lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMj1kXFswd1Au-tyHuYtCVon_02OJixGLf8X-=k9y7jajoEHUw@mail.gmail.com>
Date: Thu, 24 Apr 2025 20:16:39 +0200
From: Ard Biesheuvel <ardb@...nel.org>
To: Ingo Molnar <mingo@...nel.org>
Cc: Ard Biesheuvel <ardb+git@...gle.com>, linux-kernel@...r.kernel.org, x86@...nel.org
Subject: Re: [RFC PATCH PoC 00/11] x86: strict separation of startup code

On Thu, 24 Apr 2025 at 20:09, Ingo Molnar <mingo@...nel.org> wrote:
>
>
> * Ard Biesheuvel <ardb+git@...gle.com> wrote:
>
> > From: Ard Biesheuvel <ardb@...nel.org>
> >
> > This is a proof-of-concept series that implements a strict separation
> > between startup code and ordinary code, where startup code is built in a
> > way that tolerates being invoked from the initial 1:1 mapping of memory.
> >
> > The current approach of emitting this code into .head.text and checking
> > for absolute relocations in that section is not 100% safe, and produces
> > diagnostics that are sometimes difficult to interpret.
> >
> > Instead, rely on symbol prefixes, similar to how this is implemented for
> > the EFI stub and for the startup code in the arm64 port. This ensures
> > that startup code can only call other startup code, unless a special
> > symbol alias is emitted that exposes a non-startup routine to the
> > startup code.
>
> So when startup code accidentally references non-startup symbols
> outside the __pi namespace, we get a build/link error, right?
>

Yes.

> > This is somewhat intrusive, as there are many data objects that are
> > referenced both by startup code and by ordinary code, and an alias
> > needs to be emitted for each of those.
>
> Yeah, but this should make it ultimately safe(r): every object is
> either local to the startup code, or has been 'exported' intentionally
> to the startup code.
>

Indeed.

> > This ultimately allows the .head.text section to be dropped entirely,
> > as it no longer has a special significance. Instead, code that only
> > executes at boot is emitted into .init.text as it should.
> >
> > This series is presented for discussion only - defconfig should build
> > and run correctly, but allmodconfig will likely need the last patch
> > omitted.
>
> No fundamental objections from me.
>

Good to know - thanks.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