* [PATCH v2] kexec_file: skip checksum verification when safe @ 2026-06-02 12:33 Michal Clapinski 2026-06-02 15:16 ` Pratyush Yadav 2026-06-03 4:02 ` Pasha Tatashin 0 siblings, 2 replies; 6+ messages in thread From: Michal Clapinski @ 2026-06-02 12:33 UTC (permalink / raw) To: Andrew Morton, Baoquan He, Pasha Tatashin, Mike Rapoport, Pratyush Yadav, kexec Cc: Michal Clapinski Checksum verification is needed 1. for crash kernels. In a crash, we can't be sure the kernel is intact. 2. if we're worried about relocating the kernel into a region used by some DMA that wasn't properly cancelled. If KHO is enabled then relocations will happen to KHO scratch, which is free from DMA regions. If we used CMA to allocate segments then relocations are not going to happen at all. Therefore, we can safely disable checksum verification in both of those cases. Instead of adding a new variable to purgatory, just skip adding regions and save the default value of SHA256 hash. Saves ~250ms on my 4.0 GHz CPU. This is an important saving for the live-update project. Signed-off-by: Michal Clapinski <mclapinski@google.com> --- v2: - also skip checksum verification if KHO is enabled - small fixes from reviews My original idea was to do 2 changes: 1. Skip checksum if all segments are CMA. 2. If KHO is enabled, allocate the kernel inside kho_scratch using CMA. This way we could skip both relocations and checksum verification when KHO is enabled. But I realized that step 2 might not be possible on warm boots. I have no idea how to fix that (except weird ideas like 2 kho_scratches that we swap on every warm boot), so I decided to just skip checksum verification when KHO is enabled. This unfortunately means relocations will still happen. --- kernel/kexec_file.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 2bfbb2d144e6..db25a14692ab 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -27,6 +27,7 @@ #include <linux/syscalls.h> #include <linux/vmalloc.h> #include <linux/dma-map-ops.h> +#include <linux/kexec_handover.h> #include "kexec_internal.h" #ifdef CONFIG_KEXEC_SIG @@ -798,6 +799,16 @@ int kexec_add_buffer(struct kexec_buf *kbuf) return 0; } +static bool kexec_only_cma_segments(struct kimage *image) +{ + for (int i = 0; i < image->nr_segments; i++) { + if (!image->segment_cma[i]) + return false; + } + + return true; +} + /* Calculate and store the digest of segments */ static int kexec_calculate_store_digests(struct kimage *image) { @@ -822,6 +833,21 @@ static int kexec_calculate_store_digests(struct kimage *image) sha256_init(&sctx); + /* + * If KHO is enabled, the destinations are located in KHO scratch. + * KHO scratch can only contain early boot allocations and movable + * allocations. That means there is no risk of memory corruption by + * uncancelled DMA. + * + * If all segments were loaded into contiguous memory, there will be no + * relocations at all, so also no risk no corruption. + */ + if (image->type != KEXEC_TYPE_CRASH && + (kho_is_enabled() || kexec_only_cma_segments(image))) { + pr_debug("disabling checksum verification in purgatory\n"); + goto skip_checksum; + } + for (j = i = 0; i < image->nr_segments; i++) { struct kexec_segment *ksegment; @@ -867,6 +893,7 @@ static int kexec_calculate_store_digests(struct kimage *image) j++; } +skip_checksum: sha256_final(&sctx, digest); ret = kexec_purgatory_get_set_symbol(image, "purgatory_sha_regions", -- 2.54.0.929.g9b7fa37559-goog ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] kexec_file: skip checksum verification when safe 2026-06-02 12:33 [PATCH v2] kexec_file: skip checksum verification when safe Michal Clapinski @ 2026-06-02 15:16 ` Pratyush Yadav 2026-06-02 15:43 ` Michał Cłapiński 2026-06-03 13:14 ` Pasha Tatashin 2026-06-03 4:02 ` Pasha Tatashin 1 sibling, 2 replies; 6+ messages in thread From: Pratyush Yadav @ 2026-06-02 15:16 UTC (permalink / raw) To: Michal Clapinski Cc: Andrew Morton, Baoquan He, Pasha Tatashin, Mike Rapoport, Pratyush Yadav, kexec On Tue, Jun 02 2026, Michal Clapinski wrote: > Checksum verification is needed > 1. for crash kernels. In