lists.openwall.net
Open Source and information security mailing list archives
 
Message-ID: <BL1PR11MB5978633DF36A69F8020818E1F77C2@BL1PR11MB5978.namprd11.prod.outlook.com>
Date: Wed, 31 Jan 2024 13:07:29 +0000
From: "Huang, Kai" <kai.huang@...el.com>
To: Nikolay Borisov <nik.borisov@...e.com>, Baoquan He <bhe@...hat.com>
CC: Paolo Bonzini <pbonzini@...hat.com>, "Kirill A. Shutemov"
	<kirill.shutemov@...ux.intel.com>, Thomas Gleixner <tglx@...utronix.de>, Ingo
 Molnar <mingo@...hat.com>, Borislav Petkov <bp@...en8.de>, Dave Hansen
	<dave.hansen@...ux.intel.com>, "x86@...nel.org" <x86@...nel.org>, "Rafael J.
 Wysocki" <rafael@...nel.org>, Peter Zijlstra <peterz@...radead.org>, "Hunter,
 Adrian" <adrian.hunter@...el.com>, Kuppuswamy Sathyanarayanan
	<sathyanarayanan.kuppuswamy@...ux.intel.com>, "Reshetova, Elena"
	<elena.reshetova@...el.com>, "Nakajima, Jun" <jun.nakajima@...el.com>,
	"Edgecombe, Rick P" <rick.p.edgecombe@...el.com>, Tom Lendacky
	<thomas.lendacky@....com>, "Kalra, Ashish" <ashish.kalra@....com>, "Sean
 Christopherson" <seanjc@...gle.com>, "kexec@...ts.infradead.org"
	<kexec@...ts.infradead.org>, "linux-coco@...ts.linux.dev"
	<linux-coco@...ts.linux.dev>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>
Subject: RE: [PATCHv6 00/16] x86/tdx: Add kexec support

> > Runtime disabling kexec looks better than at compile time, esp for
> > distros. While from above patch, making use of kexec_load_disabled
> > to achieve the runtime disabling may not be so good. Because we have a
> > front door to enable it through:
> >
> > /proc/sys/kernel/kexec_load_disabled
> 
> AFAIU it can't be enabled via this sysctl because the handler for it expects
> only 1 to be written to it:
> 
>                 .proc_handler   = proc_dointvec_minmax,
>                 .extra1         = SYSCTL_ONE,
>                 .extra2         = SYSCTL_ONE,
> 

This is also my understanding.  

The documentation also says that once it is set to disabled, we cannot turn it back again:

kexec_load_disabled
===================

A toggle indicating if the syscalls ``kexec_load`` and
``kexec_file_load`` have been disabled.
This value defaults to 0 (false: ``kexec_*load`` enabled), but can be
set to 1 (true: ``kexec_*load`` disabled).
Once true, kexec can no longer be used, and the toggle cannot be set
back to false.
......
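The one-way behaviour discussed above, as an added example that is not part of this thread or of the kernel source: a C model of the sysctl entry with extra1 == extra2 == 1 (the range check that proc_dointvec_minmax applies) together with a model of the permission gate in front of the kexec_load / kexec_file_load syscalls. The struct name, sysctl_write(), sysctl_read() and kexec_load_check() are assumptions made for the illustration; the real kernel applies further checks that this model leaves out.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Model of one integer sysctl entry. The field names follow struct
 * ctl_table (data, extra1, extra2), but this struct and everything
 * below is an illustration written for this page, not kernel code.
 */
struct sysctl_int {
    const char *procname;
    int *data;
    int extra1;  /* minimum accepted value */
    int extra2;  /* maximum accepted value */
};

/* Backing variable, defaults to 0 (kexec_*load enabled). */
static int kexec_load_disabled = 0;

/* Mirrors the table entry quoted in the thread: extra1 == extra2 == 1. */
struct sysctl_int kexec_load_disabled_entry = {
    .procname = "kexec_load_disabled",
    .data     = &kexec_load_disabled,
    .extra1   = 1,
    .extra2   = 1,
};

/*
 * Model of a write to /proc/sys/kernel/<procname> with the
 * proc_dointvec_minmax semantics: the buffer must parse as an integer
 * (trailing whitespace allowed, as with `echo 1 > ...`), and a value
 * outside [extra1, extra2] is rejected with -EINVAL without touching
 * the stored value. The current value plays no part in the check.
 */
int sysctl_write(struct sysctl_int *e, const char *buf)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(buf, &end, 10);
    if (end == buf || errno != 0)
        return -EINVAL;
    while (*end == ' ' || *end == '\t' || *end == '\n')
        end++;
    if (*end != '\0')
        return -EINVAL;
    if (v < e->extra1 || v > e->extra2)
        return -EINVAL;
    *e->data = (int)v;
    return 0;
}

int sysctl_read(const struct sysctl_int *e)
{
    return *e->data;
}

/*
 * Model of the gate in front of the kexec syscalls: the caller needs
 * CAP_SYS_BOOT and the toggle must still be 0. Returns 0 when a load
 * would be permitted, -EPERM otherwise (assumed simplification).
 */
int kexec_load_check(int caller_has_cap_sys_boot)
{
    if (!caller_has_cap_sys_boot || kexec_load_disabled)
        return -EPERM;
    return 0;
}

int main(void)
{
    struct sysctl_int *e = &kexec_load_disabled_entry;
    /* Constructed sequence of writes: 0 before disabling, 1, then 0 and 2. */
    const char *writes[] = { "0\n", "1\n", "0\n", "2\n" };
    size_t i;

    for (i = 0; i < sizeof(writes) / sizeof(writes[0]); i++) {
        int rc = sysctl_write(e, writes[i]);
        printf("write %.1s -> %s, %s = %d, kexec_load %s\n",
               writes[i], rc ? "EINVAL" : "ok",
               e->procname, sysctl_read(e),
               kexec_load_check(1) ? "blocked" : "allowed");
    }
    return 0;
}
```

Two things the model makes visible: writing 0 is rejected even while the value is still 0, because the range check is [1, 1] regardless of the current state, so the knob is only ever writable in one direction; and once it is 1, the kexec syscalls stay blocked for CAP_SYS_BOOT callers until the next boot, which is the "cannot be set back to false" statement from the documentation.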
