Message-Id: <20190312005004.19182-1-bhe@redhat.com>
Date:   Tue, 12 Mar 2019 08:50:01 +0800
From:   Baoquan He <bhe@...hat.com>
To:     linux-kernel@...r.kernel.org
Cc:     tglx@...utronix.de, kirill.shutemov@...ux.intel.com,
        mingo@...nel.org, bp@...en8.de, hpa@...or.com, dyoung@...hat.com,
        x86@...nel.org, Baoquan He <bhe@...hat.com>
Subject: [PATCH v2 0/3] Add restrictions for kexec/kdump jumping between 5-level and 4-level kernel

This is v2 post.

The original v1 post can be found here:
http://lkml.kernel.org/r/20180829141624.13985-1-bhe@redhat.com

Later a v1 RESEND version:
http://lkml.kernel.org/r/20190125022817.29506-1-bhe@redhat.com

This patchset is trying to fix several issues for kexec/kdump when
dynamic switching of paging mode is enabled in x86_64. The current
kernel supports 5-level paging mode, and supports dynamically choosing
paging mode during bootup according to kernel image, hardware and
kernel parameter setting. This flexibility brings several issues for
kexec/kdump:

Issues:
1)
Dynamic switching between paging modes requires a code change in the target
kernel. So we can't kexec jump from a 5-level kernel to an old 4-level
kernel which lacks the code change.

2)
Switching from a 5-level paging to a 4-level paging kernel would fail if
kexec() puts the kernel image above 64TiB of memory.

3)
Kdump jumping has a similar issue to 2). This requires us to only
reserve crashkernel below 64TB, otherwise jumping from 5-level to
4-level kernel will fail.

Note:
Since we have two interfaces kexec_load() and kexec_file_load() to load
kexec/kdump kernel, handling for them is a little different. For
kexec_load(), most of the loading job is done in user space utility
kexec_tools. However, for kexec_file_load(), most of the loading codes
have moved into kernel because of kernel image verification.

Fixes:
a) For issue 1), we need to check if XLF_5LEVEL is set, otherwise error out
with a message.
  -This needs to be done in both the kernel and the kexec_tools utility.
  -Patch 2/3 is the handling of the kernel part.
  -Will post user space patch to kexec mailing list later.

b) For issue 2), we need to check if both XLF_5LEVEL and XLF_5LEVEL_ENABLED
are set, otherwise error out with a message.
  -This only needs to be done in the kexec_tools utility. Because for
   kexec_file_load(), the current code searches for an area to put the kernel
   from bottom to top in system RAM, we usually can always find an area below
   4 GB, so there is no need to worry about a 5-level kernel jumping to a
   4-level kernel. While for kexec_load(), the search for an area for kernel
   loading is top down, and implemented in user space. We need to make sure
   that a 5-level kernel finds an area under 64 TB for a kexec-ed kernel of
   4-level.
  -Will post user space patch to kexec mailing list later.

c) For issue 3), just limit the kernel to reserve crashkernel below 64 TB.
  -This only needs to be done in the kernel.
  -It doesn't need to check bit XLF_5LEVEL or XLF_5LEVEL_ENABLED, we
   just simply limit it below 64 TB which should be enough. Because
   crashkernel is reserved during the 1st kernel's bootup, we don't know
   what kernel will be loaded for kdump usage.
  -Patch 3/3 handles this.

Concerns from reviewing comments:
1)
In v1, hpa raised a concern about why the paging mode checking is not done
before kexec jumping; the discussion can be found here:

http://lkml.kernel.org/r/alpine.DEB.2.21.1809051002020.1416@nanos.tec.linutronix.de

As tglx said, it might not be doable for kdump since the kdump kernel's
reserved crashkernel region only owns a portion of memory, which may
be above 4G; and it might not be safer to do the paging mode checking and
switching after a crash.

2)
In v1 RESEND post, tglx asked why only bit XLF_5LEVEL is checked, even
though two bits XLF_5LEVEL or XLF_5LEVEL_ENABLED. So add sentences to
explain this in *Fixes* b).

v1->v2:
  Correct the subject of patch 1 according to tglx's comment;
  Add more information to cover-letter to address reviewers' concerns;

Baoquan He (3):
  x86/boot: Add xloadflags bits for 5-level kernel checking
  x86/kexec/64: Error out if try to jump to old 4-level kernel from
    5-level kernel
  x86/kdump/64: Change the upper limit of crashkernel reservation

 arch/x86/boot/header.S                | 12 +++++++++++-
 arch/x86/include/uapi/asm/bootparam.h |  2 ++
 arch/x86/kernel/kexec-bzimage64.c     |  5 +++++
 arch/x86/kernel/setup.c               | 18 ++++++++++++++----
 4 files changed, 32 insertions(+), 5 deletions(-)

-- 
2.17.2
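
As an added illustration (not code from this patch series or from kexec-tools), the checks described in Fixes a) and b) can be sketched as a pre-load test on the target bzImage's setup header. The bit positions and header offsets follow mainline's bootparam.h and the x86 boot protocol rather than anything quoted in the message. The names check_5level_jump, sample_verdict, the verdict values, and the reading of b) as "a 4-level target must end below 64 TB" are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Bit values as in mainline arch/x86/include/uapi/asm/bootparam.h (not quoted in the message). */
#define XLF_5LEVEL          (1 << 5)
#define XLF_5LEVEL_ENABLED  (1 << 6)

#define HDR_MAGIC_OFF   0x202          /* "HdrS" signature */
#define HDR_VERSION_OFF 0x206          /* boot protocol version, little-endian u16 */
#define HDR_XLF_OFF     0x236          /* xloadflags, little-endian u16, protocol >= 2.12 */
#define LIMIT_64TB      (1ULL << 46)   /* placement limit for a 4-level target */

enum kexec_verdict { KX_OK, KX_BAD_IMAGE, KX_NO_5LEVEL_CODE, KX_ABOVE_64TB };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hypothetical pre-load check: running_5level is the current kernel's mode,
 * load_end is the highest physical address the new image would occupy. */
enum kexec_verdict check_5level_jump(const uint8_t *img, size_t len,
                                     int running_5level, uint64_t load_end)
{
    uint16_t xlf;

    if (len < HDR_XLF_OFF + 2 || memcmp(img + HDR_MAGIC_OFF, "HdrS", 4) != 0)
        return KX_BAD_IMAGE;
    /* Headers older than protocol 2.12 have no xloadflags: treat the flags as zero. */
    xlf = le16(img + HDR_VERSION_OFF) >= 0x020c ? le16(img + HDR_XLF_OFF) : 0;
    if (!running_5level)
        return KX_OK;                   /* restrictions only apply when leaving 5-level */
    if (!(xlf & XLF_5LEVEL))
        return KX_NO_5LEVEL_CODE;       /* fix a): target lacks the switching code */
    if (!(xlf & XLF_5LEVEL_ENABLED) && load_end > LIMIT_64TB)
        return KX_ABOVE_64TB;           /* fix b): 4-level target placed too high */
    return KX_OK;
}

/* Builds a constructed (not real) setup header and runs the check on it. */
enum kexec_verdict sample_verdict(uint16_t version, uint16_t xlf,
                                  int running_5level, uint64_t load_end)
{
    uint8_t hdr[0x240] = {0};

    memcpy(hdr + HDR_MAGIC_OFF, "HdrS", 4);
    hdr[HDR_VERSION_OFF] = version & 0xff; hdr[HDR_VERSION_OFF + 1] = version >> 8;
    hdr[HDR_XLF_OFF] = xlf & 0xff;         hdr[HDR_XLF_OFF + 1] = xlf >> 8;
    return check_5level_jump(hdr, sizeof(hdr), running_5level, load_end);
}
```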