a crash, we can't be sure the kernel is > intact. > 2. if we're worried about relocating the kernel into a region used by > some DMA that wasn't properly cancelled. > > If KHO is enabled then relocations will happen to KHO scratch, which > is free from DMA regions. > If we used CMA to allocate segments then relocations are not going to > happen at all. > Therefore, we can safely disable checksum verification in both of those > cases. > > Instead of adding a new variable to purgatory, just skip adding regions > and save the default value of SHA256 hash. > > Saves ~250ms on my 4.0 GHz CPU. This is an important saving for the > live-update project. > > Signed-off-by: Michal Clapinski <mclapinski@google.com> > --- > v2: > - also skip checksum verification if KHO is enabled > - small fixes from reviews > > My original idea was to do 2 changes: > 1. Skip checksum if all segments are CMA. > 2. If KHO is enabled, allocate the kernel inside kho_scratch using CMA. > > This way we could skip both relocations and checksum verification when > KHO is enabled. > But I realized that step 2 might not be possible on warm boots. AFAIU we only relocate into scratch since relocating anywhere else might over-write preserved memory. If there is no relocation, there is no need for the kernel image to be in scratch, since the image won't be preserved memory anyway. So perhaps we can just use CMA directly, and only fall back to kho_locate_mem_hole() if that fails? This should be a simple enough change. Do you know how much time we can save by skipping relocations? I would guess it is in the hundreds of milliseconds. Can you try this (COMPLETELY UNTESTED) patch out and see if it works and if it further improves kexec time? --- 8< --- diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 2bfbb2d144e6..0ccc7b6d67c1 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -720,14 +720,6 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) if (kbuf->mem != KEXEC_BUF_MEM_UNKNOWN) return 0; - /* - * If KHO is active, only use KHO scratch memory. All other memory - * could potentially be handed over. - */ - ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); - if (ret <= 0) - return ret; - /* * Try to find a free physically contiguous block of memory first. With that, we * can avoid any copying at kexec time. @@ -735,6 +727,14 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) if (!kexec_alloc_contig(kbuf)) return 0; + /* + * If KHO is active and relocations are to be done,, only use KHO + * scratch memory. All other memory could potentially be handed over. + */ + ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); + if (ret <= 0) + return ret; + if (!IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) ret = kexec_walk_resources(kbuf, locate_mem_hole_callback); else --- >8 --- Of course this is not directly related to this patch so it shouldn't block it, but I reckon we might be able to squeeze a bit more performance out this way as a follow up. > I have no idea how to fix that (except weird ideas like 2 kho_scratches > that we swap on every warm boot), so I decided to just skip checksum > verification when KHO is enabled. This unfortunately means relocations > will still happen. > --- > kernel/kexec_file.c | 27 +++++++++++++++++++++++++++ > 1 file changed, 27 insertions(+) > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 2bfbb2d144e6..db25a14692ab 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -27,6 +27,7 @@ > #include <linux/syscalls.h> > #include <linux/vmalloc.h> > #include <linux/dma-map-ops.h> > +#include <linux/kexec_handover.h> > #include "kexec_internal.h" > > #ifdef CONFIG_KEXEC_SIG > @@ -798,6 +799,16 @@ int kexec_add_buffer(struct kexec_buf *kbuf) > return 0; > } > > +static bool kexec_only_cma_segments(struct kimage *image) > +{ > + for (int i = 0; i < image->nr_segments; i++) { > + if (!image->segment_cma[i]) > + return false; > + } > + > + return true; > +} > + > /* Calculate and store the digest of segments */ > static int kexec_calculate_store_digests(struct kimage *image) > { > @@ -822,6 +833,21 @@ static int kexec_calculate_store_digests(struct kimage *image) > > sha256_init(&sctx); > > + /* > + * If KHO is enabled, the destinations are located in KHO scratch. > + * KHO scratch can only contain early boot allocations and movable > + * allocations. That means there is no risk of memory corruption by > + * uncancelled DMA. > + * > + * If all segments were loaded into contiguous memory, there will be no > + * relocations at all, so also no risk no corruption. Typo: "so also no risk *of* corruption". We can fix that up when applying I think, so no need for a v3 just for this. Other than this, Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org> > + */ > + if (image->type != KEXEC_TYPE_CRASH && > + (kho_is_enabled() || kexec_only_cma_segments(image))) { > + pr_debug("disabling checksum verification in purgatory\n"); > + goto skip_checksum; > + } > + > for (j = i = 0; i < image->nr_segments; i++) { > struct kexec_segment *ksegment; > > @@ -867,6 +893,7 @@ static int kexec_calculate_store_digests(struct kimage *image) > j++; > } > > +skip_checksum: > sha256_final(&sctx, digest); > > ret = kexec_purgatory_get_set_symbol(image, "purgatory_sha_regions", -- Regards, Pratyush Yadav ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] kexec_file: skip checksum verification when safe 2026-06-02 15:16 ` Pratyush Yadav @ 2026-06-02 15:43 ` Michał Cłapiński 2026-06-02 16:49 ` Pratyush Yadav 2026-06-03 13:14 ` Pasha Tatashin 1 sibling, 1 reply; 6+ messages in thread From: Michał Cłapiński @ 2026-06-02 15:43 UTC (permalink / raw) To: Pratyush Yadav Cc: Andrew Morton, Baoquan He, Pasha Tatashin, Mike Rapoport, kexec On Tue, Jun 2, 2026 at 5:16 PM Pratyush Yadav <pratyush@kernel.org> wrote: > > On Tue, Jun 02 2026, Michal Clapinski wrote: > > > Checksum verification is needed > > 1. for crash kernels. In a crash, we can't be sure the kernel is > > intact. > > 2. if we're worried about relocating the kernel into a region used by > > some DMA that wasn't properly cancelled. > > > > If KHO is enabled then relocations will happen to KHO scratch, which > > is free from DMA regions. > > If we used CMA to allocate segments then relocations are not going to > > happen at all. > > Therefore, we can safely disable checksum verification in both of those > > cases. > > > > Instead of adding a new variable to purgatory, just skip adding regions > > and save the default value of SHA256 hash. > > > > Saves ~250ms on my 4.0 GHz CPU. This is an important saving for the > > live-update project. > > > > Signed-off-by: Michal Clapinski <mclapinski@google.com> > > --- > > v2: > > - also skip checksum verification if KHO is enabled > > - small fixes from reviews > > > > My original idea was to do 2 changes: > > 1. Skip checksum if all segments are CMA. > > 2. If KHO is enabled, allocate the kernel inside kho_scratch using CMA. > > > > This way we could skip both relocations and checksum verification when > > KHO is enabled. > > But I realized that step 2 might not be possible on warm boots. > > AFAIU we only relocate into scratch since relocating anywhere else might > over-write preserved memory. If there is no relocation, there is no need > for the kernel image to be in scratch, since the image won't be > preserved memory anyway. > > So perhaps we can just use CMA directly, and only fall back to > kho_locate_mem_hole() if that fails? This should be a simple enough > change. I agree that it will work. However, the user would need to have CMA memory and it would need to have enough contiguous memory available. Do you think running out of CMA memory is a real problem? > Do you know how much time we can save by skipping relocations? I would > guess it is in the hundreds of milliseconds. It's smaller than the variance between runs. Maybe 10ms. Everything between exiting the old kernel and TSC initialization in the new kernel takes ~70ms. Theoretically if we didn't have to do relocations, we could try unpacking the kernel before kexec, which would save a little bit more time. But again, definitely less than 0.1s. > Can you try this (COMPLETELY UNTESTED) patch out and see if it works and > if it further improves kexec time? > > --- 8< --- > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 2bfbb2d144e6..0ccc7b6d67c1 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -720,14 +720,6 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) > if (kbuf->mem != KEXEC_BUF_MEM_UNKNOWN) > return 0; > > - /* > - * If KHO is active, only use KHO scratch memory. All other memory > - * could potentially be handed over. > - */ > - ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); > - if (ret <= 0) > - return ret; > - > /* > * Try to find a free physically contiguous block of memory first. With that, we > * can avoid any copying at kexec time. > @@ -735,6 +727,14 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) > if (!kexec_alloc_contig(kbuf)) > return 0; > > + /* > + * If KHO is active and relocations are to be done,, only use KHO > + * scratch memory. All other memory could potentially be handed over. > + */ > + ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); > + if (ret <= 0) > + return ret; > + > if (!IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) > ret = kexec_walk_resources(kbuf, locate_mem_hole_callback); > else > --- >8 --- > > Of course this is not directly related to this patch so it shouldn't > block it, but I reckon we might be able to squeeze a bit more > performance out this way as a follow up. > > > I have no idea how to fix that (except weird ideas like 2 kho_scratches > > that we swap on every warm boot), so I decided to just skip checksum > > verification when KHO is enabled. This unfortunately means relocations > > will still happen. > > --- > > kernel/kexec_file.c | 27 +++++++++++++++++++++++++++ > > 1 file changed, 27 insertions(+) > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > > index 2bfbb2d144e6..db25a14692ab 100644 > > --- a/kernel/kexec_file.c > > +++ b/kernel/kexec_file.c > > @@ -27,6 +27,7 @@ > > #include <linux/syscalls.h> > > #include <linux/vmalloc.h> > > #include <linux/dma-map-ops.h> > > +#include <linux/kexec_handover.h> > > #include "kexec_internal.h" > > > > #ifdef CONFIG_KEXEC_SIG > > @@ -798,6 +799,16 @@ int kexec_add_buffer(struct kexec_buf *kbuf) > > return 0; > > } > > > > +static bool kexec_only_cma_segments(struct kimage *image) > > +{ > > + for (int i = 0; i < image->nr_segments; i++) { > > + if (!image->segment_cma[i]) > > + return false; > > + } > > + > > + return true; > > +} > > + > > /* Calculate and store the digest of segments */ > > static int kexec_calculate_store_digests(struct kimage *image) > > { > > @@ -822,6 +833,21 @@ static int kexec_calculate_store_digests(struct kimage *image) > > > > sha256_init(&sctx); > > > > + /* > > + * If KHO is enabled, the destinations are located in KHO scratch. > > + * KHO scratch can only contain early boot allocations and movable > > + * allocations. That means there is no risk of memory corruption by > > + * uncancelled DMA. > > + * > > + * If all segments were loaded into contiguous memory, there will be no > > + * relocations at all, so also no risk no corruption. > > Typo: "so also no risk *of* corruption". > > We can fix that up when applying I think, so no need for a v3 just for > this. > > Other than this, > > Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org> > > > + */ > > + if (image->type != KEXEC_TYPE_CRASH && > > + (kho_is_enabled() || kexec_only_cma_segments(image))) { > > + pr_debug("disabling checksum verification in purgatory\n"); > > + goto skip_checksum; > > + } > > + > > for (j = i = 0; i < image->nr_segments; i++) { > > struct kexec_segment *ksegment; > > > > @@ -867,6 +893,7 @@ static int kexec_calculate_store_digests(struct kimage *image) > > j++; > > } > > > > +skip_checksum: > > sha256_final(&sctx, digest); > > > > ret = kexec_purgatory_get_set_symbol(image, "purgatory_sha_regions", > > -- > Regards, > Pratyush Yadav ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] kexec_file: skip checksum verification when safe 2026-06-02 15:43 ` Michał Cłapiński @ 2026-06-02 16:49 ` Pratyush Yadav 0 