Date:   Mon, 11 Sep 2023 07:25:33 +0200
From:   Jan Hendrik Farr <kernel@...rr.cc>
To:     linux-kernel@...r.kernel.org
Cc:     kexec@...ts.infradead.org, x86@...nel.org, tglx@...utronix.de,
        dhowells@...hat.com, vgoyal@...hat.com, keyrings@...r.kernel.org,
        akpm@...ux-foundation.org, bhe@...hat.com, bhelgaas@...gle.com,
        bluca@...ian.org, lennart@...ttering.net,
        Jan Hendrik Farr <kernel@...rr.cc>
Subject: [PATCH v2 0/2] x86/kexec: UKI Support

Hello,

this patch (v2) implements UKI support for kexec_file_load. It will require
support in the kexec-tools userspace utility. For testing purposes the
following can be used: https://github.com/Cydox/kexec-test/

Creating UKIs for testing can be done with ukify (included in systemd),
sbctl, and mkinitcpio, etc.

There has been discussion on this topic in an issue on GitHub that is linked
below for reference.

Changes for v2:
- .cmdline section is now optional
- moving pefile_parse_binary is now in a separate commit for clarity
- parse_pefile.c is now in /lib instead of arch/x86/kernel (not sure if
  this is the best location, but it definitely shouldn't have been in an
  architecture specific location)
- parse_pefile.h is now in include/kernel instead of architecture
  specific location
- if initrd or cmdline is manually supplied EPERM is returned instead of
  being silently ignored
- formatting tweaks


Some links:
- Related discussion: https://github.com/systemd/systemd/issues/28538
- Documentation of UKIs: https://uapi-group.org/specifications/specs/unified_kernel_image/

Jan Hendrik Farr (2):
  move pefile_parse_binary to its own file
  x86/kexec: UKI support

 arch/x86/include/asm/kexec-uki.h       |   7 ++
 arch/x86/kernel/Makefile               |   1 +
 arch/x86/kernel/kexec-uki.c            | 126 +++++++++++++++++++++++++
 arch/x86/kernel/machine_kexec_64.c     |   2 +
 crypto/asymmetric_keys/mscode_parser.c |   2 +-
 crypto/asymmetric_keys/verify_pefile.c | 110 +++------------------
 crypto/asymmetric_keys/verify_pefile.h |  16 ----
 include/linux/parse_pefile.h           |  32 +++++++
 lib/Makefile                           |   3 +
 lib/parse_pefile.c                     | 109 +++++++++++++++++++++
 10 files changed, 292 insertions(+), 116 deletions(-)
 create mode 100644 arch/x86/include/asm/kexec-uki.h
 create mode 100644 arch/x86/kernel/kexec-uki.c
 create mode 100644 include/linux/parse_pefile.h
 create mode 100644 lib/parse_pefile.c

-- 
2.40.1
