| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Apr 2022 19:17:56 -0500
From: Michael Roth <michael.roth@....com>
To: "Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>
CC: Borislav Petkov <bp@...en8.de>, Andy Lutomirski <luto@...nel.org>,
"Sean Christopherson" <seanjc@...gle.com>,
Andrew Morton <akpm@...ux-foundation.org>,
Joerg Roedel <jroedel@...e.de>,
Ard Biesheuvel <ardb@...nel.org>,
Andi Kleen <ak@...ux.intel.com>,
"Kuppuswamy Sathyanarayanan"
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
David Rientjes <rientjes@...gle.com>,
Vlastimil Babka <vbabka@...e.cz>,
Tom Lendacky <thomas.lendacky@....com>,
Thomas Gleixner <tglx@...utronix.de>,
"Peter Zijlstra" <peterz@...radead.org>,
Paolo Bonzini <pbonzini@...hat.com>,
"Ingo Molnar" <mingo@...hat.com>,
Varad Gautam <varad.gautam@...e.com>,
"Dario Faggioli" <dfaggioli@...e.com>,
Dave Hansen <dave.hansen@...el.com>,
"Brijesh Singh" <brijesh.singh@....com>,
Mike Rapoport <rppt@...nel.org>,
"David Hildenbrand" <david@...hat.com>, <x86@...nel.org>,
<linux-mm@...ck.org>, <linux-coco@...ts.linux.dev>,
<linux-efi@...r.kernel.org>, <linux-kernel@...r.kernel.org>
Subject: Re: [PATCHv5 06/12] x86/boot/compressed: Handle unaccepted memory
On Mon, Apr 25, 2022 at 06:39:28AM +0300, Kirill A. Shutemov wrote:
> The firmware will pre-accept the memory used to run the stub. But, the
> stub is responsible for accepting the memory into which it decompresses
> the main kernel. Accept memory just before decompression starts.
>
> The stub is also responsible for choosing a physical address in which to
> place the decompressed kernel image. The KASLR mechanism will randomize
> this physical address. Since the unaccepted memory region is relatively
> small, KASLR would be quite ineffective if it only used the pre-accepted
> area (EFI_CONVENTIONAL_MEMORY). Ensure that KASLR randomizes among the
> entire physical address space by also including EFI_UNACCEPTED_MEMOR
>
> Signed-off-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
> ---
> arch/x86/boot/compressed/Makefile | 2 +-
> arch/x86/boot/compressed/kaslr.c | 14 ++++++++++++--
> arch/x86/boot/compressed/mem.c | 21 +++++++++++++++++++++
> arch/x86/boot/compressed/misc.c | 9 +++++++++
> arch/x86/include/asm/unaccepted_memory.h | 2 ++
> 5 files changed, 45 insertions(+), 3 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
> index 7f672f7e2fea..b59007e57cbf 100644
> --- a/arch/x86/boot/compressed/Makefile
> +++ b/arch/x86/boot/compressed/Makefile
> @@ -102,7 +102,7 @@ endif
>
> vmlinux-objs-$(CONFIG_ACPI) += $(obj)/acpi.o
> vmlinux-objs-$(CONFIG_INTEL_TDX_GUEST) += $(obj)/tdx.o $(obj)/tdcall.o
> -vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/bitmap.o $(obj)/mem.o
> +vmlinux-objs-$(CONFIG_UNACCEPTED_MEMORY) += $(obj)/bitmap.o $(obj)/find.o $(obj)/mem.o
Since it's possible to have CONFIG_UNACCEPTED_MEMORY=y while
CONFIG_INTEL_TDX_GUEST=n (e.g. for SNP-only guest kernels), this can
result in mem.o reporting linker errors due to tdx_accept_memory() not
being defined. I think it needs a stub for !CONFIG_INTEL_TDX_GUEST, or
something along that line.
>
> vmlinux-objs-$(CONFIG_EFI_MIXED) += $(obj)/efi_thunk_$(BITS).o
> efi-obj-$(CONFIG_EFI_STUB) = $(objtree)/drivers/firmware/efi/libstub/lib.a
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 411b268bc0a2..59db90626042 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -725,10 +725,20 @@ process_efi_entries(unsigned long minimum, unsigned long image_size)
> * but in practice there's firmware where using that memory leads
> * to crashes.
> *
> - * Only EFI_CONVENTIONAL_MEMORY is guaranteed to be free.
> + * Only EFI_CONVENTIONAL_MEMORY and EFI_UNACCEPTED_MEMORY (if
> + * supported) are guaranteed to be free.
> */
> - if (md->type != EFI_CONVENTIONAL_MEMORY)
> +
> + switch (md->type) {
> + case EFI_CONVENTIONAL_MEMORY:
> + break;
> + case EFI_UNACCEPTED_MEMORY:
Just FYI, but with latest tip boot/compressed now relies on a separate header
in arch/x86/boot/compressed/efi.h where this need to be defined again.
Powered by blists - more mailing lists