siblings, 0 replies; 6+ messages in thread From: Pratyush Yadav @ 2026-06-02 16:49 UTC (permalink / raw) To: Michał Cłapiński Cc: Pratyush Yadav, Andrew Morton, Baoquan He, Pasha Tatashin, Mike Rapoport, kexec On Tue, Jun 02 2026, Michał Cłapiński wrote: > On Tue, Jun 2, 2026 at 5:16 PM Pratyush Yadav <pratyush@kernel.org> wrote: >> >> On Tue, Jun 02 2026, Michal Clapinski wrote: >> >> > Checksum verification is needed >> > 1. for crash kernels. In a crash, we can't be sure the kernel is >> > intact. >> > 2. if we're worried about relocating the kernel into a region used by >> > some DMA that wasn't properly cancelled. >> > >> > If KHO is enabled then relocations will happen to KHO scratch, which >> > is free from DMA regions. >> > If we used CMA to allocate segments then relocations are not going to >> > happen at all. >> > Therefore, we can safely disable checksum verification in both of those >> > cases. >> > >> > Instead of adding a new variable to purgatory, just skip adding regions >> > and save the default value of SHA256 hash. >> > >> > Saves ~250ms on my 4.0 GHz CPU. This is an important saving for the >> > live-update project. >> > >> > Signed-off-by: Michal Clapinski <mclapinski@google.com> >> > --- >> > v2: >> > - also skip checksum verification if KHO is enabled >> > - small fixes from reviews >> > >> > My original idea was to do 2 changes: >> > 1. Skip checksum if all segments are CMA. >> > 2. If KHO is enabled, allocate the kernel inside kho_scratch using CMA. >> > >> > This way we could skip both relocations and checksum verification when >> > KHO is enabled. >> > But I realized that step 2 might not be possible on warm boots. >> >> AFAIU we only relocate into scratch since relocating anywhere else might >> over-write preserved memory. If there is no relocation, there is no need >> for the kernel image to be in scratch, since the image won't be >> preserved memory anyway. >> >> So perhaps we can just use CMA directly, and only fall back to >> kho_locate_mem_hole() if that fails? This should be a simple enough >> change. > > I agree that it will work. However, the user would need to have CMA > memory and it would need to have enough contiguous memory available. > Do you think running out of CMA memory is a real problem? No idea. I think that depends heavily on how much memory drivers are using, and I have no numbers for that. Anyway, if the user doesn't have memory available in CMA, we will still fall back to the normal path so kexec load will still at least keep working. > >> Do you know how much time we can save by skipping relocations? I would >> guess it is in the hundreds of milliseconds. > > It's smaller than the variance between runs. Maybe 10ms. Everything > between exiting the old kernel and TSC initialization in the new > kernel takes ~70ms. > > Theoretically if we didn't have to do relocations, we could try > unpacking the kernel before kexec, which would save a little bit more > time. But again, definitely less than 0.1s. Hmm, I thought it would take longer. I don't think we are at a point yet where we should try to save 10s of milliseconds. Thanks for trying it out though. > >> Can you try this (COMPLETELY UNTESTED) patch out and see if it works and >> if it further improves kexec time? >> >> --- 8< --- >> diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c >> index 2bfbb2d144e6..0ccc7b6d67c1 100644 >> --- a/kernel/kexec_file.c >> +++ b/kernel/kexec_file.c >> @@ -720,14 +720,6 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) >> if (kbuf->mem != KEXEC_BUF_MEM_UNKNOWN) >> return 0; >> >> - /* >> - * If KHO is active, only use KHO scratch memory. All other memory >> - * could potentially be handed over. >> - */ >> - ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); >> - if (ret <= 0) >> - return ret; >> - >> /* >> * Try to find a free physically contiguous block of memory first. With that, we >> * can avoid any copying at kexec time. >> @@ -735,6 +727,14 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) >> if (!kexec_alloc_contig(kbuf)) >> return 0; >> >> + /* >> + * If