Open Source and information security mailing list archives
Date:   Sat, 6 Apr 2019 09:43:17 +0800
From:   Baoquan He <>
Subject: Re: [PATCH v3 0/3] Add restrictions for kexec/kdump jumping between 5-level and 4-level kernel

On 03/12/19 at 06:30pm, Baoquan He wrote:
> This is v3 post.
> The original v1 post can be found here:
> Later a v1 RESEND version:
> V2 post is here:
> This patchset is trying to fix several issues for kexec/kdump when
> dynamic switching of paging mode is enabled in x86_64. The current
> kernel supports 5-level paging mode, and supports dynamically choosing
> paging mode during bootup according to kernel image, hardware and
> kernel parameter setting. This flexibility brings several issues for
> kexec/kdump:
> Issues:
> 1)
> Dynamic switching between paging mode requires code change in target
> kernel. So we can't kexec jump from 5-level kernel to old 4-level
> kernel which lacks the code change.
> 2)
> Switching from 5-level paging to 4-level paging kernel would fail, if
> kexec() put kernel image above 64TiB of memory.
> 3)
> Kdump jumping has a similar issue to 2). This requires us to only
> reserve crashkernel below 64TB, otherwise jumping from 5-level to
> 4-level kernel will fail.
> Note:
> Since we have two interfaces kexec_load() and kexec_file_load() to load
> kexec/kdump kernel, handling for them is a little different. For
> kexec_load(), most of the loading job is done in user space utility
> kexec_tools. However, for kexec_file_load(), most of the loading codes
> have moved into kernel because of kernel image verification.
> Fixes:
> a) For issue 1), we need to check if XLF_5LEVEL is set, otherwise error out
>    with a message.
>   -This needs to be done in both the kernel and the kexec_tools utility.
>   -Patch 2/3 is the handling of kernel part.
>   -Will post user space patch to kexec mailing list later.
> b) For issue 2), we need to check if both XLF_5LEVEL and XLF_5LEVEL_ENABLED
>    are set, otherwise error out with a message.
>   -This only needs to be done in the kexec_tools utility. Because for
>    kexec_file_load(), the current code searches for an area to put the kernel
>    from bottom up in system RAM, we usually can always find an area below
>    4 GB, so there is no need to worry about a 5-level kernel jumping to a 4-level
>    kernel. While for kexec_load(), it searches top down for an area for kernel
>    loading, and this is implemented in user space. We need to make sure that
>    the 5-level kernel finds an area under 64 TB for a kexec-ed 4-level
>    kernel.

This paragraph is used to explain why XLF_5LEVEL_ENABLED is not checked
in the kernel. I will add this information to the log of patch 1/3.

>   -Will post user space patch to kexec mailing list later.
> c) For issue 3), just limit the kernel to reserve crashkernel below 64 TB.
>   -This only needs to be done in the kernel.
>   -It doesn't need to check bit XLF_5LEVEL or XLF_5LEVEL_ENABLED, we
>    just simply limit it below 64 TB, which should be enough. Because
>    crashkernel is reserved during the 1st kernel's bootup, we don't know
>    what kernel will be loaded for kdump usage.
>   -Patch 3/3 handles this.
> Concerns from reviewing comments:
> 1)
> In v1, hpa raised the concern of why the paging mode checking is not done
> before kexec jumping, the discussion can be found here:
> As tglx said, it might not be doable for kdump since the kdump kernel's
> reserved crashkernel region only owns a portion of memory, which may
> be above 4G; and it might not be safer to do the paging mode checking and
> switching thing after a crash.
> 2)
> In the v1 RESEND post, tglx asked why only bit XLF_5LEVEL is checked, even
> though two bits, XLF_5LEVEL and XLF_5LEVEL_ENABLED, were added. So more
> words are added to explain it in *Fixes* b).
> Changelog:
> v2->v3:
>   Change the constant to match the notation for the rest of defines as
>   Kirill suggested;
> v1->v2:
>   Correct the subject of patch 1 according to tglx's comment;
>   Add more information to cover-letter to address reviewers' concerns;
> Baoquan He (3):
>   x86/boot: Add xloadflags bits for 5-level kernel checking
>   x86/kexec/64: Error out if try to jump to old 4-level kernel from
>     5-level kernel
>   x86/kdump/64: Change the upper limit of crashkernel reservation
>  arch/x86/boot/header.S                | 12 +++++++++++-
>  arch/x86/include/uapi/asm/bootparam.h |  2 ++
>  arch/x86/kernel/kexec-bzimage64.c     |  5 +++++
>  arch/x86/kernel/setup.c               | 18 ++++++++++++++----
>  4 files changed, 32 insertions(+), 5 deletions(-)
> -- 
> 2.17.2
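The user-space side of the checks described in *Fixes* a) and b), as an added example that is not part of this patchset or of kexec-tools: it reads xloadflags from the real-mode setup header of a bzImage and applies the two rules from the cover letter when the running kernel is in 5-level mode (refuse a target without XLF_5LEVEL; if XLF_5LEVEL is set but XLF_5LEVEL_ENABLED is not, refuse a load address at or above 64 TiB). Assumptions: the header offsets (0x202 "HdrS", 0x206 protocol version, 0x236 xloadflags) are from the x86 boot protocol documentation, the XLF_* bit values are those in the upstream bootparam.h rather than anything quoted on this page, the 64 TiB bound is taken as 2^46, and all function names are hypothetical. The sample headers are constructed inline.

```c
/* Added example, not the patchset's code. Offsets from the x86 boot protocol;
 * XLF_* bit values from upstream arch/x86/include/uapi/asm/bootparam.h
 * (assumed, not quoted from this post); function names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Real-mode setup header layout (x86 boot protocol). */
#define HDR_MAGIC_OFF      0x202   /* "HdrS" */
#define HDR_VERSION_OFF    0x206   /* u16 boot protocol version, e.g. 0x020c */
#define HDR_XLOADFLAGS_OFF 0x236   /* u16, present from protocol 2.12 */
#define HDR_MIN_LEN        0x238   /* bytes needed to read xloadflags */

/* xloadflags bits (assumed from upstream bootparam.h). */
#define XLF_KERNEL_64      (1 << 0)
#define XLF_5LEVEL         (1 << 5)   /* kernel has the 4-level/5-level switching code */
#define XLF_5LEVEL_ENABLED (1 << 6)   /* kernel was built with 5-level paging enabled */

/* Highest physical address a 4-level kernel can reach: 64 TiB (2^46), assumed. */
#define MAX_4LEVEL_PHYS    (1ULL << 46)

enum kexec_check {
    KEXEC_OK = 0,
    KEXEC_ERR_BAD_HEADER,   /* not a bzImage, or too old to carry xloadflags */
    KEXEC_ERR_NO_5LEVEL,    /* issue 1): target lacks the paging-switch code */
    KEXEC_ERR_ABOVE_64TB    /* issue 2): 4-level-only target placed too high */
};

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));   /* little-endian on-disk field */
}

/* Extract xloadflags from the first bytes of a bzImage. Returns 0 on success. */
int bzimage_xloadflags(const uint8_t *img, size_t len, uint16_t *xlf)
{
    if (len < HDR_MIN_LEN)
        return -1;
    if (memcmp(img + HDR_MAGIC_OFF, "HdrS", 4) != 0)
        return -1;
    if (rd16(img + HDR_VERSION_OFF) < 0x020c)
        return -1;   /* xloadflags only exists from protocol 2.12 */
    *xlf = rd16(img + HDR_XLOADFLAGS_OFF);
    return 0;
}

/* Decide whether a host may kexec this image at physical address load_addr.
 * host_5level: 1 if the running kernel is in 5-level paging mode. */
enum kexec_check check_kexec_target(const uint8_t *img, size_t len,
                                    int host_5level, uint64_t load_addr)
{
    uint16_t xlf;

    if (bzimage_xloadflags(img, len, &xlf) != 0)
        return KEXEC_ERR_BAD_HEADER;
    if (!host_5level)
        return KEXEC_OK;   /* the restrictions only bite when jumping from 5-level */
    if (!(xlf & XLF_5LEVEL))
        return KEXEC_ERR_NO_5LEVEL;
    /* A kernel that can switch but was not built 5-level-enabled boots in
     * 4-level mode and cannot reach memory at or above 64 TiB. */
    if (!(xlf & XLF_5LEVEL_ENABLED) && load_addr >= MAX_4LEVEL_PHYS)
        return KEXEC_ERR_ABOVE_64TB;
    return KEXEC_OK;
}

/* Build a constructed minimal header with the given version and flags, then
 * run the check on it. Used for the demonstration below. */
enum kexec_check check_constructed(uint16_t version, uint16_t xlf,
                                   int host_5level, uint64_t load_addr)
{
    uint8_t img[HDR_MIN_LEN];

    memset(img, 0, sizeof img);
    memcpy(img + HDR_MAGIC_OFF, "HdrS", 4);
    img[HDR_VERSION_OFF]        = (uint8_t)(version & 0xff);
    img[HDR_VERSION_OFF + 1]    = (uint8_t)(version >> 8);
    img[HDR_XLOADFLAGS_OFF]     = (uint8_t)(xlf & 0xff);
    img[HDR_XLOADFLAGS_OFF + 1] = (uint8_t)(xlf >> 8);
    return check_kexec_target(img, sizeof img, host_5level, load_addr);
}

int main(void)
{
    static const char *names[] = { "ok", "bad header", "no XLF_5LEVEL", "above 64 TiB" };
    uint64_t high = 1ULL << 47;   /* 128 TiB: only reachable with 5-level paging */
    uint64_t low  = 0x1000000;    /* 16 MiB */

    printf("old 4-level kernel from 5-level host: %s\n",
           names[check_constructed(0x020c, XLF_KERNEL_64, 1, low)]);
    printf("switch-capable, not enabled, loaded high: %s\n",
           names[check_constructed(0x020c, XLF_KERNEL_64 | XLF_5LEVEL, 1, high)]);
    printf("switch-capable, not enabled, loaded low: %s\n",
           names[check_constructed(0x020c, XLF_KERNEL_64 | XLF_5LEVEL, 1, low)]);
    printf("5-level enabled, loaded high: %s\n",
           names[check_constructed(0x020c, XLF_KERNEL_64 | XLF_5LEVEL | XLF_5LEVEL_ENABLED, 1, high)]);
    return 0;
}
```

The protocol-version gate matters in practice: a kernel older than boot protocol 2.12 has no xloadflags field at all, so reading offset 0x236 would return whatever bytes happen to sit there; treating that as a bad header (rather than as "flags clear") avoids acting on garbage.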
