| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260119032424.10781-13-piliu@redhat.com>
Date: Mon, 19 Jan 2026 11:24:23 +0800
From: Pingfan Liu <piliu@...hat.com>
To: kexec@...ts.infradead.org
Cc: Pingfan Liu <piliu@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
John Fastabend <john.fastabend@...il.com>,
Andrii Nakryiko <andrii@...nel.org>,
Martin KaFai Lau <martin.lau@...ux.dev>,
Eduard Zingerman <eddyz87@...il.com>,
Song Liu <song@...nel.org>,
Yonghong Song <yonghong.song@...ux.dev>,
Jeremy Linton <jeremy.linton@....com>,
Catalin Marinas <catalin.marinas@....com>,
Will Deacon <will@...nel.org>,
Ard Biesheuvel <ardb@...nel.org>,
Simon Horman <horms@...nel.org>,
Gerd Hoffmann <kraxel@...hat.com>,
Vitaly Kuznetsov <vkuznets@...hat.com>,
Philipp Rudo <prudo@...hat.com>,
Viktor Malik <vmalik@...hat.com>,
Jan Hendrik Farr <kernel@...rr.cc>,
Baoquan He <bhe@...hat.com>,
Dave Young <dyoung@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
bpf@...r.kernel.org,
systemd-devel@...ts.freedesktop.org,
linux-kernel@...r.kernel.org
Subject: [PATCHv6 12/13] tools/kexec: Introduce a bpf-prog to parse zboot image format
This BPF program aligns with the convention defined in the kernel file
kexec_pe_parser_bpf.lskel.h. This can be easily achieved by include
"template.c", which includes:
four maps:
struct bpf_map_desc ringbuf_1;
struct bpf_map_desc ringbuf_2;
struct bpf_map_desc ringbuf_3;
struct bpf_map_desc ringbuf_4;
four sections:
struct bpf_map_desc rodata;
struct bpf_map_desc data;
struct bpf_map_desc bss;
struct bpf_map_desc rodata_str1_1;
The only left thing is to implement a prog
SEC("fentry.s/kexec_image_parser_anchor")
int BPF_PROG(parse_pe, struct kexec_context *context, unsigned long parser_id)
This BPF program only uses ringbuf_1, so it minimizes the size of the
other three ringbufs to one byte. The size of ringbuf_1 is derived from
the size of the uncompressed file 'vmlinux.bin', which is usually less
than 64MB. With the help of the BPF kfunc bpf_buffer_parser(), the BPF
program passes instructions to the kexec BPF component to perform the
appropriate actions.
Signed-off-by: Pingfan Liu <piliu@...hat.com>
Cc: Alexei Starovoitov <ast@...nel.org>
Cc: Baoquan He <bhe@...hat.com>
Cc: Dave Young <dyoung@...hat.com>
Cc: Andrew Morton <akpm@...ux-foundation.org>
Cc: Philipp Rudo <prudo@...hat.com>
Cc: bpf@...r.kernel.org
To: kexec@...ts.infradead.org
---
tools/kexec/Makefile | 83 ++++++++++++++++++++++++
tools/kexec/template.c | 68 ++++++++++++++++++++
tools/kexec/zboot_parser_bpf.c | 114 +++++++++++++++++++++++++++++++++
3 files changed, 265 insertions(+)
create mode 100644 tools/kexec/Makefile
create mode 100644 tools/kexec/template.c
create mode 100644 tools/kexec/zboot_parser_bpf.c
diff --git a/tools/kexec/Makefile b/tools/kexec/Makefile
new file mode 100644
index 0000000000000..88db6d11bde61
--- /dev/null
+++ b/tools/kexec/Makefile
@@ -0,0 +1,83 @@
+# SPDX-License-Identifier: GPL-2.0
+
+# Ensure Kbuild variables are available
+include ../scripts/Makefile.include
+
+srctree := $(patsubst %/tools/kexec,%,$(CURDIR))
+VMLINUX = $(srctree)/vmlinux
+TOOLSDIR := $(srctree)/tools
+LIBDIR := $(TOOLSDIR)/lib
+BPFDIR := $(LIBDIR)/bpf
+ARCH ?= $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ -e s/aarch64.*/arm64/ -e s/riscv64/riscv/ -e s/loongarch.*/loongarch/)
+# At present, zboot image format is used by arm64, riscv, loongarch
+# And arch/$(ARCH)/boot/vmlinux.bin is the uncompressed file instead of arch/$(ARCH)/boot/Image
+ifeq ($(ARCH),$(filter $(ARCH),arm64 riscv loongarch))
+ EFI_IMAGE := $(srctree)/arch/$(ARCH)/boot/vmlinuz.efi
+ KERNEL_IMAGE := $(srctree)/arch/$(ARCH)/boot/vmlinux.bin
+else
+ @echo "Unsupported architecture: $(ARCH)"
+ @exit 1
+endif
+
+
+CC = clang
+CFLAGS = -O2
+BPF_PROG_CFLAGS = -g -O2 -target bpf -Wall -I $(BPFDIR) -I .
