| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jul 2022 16:38:54 +0800
From: Albert Huang <huangjie.albert@...edance.com>
To: unlisted-recipients:; (no To-header on input)
Cc: "huangjie.albert" <huangjie.albert@...edance.com>,
Thomas Gleixner <tglx@...utronix.de>,
Ingo Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>,
Dave Hansen <dave.hansen@...ux.intel.com>, x86@...nel.org,
"H. Peter Anvin" <hpa@...or.com>,
Eric Biederman <ebiederm@...ssion.com>,
Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>,
Nick Desaulniers <ndesaulniers@...gle.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
Brijesh Singh <brijesh.singh@....com>,
Michael Roth <michael.roth@....com>,
Nathan Chancellor <nathan@...nel.org>,
Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@...ux.intel.com>,
Ard Biesheuvel <ardb@...nel.org>,
Peter Zijlstra <peterz@...radead.org>,
Sean Christopherson <seanjc@...gle.com>,
Joerg Roedel <jroedel@...e.de>,
Mark Rutland <mark.rutland@....com>,
Kees Cook <keescook@...omium.org>,
linux-kernel@...r.kernel.org, kexec@...ts.infradead.org,
linux-kbuild@...r.kernel.org
Subject: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
From: "huangjie.albert" <huangjie.albert@...edance.com>
the verify_sha256_digest may cost 300+ ms in my test environment:
bzImage: 53M initramfs:28M
We can add a macro to control whether to enable this check. If we
can confirm that the data in this will not change, we can turn off
the check and get a faster startup.
Signed-off-by: huangjie.albert <huangjie.albert@...edance.com>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/purgatory/purgatory.c | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..adbd3a2bd60f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2052,6 +2052,15 @@ config KEXEC_BZIMAGE_VERIFY_SIG
help
Enable bzImage signature verification support.
+config KEXEC_PURGATORY_SKIP_SIG
+ bool "skip kexec purgatory signature verification"
+ depends on ARCH_HAS_KEXEC_PURGATORY
+ help
+ this options makes the kexec purgatory do not signature verification
+ which would get hundreds of milliseconds saved during kexec boot. If we can
+ confirm that the data of each segment loaded by kexec will not change we may
+ enable this option
+
config CRASH_DUMP
bool "kernel crash dumps"
depends on X86_64 || (X86_32 && HIGHMEM)
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index 7558139920f8..b3f15774d86d 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -20,6 +20,12 @@ u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE] __section(".kexec-purgatory");
struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX] __section(".kexec-purgatory");
+#ifdef CONFIG_KEXEC_PURGATORY_SKIP_SIG
+static int verify_sha256_digest(void)
+{
+ return 0;
+}
+#else
static int verify_sha256_digest(void)
{
struct kexec_sha_region *ptr, *end;
@@ -39,6 +45,7 @@ static int verify_sha256_digest(void)
return 0;
}
+#endif
void purgatory(void)
{
--
2.31.1
Powered by blists - more mailing lists