lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 20 May 2024 13:36:32 -0500
From: Steve Wahl <steve.wahl@....com>
To: Steve Wahl <steve.wahl@....com>, Dave Hansen <dave.hansen@...ux.intel.com>,
        Andy Lutomirski <luto@...nel.org>,
        Peter Zijlstra <peterz@...radead.org>,
        Thomas Gleixner <tglx@...utronix.de>, Ingo Molnar <mingo@...hat.com>,
        Borislav Petkov <bp@...en8.de>, x86@...nel.org,
        "H. Peter Anvin" <hpa@...or.com>, linux-kernel@...r.kernel.org,
        Pavin Joseph <me@...injoseph.com>, Eric Hagberg <ehagberg@...il.com>
Cc: Simon Horman <horms@...ge.net.au>, Eric Biederman <ebiederm@...ssion.com>,
        Dave Young <dyoung@...hat.com>, Sarah Brofeldt <srhb@....dk>,
        Russ Anderson <rja@....com>, Dimitri Sivanich <sivanich@....com>,
        Hou Wenlong <houwenlong.hwl@...group.com>,
        Andrew Morton <akpm@...ux-foundation.org>, Baoquan He <bhe@...hat.com>,
        Yuntao Wang <ytcoode@...il.com>, Bjorn Helgaas <bhelgaas@...gle.com>,
        Joerg Roedel <jroedel@...e.de>, Michael Roth <michael.roth@....com>
Subject: [PATCH 2/3] x86/kexec: Add EFI Confidential Computing blob to kexec identity mapping.

Like the EFI config table itself, the Confidential Computing blob entry
in that table, if it exists, is referenced by the kexec kernel before
it establishes its own identity map.

This could potentially cause a kexec failure if the CC blob is not
located close to other identity map areas.  Such a failure is more
likely with the nogbpages command line option.

So, explicitly add the CC blob to the kexec identity map.

Signed-off-by: Steve Wahl <steve.wahl@....com>
Tested-by: Pavin Joseph <me@...injoseph.com>
Tested-by: Sarah Brofeldt <srhb@....dk>
Tested-by: Eric Hagberg <ehagberg@...il.com>
---
 arch/x86/kernel/machine_kexec_64.c | 47 +++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
index d89942307659..bb68d86ecafe 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -29,6 +29,7 @@
 #include <asm/set_memory.h>
 #include <asm/cpu.h>
 #include <asm/efi.h>
+#include <asm/sev.h>
 
 #ifdef CONFIG_ACPI
 /*
@@ -90,6 +91,7 @@ map_efi_tables(struct x86_mapping_info *info, pgd_t *level4p)
 	unsigned long mstart, mend;
 	void *kaddr;
 	int ret;
+	unsigned int cfg_tbl_len;
 
 	if (!efi_enabled(EFI_BOOT))
 		return 0;
@@ -120,16 +122,59 @@ map_efi_tables(struct x86_mapping_info *info, pgd_t *level4p)
 	if (efi_enabled(EFI_64BIT)) {
 		efi_system_table_64_t *stbl = (efi_system_table_64_t *)kaddr;
 
+		cfg_tbl_len = stbl->nr_tables;
 		mend = mstart + sizeof(efi_config_table_64_t) * stbl->nr_tables;
 	} else {
 		efi_system_table_32_t *stbl = (efi_system_table_32_t *)kaddr;
 
+		cfg_tbl_len = stbl->nr_tables;
 		mend = mstart + sizeof(efi_config_table_32_t) * stbl->nr_tables;
 	}
 
 	memunmap(kaddr);
 
-	return kernel_ident_mapping_init(info, level4p, mstart, mend);
+	ret = kernel_ident_mapping_init(info, level4p, mstart, mend);
+	if (ret)
+		return ret;
+
+	/*
+	 * CC blob is referenced in kernel startup before the new
+	 * kernel creates it's own identity map, so make sure it's
+	 * included in the kexec identity map.
+	 */
+	kaddr = memremap(mstart, mend - mstart, MEMREMAP_WB);
+	if (!kaddr) {
+		pr_err("Could not map UEFI config table\n");
+		return -ENOMEM;
+	}
+
+	mstart = 0;
+	if (efi_enabled(EFI_64BIT)) {
+		efi_config_table_64_t *ctbl = (void *) kaddr;
+		int i;
+
+		for (i = 0; i < cfg_tbl_len; i++) {
+			if (!efi_guidcmp(EFI_CC_BLOB_GUID, ctbl[i].guid)) {
+				mstart = ctbl[i].table;
+				mend = mstart + sizeof(struct cc_blob_sev_info);
+				break;
+			}
+		}
+	} else {
+		efi_config_table_32_t *ctbl = (void *) kaddr;
+		int i;
+
+		for (i = 0; i < cfg_tbl_len; i++) {
+			if (!efi_guidcmp(EFI_CC_BLOB_GUID, ctbl[i].guid)) {
+				mstart = ctbl[i].table;
+				mend = mstart + sizeof(struct cc_blob_sev_info);
+				break;
+			}
+		}
+	}
+	memunmap(kaddr);
+	if (mstart)
+		return kernel_ident_mapping_init(info, level4p, mstart, mend);
 #endif
 	return 0;
 }
-- 
2.26.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