+BPFTOOL = bpftool
+
+# List of generated target files
+HEADERS = vmlinux.h bpf_helper_defs.h image_size.h
+ZBOOT_TARGETS = zboot_parser_bpf.o zboot_parser_bpf.lskel.h bytecode.c bytecode.o
+
+
+# Targets
+zboot: $(HEADERS) $(ZBOOT_TARGETS)
+
+# Rule to generate vmlinux.h from vmlinux
+vmlinux.h: $(VMLINUX)
+ @command -v $(BPFTOOL) >/dev/null 2>&1 || { echo >&2 "$(BPFTOOL) is required but not found. Please install it."; exit 1; }
+ @$(BPFTOOL) btf dump file $(VMLINUX) format c > vmlinux.h
+
+bpf_helper_defs.h: $(srctree)/tools/include/uapi/linux/bpf.h
+ @$(QUIET_GEN)$(srctree)/scripts/bpf_doc.py --header \
+ --file $(srctree)/tools/include/uapi/linux/bpf.h > bpf_helper_defs.h
+
+image_size.h: $(KERNEL_IMAGE)
+ @{ \
+ if [ ! -f "$(KERNEL_IMAGE)" ]; then \
+ echo "Error: File '$(KERNEL_IMAGE)' does not exist"; \
+ exit 1; \
+ fi; \
+ FILE_SIZE=$$(stat -c '%s' "$(KERNEL_IMAGE)" 2>/dev/null); \
+ POWER=4096; \
+ while [ $$POWER -le $$FILE_SIZE ]; do \
+ POWER=$$((POWER * 2)); \
+ done; \
+ RINGBUF_SIZE=$$POWER; \
+ echo "#define IMAGE_SIZE_POWER2_ALIGN $$RINGBUF_SIZE" > $@; \
+ echo "#define IMAGE_SIZE $$FILE_SIZE" >> $@; \
+ }
+
+
+# Rule to generate zboot_parser_bpf.o, depends on vmlinux.h
+zboot_parser_bpf.o: zboot_parser_bpf.c vmlinux.h bpf_helper_defs.h
+ @$(CC) $(BPF_PROG_CFLAGS) -c zboot_parser_bpf.c -o zboot_parser_bpf.o
+
+# Generate zboot_parser_bpf.lskel.h using bpftool
+zboot_parser_bpf.lskel.h: zboot_parser_bpf.o
+ @$(BPFTOOL) gen skeleton -L zboot_parser_bpf.o > zboot_parser_bpf.lskel.h
+
+# Then, extract the opts_data[] and opts_insn[] arrays and remove 'static'
+# keywords to avoid being optimized away.
