Message-Id: <20221124091246.4957-1-zelin.deng@linux.alibaba.com>
Date:   Thu, 24 Nov 2022 17:12:44 +0800
From:   Zelin Deng <zelin.deng@...ux.alibaba.com>
To:     x86@...nel.org, linux-kernel@...r.kernel.org
Cc:     Tom Lendacky <thomas.lendacky@....com>,
        Thomas Gleixner <tglx@...utronix.de>,
        Borislav Petkov <bp@...en8.de>,
        Zelin Deng <zelin.deng@...ux.alibaba.com>
Subject: [PATCH 0/2] Map initrd as encrypted when relocating if SME is enabled

I found an issue on an SME-enabled AMD machine when the initrd is
relocated if it was located in an e820 reserved area.
For example, key dmesg output:
...
[mem 0x000000005aafe000-0x000000006005ffff] reserved //e820 mapping
Move RAMDISK from [mem 0x5aafe000-0x5ccd5167] //relocate_initrd()
...

The early initrd will be copied by copy_from_early_mem(), which will clear
the encrypted pgprot flag as the initrd source address is not in the kernel
usable area. As the initrd has been encrypted at an earlier stage, encrypted
data is copied, which means the new initrd cannot be unpacked, and then the
rootfs cannot be mounted.
dmesg output:
...
[   11.296725] Trying to unpack rootfs image as initramfs...
[   11.302127] Initramfs unpacking failed: invalid magic at start of compressed archive
...
[   16.698152] /dev/root: Can't open blockdev
[   16.702255] VFS: Cannot open root device "PARTUUID=0ad58d87-05c7-43f8-b147-93140ad315e5" or unknown-block(0,0): error -6
[   16.713114] Please append a correct "root=" boot option; here are the available partitions:
[   16.721462] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
[   16.729716] CPU: 9 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc5-next-20221114 #3
[   16.737099] Hardware name: AMD Corporation DAYTONA_X/DAYTONA_X, BIOS RYM1008B 01/19/2022
[   16.745175] Call Trace:
[   16.747623]  <TASK>
[   16.749727]  dump_stack_lvl+0x38/0x4c
[   16.753393]  panic+0xfb/0x28a
[   16.771999]  ? _printk+0x4c/0x52
[   16.775224]  mount_block_root+0x143/0x1dd
[   16.779237]  prepare_namespace+0x13f/0x16e
[   16.783334]  kernel_init_freeable+0x15a/0x164
[   16.787687]  ? __pfx_kernel_init+0x10/0x10
[   16.791785]  kernel_init+0x1a/0x130
[   16.795268]  ret_from_fork+0x29/0x50
[   16.798840]  </TASK>

To fix this issue, early initrd must be mapped as encrypted when it is
being relocated.

Zelin Deng (2):
  mm/early_ioremap.c: Always build early_memremap_prot() in x86
  x86/setup: Preserve _ENC flag when initrd is being relocated

 arch/x86/Kconfig                    |  1 +
 arch/x86/kernel/setup.c             | 30 ++++++++++++++++++++++++++++-
 include/asm-generic/early_ioremap.h |  6 ------
 mm/early_ioremap.c                  | 21 --------------------
 4 files changed, 30 insertions(+), 28 deletions(-)

-- 
2.27.0
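
A triage check for the failure signature reported above, as an added example that is not part of the original message or the patch series: it scans dmesg text for an initrd relocation whose source overlaps an e820 reserved range, together with the initramfs unpack failure. The regexes follow the log excerpts quoted in the message; the function name, verdict strings and sample log are constructed for illustration.

```python
import re

# Patterns follow the dmesg excerpts quoted in the message above.
_MEM = r"\[mem (0x[0-9a-fA-F]+)-(0x[0-9a-fA-F]+)\]"
RESERVED_RE = re.compile(_MEM + r" reserved")
MOVE_RE = re.compile(r"Move RAMDISK from " + _MEM)
UNPACK_FAIL = "Initramfs unpacking failed"

# Constructed sample, assembled from lines in the report.
SAMPLE_DMESG = """\
[mem 0x000000005aafe000-0x000000006005ffff] reserved
Move RAMDISK from [mem 0x5aafe000-0x5ccd5167]
[   11.296725] Trying to unpack rootfs image as initramfs...
[   11.302127] Initramfs unpacking failed: invalid magic at start of compressed archive
"""

def _span(match):
    """Return the inclusive (start, end) physical range from a [mem a-b] match."""
    return int(match.group(1), 16), int(match.group(2), 16)

def triage_initrd_relocation(dmesg_text):
    """Hypothetical helper: classify a boot log against the reported signature."""
    reserved, moves, unpack_failed = [], [], False
    for line in dmesg_text.splitlines():
        move = MOVE_RE.search(line)
        if move:
            moves.append(_span(move))   # source range of the relocation
        elif (res := RESERVED_RE.search(line)):
            reserved.append(_span(res))
        elif UNPACK_FAIL in line:
            unpack_failed = True
    # Inclusive ranges overlap when each starts before the other ends.
    hits = [(m, r) for m in moves for r in reserved
            if m[0] <= r[1] and r[0] <= m[1]]
    if hits and unpack_failed:
        verdict = "matches-report"
    elif hits:
        verdict = "relocated-from-reserved"
    else:
        verdict = "no-match"
    return {"verdict": verdict, "overlaps": hits, "unpack_failed": unpack_failed}

if __name__ == "__main__":
    print(triage_initrd_relocation(SAMPLE_DMESG))
```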
