[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <f088987e-32d5-4a86-808e-6cfc372c3c80@roeck-us.net>
Date: Tue, 13 Aug 2024 09:26:02 -0700
From: Guenter Roeck <linux@...ck-us.net>
To: KP Singh <kpsingh@...nel.org>
Cc: Paul Moore <paul@...l-moore.com>, Nathan Chancellor <nathan@...nel.org>,
linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org,
bp@...en8.de, sfr@...b.auug.org.au, peterz@...radead.org,
ink@...assic.park.msu.ru, richard.henderson@...aro.org
Subject: Re: [PATCH] init/main.c: Initialize early LSMs after arch code
On 8/13/24 08:56, KP Singh wrote:
> On Tue, Aug 13, 2024 at 6:08 AM Guenter Roeck <linux@...ck-us.net> wrote:
[ ... ]
>> A somewhat primitive alternate fix is:
>>
>> diff --git a/security/security.c b/security/security.c
>> index aa059d0cfc29..dea9736b2014 100644
>> --- a/security/security.c
>> +++ b/security/security.c
>> @@ -156,7 +156,7 @@ static __initdata struct lsm_info *exclusive;
>> * and a trampoline (STATIC_CALL_TRAMP) which are used to call
>> * __static_call_update when updating the static call.
>> */
>> -struct lsm_static_calls_table static_calls_table __ro_after_init = {
>> +struct lsm_static_calls_table static_calls_table __ro_after_init __attribute__((aligned(8))) = {
>> #define INIT_LSM_STATIC_CALL(NUM, NAME) \
>
> I think it's worth making it aligned at 8 byte, a much simpler fix
> than the arch change. Paul, I will rebase my series with these
> patches, better descriptions and post them later today.
>
I think that would make sense, since it might well be that other architectures
have similar problems but it isn't seen because static_calls_table just happens
to be aligned properly there. Also, even if unaligned accesses that early were
supported, it is probably undesirable to have those in the running code if it
can be avoided due to the overhead involved.
With the above change:
Build results:
total: 158 pass: 158 fail: 0
Qemu test results:
total: 539 pass: 539 fail: 0
Unit test results:
pass: 370886 fail: 3
There are a couple of caveats, unrelated to your patch series:
- I can not enable (and thus not test) security configurations
on sh4 and sh4eb; doing so results in immediate qemu crashes.
- I can not enable / test security configurations on riscv32
since it results in kernel images getting too large to fit
into the available memory. I'll try to work around it,
but for now I can only test with riscv64.
Guenter
Powered by blists - more mailing lists