+bytecode.c: zboot_parser_bpf.lskel.h
+ @sed -n '/static const char opts_data\[\]/,/;/p' zboot_parser_bpf.lskel.h | sed 's/static const/const/' > $@
+ @sed -n '/static const char opts_insn\[\]/,/;/p' zboot_parser_bpf.lskel.h | sed 's/static const/const/' >> $@
+
+bytecode.o: bytecode.c
+ @$(CC) -c $< -o $@
+
+# Clean up generated files
+clean:
+ @rm -f $(HEADERS) $(ZBOOT_TARGETS)
+
+.PHONY: all clean
diff --git a/tools/kexec/template.c b/tools/kexec/template.c
new file mode 100644
index 0000000000000..9f17a4952ecd4
--- /dev/null
+++ b/tools/kexec/template.c
@@ -0,0 +1,68 @@
+// SPDX-License-Identifier: GPL-2.0
+//
+// Copyright (C) 2026 Red Hat, Inc
+//
+// Original file: kernel/kexec_bpf/template.c
+//
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+#include <bpf/bpf_endian.h>
+#include <bpf/bpf_tracing.h>
+
+/* Command to kernel kexec bpf loader, which is defined on the stream */
+#define KEXEC_BPF_CMD_DECOMPRESS 0x1
+#define KEXEC_BPF_CMD_COPY 0x2
+
+#define KEXEC_BPF_SUBCMD_KERNEL 0x1
+#define KEXEC_BPF_SUBCMD_INITRD 0x2
+#define KEXEC_BPF_SUBCMD_CMDLINE 0x3
+
+/*
+ * The ringbufs can have different capacity. But only four ringbuf are provided.
+ */
+#ifndef RINGBUF1_SIZE
+#define RINGBUF1_SIZE 4
+#endif
+#ifndef RINGBUF2_SIZE
+#define RINGBUF2_SIZE 4
+#endif
+#ifndef RINGBUF3_SIZE
+#define RINGBUF3_SIZE 4
+#endif
+#ifndef RINGBUF4_SIZE
+#define RINGBUF4_SIZE 4
+#endif
+
+/* ringbuf is safe since the user space has no write access to them */
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, RINGBUF1_SIZE);
+} ringbuf_1 SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, RINGBUF2_SIZE);
+} ringbuf_2 SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, RINGBUF3_SIZE);
+} ringbuf_3 SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, RINGBUF4_SIZE);
+} ringbuf_4 SEC(".maps");
+
+char LICENSE[] SEC("license") = "GPL";
+
+/*
+ * This function ensures that the sections .rodata, .data, .rodata.str1.1 and .bss
+ * are created for a bpf prog.
+ */
+static const char dummy_rodata[16] __attribute__((used)) = "rodata";
+static char dummy_data[16] __attribute__((used)) = "data";
+static char *dummy_mergeable_str __attribute__((used)) = ".rodata.str1.1";
+static char dummy_bss[16] __attribute__((used));
+
diff --git a/tools/kexec/zboot_parser_bpf.c b/tools/kexec/zboot_parser_bpf.c
new file mode 100644
index 0000000000000..54c4b762b3324
--- /dev/null
+++ b/tools/kexec/zboot_parser_bpf.c
@@ -0,0 +1,114 @@
+// SPDX-License-Identifier: GPL-2.0
+//
+// Copyright (C) 2025, 2026 Red Hat, Inc
+//
+#include "vmlinux.h"
+#include <bpf_helpers.h>
+#include <bpf_tracing.h>
+#include "image_size.h"
+
+/* ringbuf 2,3,4 are useless */
+#define MIN_BUF_SIZE 1
+#define MAX_RECORD_SIZE (IMAGE_SIZE + 40960)
+#define RINGBUF1_SIZE IMAGE_SIZE_POWER2_ALIGN
+#define RINGBUF2_SIZE MIN_BUF_SIZE
+#define RINGBUF3_SIZE MIN_BUF_SIZE
+#define RINGBUF4_SIZE MIN_BUF_SIZE
+
+
+#include "template.c"
+
+/* see drivers/firmware/efi/libstub/zboot-header.S */
+struct linux_pe_zboot_header {
+ unsigned int mz_magic;
+ char image_type[4];
+ unsigned int payload_offset;
+ unsigned int payload_size;
+ unsigned int reserved[2];
+ char comp_type[4];
+ unsigned int linux_pe_magic;
+ unsigned int pe_header_offset;
+} __attribute__((packed));
+
+
+SEC("fentry.s/kexec_image_parser_anchor")
+int BPF_PROG(parse_pe, struct kexec_context *context, unsigned long parser_id)
+{
+ struct linux_pe_zboot_header *zboot_header;
+ unsigned int image_sz;
+ char *buf;
+ int ret = 0;
+
+ image_sz = context->kernel_sz;
+ bpf_printk("begin parse PE\n");
+ /* BPF verifier should know each variable initial state */
+ if (!context->kernel || (image_sz > MAX_RECORD_SIZE)) {
+ bpf_printk("Err: image size is greater than 0x%lx\n", MAX_RECORD_SIZE);
+ return 0;
+ }
+
+ /* In order to access bytes not aligned on 2 order, copy into ringbuf.
