Re: [PATCHv6 00/13] kexec: Use BPF lskel to enable kexec to load PE format boot image

[Philipp Rudo <prudo@redhat.com>]

Hi Pingfan,

please excuse my late reply. I've looked through the series and all in
all it looks fine to me. I've got two comments/questions in addition to
what the bpf-bot found. In general the findings from the bpf-bot look
valid to me. But fixing them should be rather straight forward. Only
for the first finding, where it "complains" that ctx->buf is NULL, I
don't understand what it is wants to tell us.

In my opinion the next step we should take is to implement an example
bpf-prog for UKIs. I expect it to be much more complex compared to the
zboot one. So having a example bpf-prog will show us if we run into any
limitations with bpf or need to adjust the interfaces.

Thanks
Philipp

On Mon, 19 Jan 2026 11:24:11 +0800
Pingfan Liu <piliu@redhat.com> wrote:

> *** The history ***
> 
> Nowadays, UEFI PE bootable images are becoming increasingly popular
> among distributions. Currently, we have several kinds of image format
> parsers in user space (kexec-tools). However, this approach breaks the
> integrity protection of the images. To address this integrity protection
> concern, several approaches have been proposed to resolve this issue,
> but none of them have been accepted upstream yet.
> 
> The summary of those approaches:
>   -1. UEFI service emulator for UEFI stub
>   -2. PE format parser in kernel
>   -3. Signing the arm64/boot/Image
> 
> 
> For the first approach, I tried a purgatory-style emulator [1], but it
> encounters hardware scaling issues. For the second approach, both
> zboot-format [2] and UKI-format [3] parsers were rejected due to
> concerns that variant format parsers would bloat the kernel code.
> Additionally, for example in arm64, both UKI and zboot format parsers
> would need to be introduced and chained together to handle image
> loading. For the third approach, I attempted [4], but since zboot or UKI
> images already have signatures, upstream maintainers dislike the
> additional signature on the Image. Moreover, for secure boot UKI, this
> method cannot use signatures to protect the initramfs.
> 
> 
> *** The approach in this series ***
> 
> This series introduces an approach that allows image formats to be
> parsed by BPF programs. As a result, the kexec kernel code can remain
> relatively stable without introducing new parsers for different
> architectures.  This approach introduces a dedicated '.bpf' section in
> the PE file, which stores BPF bytecode. The integrity of all
> components -- kernel, initramfs, cmdline, and even the BPF bytecode
> itself is protected by the PE file's signature.  After signature
> verification, the BPF bytecode is loaded and executed from within the
> kernel using BPF lskel. Therefore, the bytecode itself is protected from
> malicious attacks on the BPF loader in user space.  
> 
> When a .bpf section is extracted from the current image file, its
> bytecode is attached to the kexec kernel function
> kexec_image_parser_anchor(). After the bytecode parses the image, the
> next-stage image is prepared, and the bytecode in the new .bpf section
> can be attached to kexec_image_parser_anchor(). In this way, nested
> image format issues (e.g., zboot image within UKI on arm64) can be
> resolved.  (Theoretically not yet tested.)
> 
> 
> *** Thanks ***
> I would like to thank Philipp Rudo, whose insights inspired this
> approach and who dedicated significant time to evaluating its
> practicality. I am also grateful to Viktor Malik for his guidance on
> using BPF light skeleton to prevent malicious attacks from user space.
> 
> 
> *** Test approach ***
> -1. compile kernel
> -2. get the zboot image with bpf-prog by 'make -C tools/kexec zboot'
> -3. compile kexec-tools from https://github.com/pfliu/kexec-tools/tree/pe_bpf
> 
> The rest test process is the common convention to use kexec.
> 
> 
> [1]: https://lore.kernel.org/lkml/20240819145417.23367-1-piliu@redhat.com/T/
