| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230116231711.cudsnxvnfg6aef3w@box.shutemov.name>
Date: Tue, 17 Jan 2023 02:17:11 +0300
From: "Kirill A. Shutemov" <kirill@...temov.name>
To: Dionna Amalie Glaze <dionnaglaze@...gle.com>
Cc: Ard Biesheuvel <ardb@...nel.org>,
Gerd Hoffmann <kraxel@...hat.com>,
"Kirill A. Shutemov" <kirill.shutemov@...ux.intel.com>,
linux-kernel@...r.kernel.org, linux-efi@...r.kernel.org,
x86@...nel.org, jiewen.yao@...el.com, devel@...2.groups.io,
"Min M. Xu" <min.m.xu@...el.org>,
James Bottomley <jejb@...ux.ibm.com>,
Tom Lendacky <Thomas.Lendacky@....com>,
Erdem Aktas <erdemaktas@...gle.com>,
Dave Hansen <dave.hansen@...ux.intel.com>
Subject: Re: [PATCH v2] x86/efi: Safely enable unaccepted memory in UEFI
On Mon, Jan 16, 2023 at 11:43:15AM -0800, Dionna Amalie Glaze wrote:
> > > I still don't understand why we need to support every imaginable
> > > combination of firmware, bootloader and OS. Unaccepted memory only
> > > exists on a special kind of virtual machine, which provides very
> > > little added value unless you opt into the security and attestation
> > > features, which are all heavily based on firmware protocols. So why
> > > should care about a EFI-aware bootloader calling ExitBootServices()
> > > and subsequently doing a legacy boot of Linux on such systems?
> >
> > Why break what works? Some users want it.
> >
>
> The users that want legacy boot features will not be broken,
Why do you call boot with a bootloader a legacy feature?
> they'll only get a safe view of the memory map. I don't think it's right
> to choose unsafe behavior for a legacy setup.
Present memory map with unaccepted memory to OS that doesn't about it is
perfectly safe. This portion of the memory will be ignored. It is "feature
not [yet] implemented" case.
> > This patch adds complexity, breaks what works and the only upside will
> > turn into a dead weight soon.
> >
> > There's alternative to add option to instruct firmware to accept all
> > memory from VMM side. It will serve legacy OS that doesn't know about
> > unaccepted memory and it is also can be use by latency-sensitive users
> > later on (analog of qemu -mem-prealloc).
> >
>
> This means that users of a distro that has not enabled unaccepted
> memory support cannot simply start a VM with the usual command, but
> instead have to know a baroque extra flag to get access to all the
> memory that they configured the machine (and for a CSP customer, paid
> for). That's not a good experience.
New features require enabling. It is not something new.
> With GCE at least, you can't (shouldn't) associate the boot feature
> flag with a disk image because disks are mutable. If a customer
> upgrades their kernel after initially starting their VM, they can't
> remove the flag due to the way image annotations work.
I guess a new VM has to be created, right? Doesn't sound like a big deal
to me.
The old will not break with upgraded kernel. Just not get benefit of the
feature.
> All of this headache goes away by adopting a small patch to the kernel
> that calls a 0-ary protocol interface and keeping safe acceptance
> behavior in the firmware. I think Gerd is right here that we should
> treat it as a transition feature that we can remove later.
Removing a feature is harder than adding one. How do you define that
"later" has come?
Anyway, I think we walk in a circle. I consider it a misfeature. If you
want still go this path, please add my
Nacked-by: Kirill A. Shutemov <kirill.shutemov@...ux.intel.com>
--
Kiryl Shutsemau / Kirill A. Shutemov
Powered by blists - more mailing lists