+ * And allocate the memory all at once, later overwriting.
+ *
+ * R2 is ARG_CONST_ALLOC_SIZE_OR_ZERO, should be decided at compling time
+ */
+ buf = (char *)bpf_ringbuf_reserve(&ringbuf_1, MAX_RECORD_SIZE, 0);
+ if (!buf) {
+ bpf_printk("Err: fail to reserve ringbuf to parse zboot header\n");
+ return 0;
+ }
+ bpf_probe_read((void *)buf, sizeof(struct linux_pe_zboot_header), context->kernel);
+ zboot_header = (struct linux_pe_zboot_header *)buf;
+ if (!!__builtin_memcmp(&zboot_header->image_type, "zimg",
+ sizeof(zboot_header->image_type))) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_printk("Err: image is not zboot image\n");
+ return 0;
+ }
+
+ unsigned int payload_offset = zboot_header->payload_offset;
+ unsigned int payload_size = zboot_header->payload_size;
+ bpf_printk("zboot image payload offset=0x%x, size=0x%x\n", payload_offset, payload_size);
+ /* sane check */
+ if (payload_size > image_sz) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_printk("Invalid zboot image payload offset and size\n");
+ return 0;
+ }
+ unsigned int max_payload = MAX_RECORD_SIZE - sizeof(struct cmd_hdr);
+ if (payload_size >= max_payload) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_printk("Err: payload_size > MAX_RECORD_SIZE\n");
+ return 0;
+ }
+ void *dst = (void *)buf + sizeof(struct cmd_hdr);
+ /* Overwrite buf */
+ struct cmd_hdr *cmd = (struct cmd_hdr *)buf;
+ cmd->cmd = KEXEC_BPF_CMD_DECOMPRESS;
+ cmd->subcmd = KEXEC_BPF_SUBCMD_KERNEL;
+ /* 4 bytes original size is appended after vmlinuz.bin */
+ cmd->payload_len = payload_size - 4;
+ bpf_probe_read(dst, payload_size, context->kernel + payload_offset);
+ if (payload_size < 4) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ return 0;
+ }
+ bpf_printk("Calling bpf_kexec_decompress()\n");
+ struct bpf_parser_context *bpf = bpf_get_parser_context(parser_id);
+ if (!bpf) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_printk("No parser in kernel\n");
+ return 0;
+ }
+ ret = bpf_buffer_parser(buf, sizeof(struct cmd_hdr) + payload_size - 4, bpf);
+ if (ret < 0) {
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_put_parser_context(bpf);
+ bpf_printk("Decompression fails\n");
+ return 0;
+ }
+ bpf_ringbuf_discard(buf, BPF_RB_NO_WAKEUP);
+ bpf_put_parser_context(bpf);
+
+ return 0;
+}
--
2.49.0
Powered by blists - more mailing lists