> [2]: https://lore.kernel.org/kexec/20230306030305.15595-1-kernelfans@gmail.com/
> [3]: https://lore.kernel.org/lkml/20230911052535.335770-1-kernel@jfarr.cc/
> [4]: https://lore.kernel.org/linux-efi/20230921133703.39042-1-kernelfans@gmail.com/
> 
> 
> *** Changes ***
> v5 -> v6
>   - Re-organize the layers in kexec_file_load into two layers: format-parsing and kernel boot protocol handling.
>   - Simplify the bpf kfunc interface.
>   - rebased onto Linux 6.19-rc2
> 
> v4 -> v5
>   - rebased onto Linux 6.17-rc2
>   - [1/12], use a separate CONFIG_KEEP_COMPRESSOR to decide the section
>     of decompressor method
>   - [10/12], add Catalin's acked-by (Thanks Catalin!)
> 
> v3 -> v4
>   - Use dynamic allocator in decompression ([4/12])
>   - Fix issue caused by Identical Code Folding ([5/12])
>   - Integrate the image generator tool in the kernel tree ([11,12/12])
>   - Address the issue according to Philipp's comments in v3 reviewing.
>     Thanks Philipp!
> 
> RFCv2 -> v3
>   - move the introduced bpf kfuncs to kernel/bpf/* and mark them sleepable
>   - use listener and publisher model to implement bpf_copy_to_kernel()
>   - keep each introduced kfunc under the control of memcg
> 
> RFCv1 -> RFCv2
>   - Use bpf kfunc instead of helper
>   - Use C source code to generate the light skeleton file
> 
> 
> ---
> Pingfan Liu (13):
>   bpf: Introduce kfuncs to parser buffer content
>   kexec_file: Move signature validation ahead
>   kexec_file: Introduce routines to parse PE file
>   kexec_file: Use bpf-prog to decompose image
>   lib/decompress: Keep decompressor when CONFIG_KEEP_DECOMPRESSOR
>   kexec_file: Implement decompress method for parser
>   kexec_file: Implement copy method for parser
>   kexec_file: Introduce a bpf-prog lskel to parse PE file
>   kexec_file: Factor out routine to find a symbol in ELF
>   kexec_file: Integrate bpf light skeleton to load image with bpf-prog
>   arm64/kexec: Select KEXEC_BPF to support UEFI-style kernel image
>   tools/kexec: Introduce a bpf-prog to parse zboot image format
>   tools/kexec: Add a zboot image building tool
> 
>  arch/arm64/Kconfig                           |   1 +
>  include/linux/bpf.h                          |  19 +
>  include/linux/decompress/mm.h                |   8 +
>  kernel/Kconfig.kexec                         |   8 +
>  kernel/Makefile                              |   2 +
>  kernel/bpf/Makefile                          |   3 +
>  kernel/bpf/bpf_buffer_parser.c               | 170 +++++++
>  kernel/kexec_bpf/Makefile                    |  70 +++
>  kernel/kexec_bpf/kexec_pe_parser_bpf.c       |  12 +
>  kernel/kexec_bpf/kexec_pe_parser_bpf.lskel.h | 130 ++++++
>  kernel/kexec_bpf/template.c                  |  68 +++
>  kernel/kexec_bpf_loader.c                    | 439 +++++++++++++++++++
>  kernel/kexec_file.c                          | 106 +++--
>  kernel/kexec_internal.h                      |   5 +
>  kernel/kexec_uefi_app.c                      |  81 ++++
>  lib/Kconfig                                  |   6 +
>  lib/decompress.c                             |   6 +-
>  tools/kexec/Makefile                         |  91 ++++
>  tools/kexec/pe.h                             | 177 ++++++++
>  tools/kexec/template.c                       |  68 +++
>  tools/kexec/zboot_image_builder.c            | 278 ++++++++++++
>  tools/kexec/zboot_parser_bpf.c               | 114 +++++
>  22 files changed, 1813 insertions(+), 49 deletions(-)
>  create mode 100644 kernel/bpf/bpf_buffer_parser.c
>  create mode 100644 kernel/kexec_bpf/Makefile
>  create mode 100644 kernel/kexec_bpf/kexec_pe_parser_bpf.c
>  create mode 100644 kernel/kexec_bpf/kexec_pe_parser_bpf.lskel.h
>  create mode 100644 kernel/kexec_bpf/template.c
>  create mode 100644 kernel/kexec_bpf_loader.c
>  create mode 100644 kernel/kexec_uefi_app.c
>  create mode 100644 tools/kexec/Makefile
>  create mode 100644 tools/kexec/pe.h
>  create mode 100644 tools/kexec/template.c
>  create mode 100644 tools/kexec/zboot_image_builder.c
>  create mode 100644 tools/kexec/zboot_parser_bpf.c
>