| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 25 Jul 2022 20:56:19 +0800
From: 黄杰 <huangjie.albert@...edance.com>
To: linux-kernel <linux-kernel@...r.kernel.org>
Subject: Fwd: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
---------- Forwarded message ---------
发件人: Albert Huang <huangjie.albert@...edance.com>
Date: 2022年7月25日周一 16:40
Subject: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
To:
Cc: huangjie.albert <huangjie.albert@...edance.com>, Thomas Gleixner
<tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>, Borislav Petkov
<bp@...en8.de>, Dave Hansen <dave.hansen@...ux.intel.com>,
<x86@...nel.org>, H. Peter Anvin <hpa@...or.com>, Eric Biederman
<ebiederm@...ssion.com>, Masahiro Yamada <masahiroy@...nel.org>,
Michal Marek <michal.lkml@...kovi.net>, Nick Desaulniers
<ndesaulniers@...gle.com>, Kirill A. Shutemov
<kirill.shutemov@...ux.intel.com>, Brijesh Singh
<brijesh.singh@....com>, Michael Roth <michael.roth@....com>, Nathan
Chancellor <nathan@...nel.org>, Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@...ux.intel.com>, Ard Biesheuvel
<ardb@...nel.org>, Peter Zijlstra <peterz@...radead.org>, Sean
Christopherson <seanjc@...gle.com>, Joerg Roedel <jroedel@...e.de>,
Mark Rutland <mark.rutland@....com>, Kees Cook
<keescook@...omium.org>, <linux-kernel@...r.kernel.org>,
<kexec@...ts.infradead.org>, <linux-kbuild@...r.kernel.org>
From: "huangjie.albert" <huangjie.albert@...edance.com>
the verify_sha256_digest may cost 300+ ms in my test environment:
bzImage: 53M initramfs:28M
We can add a macro to control whether to enable this check. If we
can confirm that the data in this will not change, we can turn off
the check and get a faster startup.
Signed-off-by: huangjie.albert <huangjie.albert@...edance.com>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/purgatory/purgatory.c | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..adbd3a2bd60f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2052,6 +2052,15 @@ config KEXEC_BZIMAGE_VERIFY_SIG
help
Enable bzImage signature verification support.
+config KEXEC_PURGATORY_SKIP_SIG
+ bool "skip kexec purgatory signature verification"
+ depends on ARCH_HAS_KEXEC_PURGATORY
+ help
+ this options makes the kexec purgatory do not signature verification
+ which would get hundreds of milliseconds saved during kexec
boot. If we can
+ confirm that the data of each segment loaded by kexec will
not change we may
+ enable this option
+
config CRASH_DUMP
bool "kernel crash dumps"
depends on X86_64 || (X86_32 && HIGHMEM)
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index 7558139920f8..b3f15774d86d 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -20,6 +20,12 @@ u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE]
__section(".kexec-purgatory");
struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX]
__section(".kexec-purgatory");
+#ifdef CONFIG_KEXEC_PURGATORY_SKIP_SIG
+static int verify_sha256_digest(void)
+{
+ return 0;
+}
+#else
static int verify_sha256_digest(void)
{
struct kexec_sha_region *ptr, *end;
@@ -39,6 +45,7 @@ static int verify_sha256_digest(void)
return 0;
}
+#endif
void purgatory(void)
{
--
2.31.1
Powered by blists - more mailing lists