lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 2 Feb 2022 13:40:33 +0100
From:   Krzysztof Adamski <krzysztof.adamski@...ia.com>
To:     Mark Rutland <mark.rutland@....com>
Cc:     Catalin Marinas <catalin.marinas@....com>,
        Will Deacon <will@...nel.org>,
        Peter Collingbourne <pcc@...gle.com>,
        Guenter Roeck <linux@...ck-us.net>,
        Wolfram Sang <wsa+renesas@...g-engineering.com>,
        Alexander Sverdlin <alexander.sverdlin@...ia.com>,
        Matija Glavinic-Pecotic <matija.glavinic-pecotic.ext@...ia.com>,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] arm64: move efi_reboot to restart handler

Dnia Tue, Feb 01, 2022 at 01:58:29PM +0000, Mark Rutland napisaƂ(a):
>> If we use the restart handlers only to reset the system, this is indeed
>> true. But technically, restart handlers support the scenario where the
>> handler does some action that does not do reset of the whole system and
>> passes the control further down the chain, eventually reaching a handler
>> that will reset the whole system.
>> This can be done on non-uefi systems without problems but it doesn't
>> work on UEFI bases arm64 systems and this is a problem for us.
>>
>> In other words, I would like to be able to run a restart handler on EFI
>> based ARM64 systems, just like I can on other systems, just for its
>> "side effects", not to do the actual reboot. Current code disables this
>> possibility on an ARM64 EFI system.
>
>It sounds like two things are being conflated here:
>
>1) A *notification* that a restart will subsequently occur.
>2) A *request* to initiate a restart.
>
>IIUC (1) is supposed to be handled by the existing reboot notifier mechanism
>(see the reboot_notifier_list) which *is* invoked prior to the EFI reboot
>today.
>
>IMO, using restart handlers as notifiers is an abuse of the interface, and
>that's the fundamental problem.
>
>What am I missing?

You are completly right. It is possible that I would like to be able to
*abuse* the restart handlers as notifier. You are right that we have a
reboot_notifier but it is not good enough for my usecase - it is only
called, well, on reboot. It is not called in case of emergency_restart()
so in case of a panic, this won't happen. It also is called much earlier
than restart handlers which also makes a difference in some cases. So I
see no other choice than to abuse the restart_handler mechanism for that.

So, ideally, for that usecase, we would need a restart notifier that is
called immidietely before restart handlers, is basically done in the
same way as reset_handlers mechanism, but would simply be called
differently and would use separate chain. But does it make sense to have
that?

Apart from this simple usecase that I have focused so far, I also have
another one that I didn't mention before. As you know, even efi_reboot()
has several types of resets it can trigger (warm, cold), depending on
how "deep" the reset should be. In some cases, however, we have a need to
escalate the reset/reboot even deeper, into full board reset which is
performed by an external component - this cannot be done from EFI
firmware so we have to do this from Linux, before efi_reboot is called.
This has to be done also in case of a emergency_restart(). And obviosly
we do not call efi_reboot() in this case, as the whole board goes into
reset, including the CPU. This reset is, however, conditional -
it does not replace the efi_reboot() which is still used in most cases.
We use restart_handlers also for that, but this doesn't work on ARM64 with
EFI.

>> > Otherwise this patch is making this logic more complicated *and* making it
>> > possible to have problems which we avoid by construction today, without any
>> > actual benefit.
>>
>> The benefit for me is this added flexibility and unification between
>> architectures. On other systems, like ARM32 or non-EFI ARM64 I can
>> insert a custom reset handler to do some actions just before restart and
>> on EFI based ARM64, I can't.
>>
>> You could argue that restart handlers were not created for that but they
>> suit this purpose ideally and it wouldn't make much sense (in my
>> opinion) to add yet another notifier chain that would run before reset
>> notifiers, for code that is not supposed to reset the whole system and
>> this is exacly what I would have to do if efi_reboot() is forced to be
>> called before all handlers.
>
>As above, I think that's just using the wrong interface, and the reboot
>notifier mechanism *already* exists, so I'm really confused here.
>
>Have I misunderstood what you're trying to achieve?
>
>Is there some problem with the reboot notifier mechanism that I am unaware of?
>e.g. do we bypass them in some case where you think they're needed?
>
>Are you simply unaware of reboot notifiers?

As explained above, I am aware of them but they have their limitation.
They were designed for slightly different usecase. The are designed
around blocking_notfier and are supposed to be called only in still safe
environment during graceful reboot, quite early in the reboot process.
If you need to do something just before reset and/or in case of a panic,
you are out of luck.
Of course reset_handlers have their limitations too. For one, they are
called in the context of atomic_notifier and we can't assume the system
is in good condition when it is called but trying to flip a GPIO line or
do a write to MMIO register is a sane thing to do here.

Krzysztof

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