| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 7 Jun 2024 11:51:07 -0700 From: Deepak Gupta <debug@...osinc.com> To: Conor Dooley <conor@...nel.org> Cc: Alexandre Ghiti <alex@...ti.fr>, Jesse Taube <jesse@...osinc.com>, linux-riscv@...ts.infradead.org, linux-kernel@...r.kernel.org, llvm@...ts.linux.dev, Alexandre Ghiti <alexghiti@...osinc.com>, Palmer Dabbelt <palmer@...belt.com>, Albert Ou <aou@...s.berkeley.edu>, Björn Töpel <bjorn@...osinc.com>, Paul Walmsley <paul.walmsley@...ive.com>, Nathan Chancellor <nathan@...nel.org>, Nick Desaulniers <ndesaulniers@...gle.com>, Masahiro Yamada <masahiroy@...nel.org>, Clément Léger <cleger@...osinc.com>, Atish Patra <atishp@...osinc.com> Subject: Re: [PATCH v0] RISC-V: Use Zkr to seed KASLR base address On Mon, Jun 03, 2024 at 01:47:40PM +0100, Conor Dooley wrote: >On Mon, Jun 03, 2024 at 11:14:49AM +0200, Alexandre Ghiti wrote: >> Hi Conor, >> >> On 31/05/2024 19:31, Conor Dooley wrote: >> > On Fri, May 31, 2024 at 12:23:27PM -0400, Jesse Taube wrote: >> > > Dectect the Zkr extension and use it to seed the kernel base address. >> > > >> > > Detection of the extension can not be done in the typical fashion, as >> > > this is very early in the boot process. Instead, add a trap handler >> > > and run it to see if the extension is present. >> > You can't rely on the lack of a trap meaning that Zkr is present unless >> > you know that the platform implements Ssstrict. The CSR with that number >> > could do anything if not Ssstrict compliant, so this approach gets a >> > nak from me. Unfortunately, Ssstrict doesn't provide a way to detect >> > it, so you're stuck with getting that information from firmware. >> >> >> FYI, this patch is my idea, so I'm the one to blame here :) >> >> >> > >> > For DT systems, you can actually parse the DT in the pi, we do it to get >> > the kaslr seed if present, so you can actually check for Zkr. With ACPI >> > I have no idea how you can get that information, I amn't an ACPI-ist. >> >> >> I took a look at how to access ACPI tables this early when implementing the >> Zabha/Zacas patches, but it seems not possible. >> >> But I'll look into this more, this is not the first time we need the >> extensions list very early and since we have no way to detect the presence >> of an extension at runtime, something needs to be done. > >Aye, having remembered that reading CSR_SEED could have side-effects on a >system with non-conforming extensions, it'd be good to see if we can >actually do this via detection on ACPI - especially for some other >extensions that we may need to turn on very early (I forget which ones we >talked about this before for). I didn't arm64 do anything with ACPI in the >pi code, is the code arch/x86/boot/compressed run at an equivilent-ish point >in boot? cc: +Clement and Atish I don't know all the details but on first glance it seems like instead of ACPI, may be FWFT is a better place for discovery ? https://lists.riscv.org/g/tech-prs/topic/patch_v12_add_firmware/106479571 Supervisor could query if Sstrict is implemented and then it can check for lack of trap on CSR_SEED or straight-away check for presence of Zkr.
Powered by blists - more mailing lists