lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALu+AoQRdxJUpNK_eCjKJ=ydRZ4av2S3xBaz3CYJZp12xqm=jQ@mail.gmail.com>
Date: Thu, 22 Aug 2024 14:16:52 +0800
From: Dave Young <dyoung@...hat.com>
To: Pingfan Liu <piliu@...hat.com>
Cc: Lennart Poettering <mzxreary@...inter.de>, Ard Biesheuvel <ardb@...nel.org>, 
	Jan Hendrik Farr <kernel@...rr.cc>, Philipp Rudo <prudo@...hat.com>, Jarkko Sakkinen <jarkko@...nel.org>, 
	Eric Biederman <ebiederm@...ssion.com>, Baoquan He <bhe@...hat.com>, 
	Mark Rutland <mark.rutland@....com>, Will Deacon <will@...nel.org>, 
	Catalin Marinas <catalin.marinas@....com>, kexec@...ts.infradead.org, 
	linux-efi@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFCv2 0/9] UEFI emulator for kexec

On Thu, 22 Aug 2024 at 13:42, Pingfan Liu <piliu@...hat.com> wrote:
>
> On Wed, Aug 21, 2024 at 10:27 PM Lennart Poettering
> <mzxreary@...inter.de> wrote:
> >
> > On Mo, 19.08.24 22:53, Pingfan Liu (piliu@...hat.com) wrote:
> >
> > > *** Background ***
> > >
> > > As more PE format kernel images are introduced, it post challenge to kexec to
> > > cope with the new format.
> > >
> > > In my attempt to add support for arm64 zboot image in the kernel [1],
> > > Ard suggested using an emulator to tackle this issue.  Last year, when
> > > Jan tried to introduce UKI support in the kernel [2], Ard mentioned the
> > > emulator approach again [3]
> >
> > Hmm, systemd's systemd-stub code tries to load certain "side-car"
> > files placed next to the UKI, via the UEFI file system APIs. What's
> > your intention with the UEFI emulator regarding that? The sidecars are
> > somewhat important, because that's how we parameterize otherwise
> > strictly sealed, immutable UKIs.
> >
> IIUC, you are referring to UKI addons.
>
> > Hence, what's the story there? implement some form of fs driver (for
> > what fs precisely?) in the emulator too?
> >
> As for addon, that is a missing part in this series. I have overlooked
> this issue. Originally, I thought that there was no need to implement
> a disk driver and vfat file system, just preload them into memory, and
> finally present them through the uefi API. I will take a closer look
> at it and chew on it.
>

Hi Pingfan,

If more and more stuff needs coming in,  not only the limited boot
services then it will be way too complicated and hard to maintain and
debug,  also the two kexec code paths are duplicated somehow. It is
really bad..

I forgot why we can not just extract the kernel from UKI and then load
it directly,  if the embedded kernel is also signed it should be good?

Thanks
Dave

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