel proper)

> Given that Dom0 is not booted via EFI but as zImage, how are we going to
> pass the two EFI table pointers to Linux? Via Device Tree? It doesn't
> look like a great improvement to me.
>

The EFI system table and memory map pointers shall be passed to the
kernel in the exact same way as the stub does: via the /chosen node.
This is currently documented in Documentation/arm/uefi.txt but it
should be promoted to a proper binding.

> Generating those two EFI tables shouldn't be a problem though.
>
>

Good.

>> As this basically promotes the stub<->kernel interface to an external
>> ABI, the current documentation about the /chosen node properties
>> should also be promoted to a proper binding, with the above mandated
>> minimal subset added as well.
>>
>> There are some minimal changes required to the current kernel code to
>> adhere to the above: primarily to deal with a NULL runtime services
>> pointer, which is arguably an improvement anyway.
>
> This is not needed, if not for the first generation of patches
>
>

It is needed: the UEFI code needs to understand that the runtime
pointer in the EFI system table may be NULL, in which case no virtual
remapping or installation of the runtime services should take place.
Whether Xen ends up installing its own runtime services is a separate
matter.

>> Topic #2: how to identify an 'empty' DTB
>>
>> The proposed policy regarding whether DT or ACPI should be preferred
>> if both methods are available hinges on being able to identify a DTB
>> as containing a platform description or not. One suggested way of
>> doing this is to make the stub add a /chosen node property that
>> indicates that it didn't receive a DTB from the firmware, nor loaded
>> one from the file system, but created an empty one from scratch.
>>
>> Considering the previous topic, i.e., the promotion of the
>> stub<->kernel interface to external ABI, we should not be frivolous
>> about adding new properties, and adding a 'stub-generated-dtb'
>> property should be avoided if there is a better way to deal with this.
>> Also, e.g., when booting via GRUB, it may in fact be GRUB and not the
>> stub that creates the DTB (when booting with an initrd, for instance)
>> so GRUB would have to be modified as well. (If not, simply adding a
>> initrd= property to the command line would result in the kernel
>> preferring DT over ACPI all of a sudden, which surely, we all agree is
>> undesirable behavior)
>>
>> So instead, we propose to use a heuristic to decide whether a DTB
>> should be considered empty or not:
>> If /chosen is the only level 1 node in the tree, the DTB is empty,
>> otherwise it is not.
>>
>> This can be trivially implemented into the existing EFI early FDT
>> discovery code, and does not require any other changes to the stub or
>> GRUB.
>>
>> Please, could those affected by this comment whether this is feasible
>> or not? Other comments/remarks also highly appreciated, of course,
>
> Wouldn't it make sense to use the same interface between Xen and Dom0
> and between stub and kernel?

That is exactly the point: the stub communicates the EFI entry points
(system table and memmap) via the device tree. If you are not booting
via UEFI, there is no way you can execute the stub, so Xen needs to
add those properties to the /chosen node directly, and make them point
to data that the UEFI layer can understand.

-- 
Ard.
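The "/chosen is the only level-1 node" heuristic from Topic #2, as an added example that is not part of this thread or of any kernel, stub or GRUB code: a bounds-checked walk of the flattened device tree's structure block that reports whether any level-1 node other than /chosen exists. It assumes a root with no children at all also counts as empty, and the two blobs (an empty one, and one with a /memory node) are constructed here for illustration, with the reservation and strings blocks left out.

```c
#include <stdint.h>
#include <string.h>
#define FDT_MAGIC 0xd00dfeedu
#define U32(v) (uint8_t)((v) >> 24), (uint8_t)((v) >> 16), (uint8_t)((v) >> 8), (uint8_t)(v)
enum { FDT_BEGIN_NODE = 1, FDT_END_NODE = 2, FDT_PROP = 3, FDT_NOP = 4, FDT_END = 9 };

static uint32_t be32(const uint8_t *p)
{ return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }

/* 1: "empty" DTB (no level-1 node other than /chosen), 0: platform description
 * present, -1: malformed. Every access is bounds-checked: the blob comes from
 * firmware, GRUB or a hypervisor and must not be trusted blindly. */
int fdt_is_empty(const uint8_t *blob, size_t size)
{
    if (size < 40 || be32(blob) != FDT_MAGIC || be32(blob + 4) > size) return -1;
    size_t i = be32(blob + 8), len = be32(blob + 36), end = i + len, n;
    if (i > size || (i & 3) || len > size - i) return -1;
    for (int depth = 0, other = 0; i + 4 <= end; ) {
        uint32_t tok = be32(blob + i); i += 4;
        if (tok == FDT_BEGIN_NODE) {           /* NUL-terminated name, padded to 4 bytes */
            for (n = 0; i + n < end && blob[i + n]; n++) ;
            if (i + n >= end) return -1;
            if (depth == 1 && strcmp((const char *)blob + i, "chosen") != 0) other++;
            depth++; i = (i + n + 4) & ~(size_t)3;
        } else if (tok == FDT_PROP) {          /* u32 len, u32 nameoff, padded data */
            if (i + 8 > end || (n = be32(blob + i)) > end - i - 8) return -1;
            i = (i + 8 + n + 3) & ~(size_t)3;
        } else if (tok == FDT_END_NODE) {
            if (--depth < 0) return -1;
        } else if (tok == FDT_END) {
            return depth == 0 ? other == 0 : -1;
        } else if (tok != FDT_NOP) return -1;
    }
    return -1;                                  /* ran off the end of the struct block */
}

/* Constructed blobs: 40-byte header, then the struct block. The reservation and
 * strings blocks are left empty because the walker never reads them. */
static const uint8_t empty_dtb[] = {            /* what the stub or GRUB creates from scratch */
    U32(FDT_MAGIC), U32(88), U32(40), U32(88), U32(88), U32(17), U32(16), U32(0), U32(0), U32(48),
    U32(FDT_BEGIN_NODE), 0, 0, 0, 0,                             /* root node "" */
    U32(FDT_BEGIN_NODE), 'c', 'h', 'o', 's', 'e', 'n', 0, 0,     /* /chosen */
    U32(FDT_PROP), U32(4), U32(0), U32(0x80000000),               /* one property, e.g. a UEFI pointer */
    U32(FDT_END_NODE), U32(FDT_END_NODE), U32(FDT_END) };
static const uint8_t platform_dtb[] = {         /* a firmware-provided hardware description */
    U32(FDT_MAGIC), U32(88), U32(40), U32(88), U32(88), U32(17), U32(16), U32(0), U32(0), U32(48),
    U32(FDT_BEGIN_NODE), 0, 0, 0, 0,
    U32(FDT_BEGIN_NODE), 'c', 'h', 'o', 's', 'e', 'n', 0, 0, U32(FDT_END_NODE),
    U32(FDT_BEGIN_NODE), 'm', 'e', 'm', 'o', 'r', 'y', 0, 0, U32(FDT_END_NODE),
    U32(FDT_END_NODE), U32(FDT_END) };
```

A truncated or corrupt blob yields -1 rather than a classification, so a loader or hypervisor handing over garbage cannot silently flip the DT-versus-ACPI decision.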