KHO is active and relocations are to be done,, only use KHO >> + * scratch memory. All other memory could potentially be handed over. >> + */ >> + ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); >> + if (ret <= 0) >> + return ret; >> + >> if (!IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) >> ret = kexec_walk_resources(kbuf, locate_mem_hole_callback); >> else >> --- >8 --- >> >> Of course this is not directly related to this patch so it shouldn't >> block it, but I reckon we might be able to squeeze a bit more >> performance out this way as a follow up. >> [...] -- Regards, Pratyush Yadav ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] kexec_file: skip checksum verification when safe 2026-06-02 15:16 ` Pratyush Yadav 2026-06-02 15:43 ` Michał Cłapiński @ 2026-06-03 13:14 ` Pasha Tatashin 1 sibling, 0 replies; 6+ messages in thread From: Pasha Tatashin @ 2026-06-03 13:14 UTC (permalink / raw) To: Pratyush Yadav Cc: Michal Clapinski, Andrew Morton, Baoquan He, Pasha Tatashin, Mike Rapoport, kexec On 06-02 17:16, Pratyush Yadav wrote: > On Tue, Jun 02 2026, Michal Clapinski wrote: > > > Checksum verification is needed > > 1. for crash kernels. In a crash, we can't be sure the kernel is > > intact. > > 2. if we're worried about relocating the kernel into a region used by > > some DMA that wasn't properly cancelled. > > > > If KHO is enabled then relocations will happen to KHO scratch, which > > is free from DMA regions. > > If we used CMA to allocate segments then relocations are not going to > > happen at all. > > Therefore, we can safely disable checksum verification in both of those > > cases. > > > > Instead of adding a new variable to purgatory, just skip adding regions > > and save the default value of SHA256 hash. > > > > Saves ~250ms on my 4.0 GHz CPU. This is an important saving for the > > live-update project. > > > > Signed-off-by: Michal Clapinski <mclapinski@google.com> > > --- > > v2: > > - also skip checksum verification if KHO is enabled > > - small fixes from reviews > > > > My original idea was to do 2 changes: > > 1. Skip checksum if all segments are CMA. > > 2. If KHO is enabled, allocate the kernel inside kho_scratch using CMA. > > > > This way we could skip both relocations and checksum verification when > > KHO is enabled. > > But I realized that step 2 might not be possible on warm boots. > > AFAIU we only relocate into scratch since relocating anywhere else might > over-write preserved memory. If there is no relocation, there is no need > for the kernel image to be in scratch, since the image won't be > preserved memory anyway. > > So perhaps we can just use CMA directly, and only fall back to > kho_locate_mem_hole() if that fails? This should be a simple enough > change. > > Do you know how much time we can save by skipping relocations? I would > guess it is in the hundreds of milliseconds. > > Can you try this (COMPLETELY UNTESTED) patch out and see if it works and > if it further improves kexec time? > > --- 8< --- > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index 2bfbb2d144e6..0ccc7b6d67c1 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -720,14 +720,6 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) > if (kbuf->mem != KEXEC_BUF_MEM_UNKNOWN) > return 0; > > - /* > - * If KHO is active, only use KHO scratch memory. All other memory > - * could potentially be handed over. > - */ > - ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); > - if (ret <= 0) > - return ret; > - > /* > * Try to find a free physically contiguous block of memory first. With that, we > * can avoid any copying at kexec time. > @@ -735,6 +727,14 @@ int kexec_locate_mem_hole(struct kexec_buf *kbuf) > if (!kexec_alloc_contig(kbuf)) > return 0; > > + /* > + * If KHO is active and relocations are to be done,, only use KHO > + * scratch memory. All other memory could potentially be handed over. > + */ > + ret = kho_locate_mem_hole(kbuf, locate_mem_hole_callback); > + if (ret <= 0) > + return ret; > + > if (!IS_ENABLED(CONFIG_ARCH_KEEP_MEMBLOCK)) > ret = kexec_walk_resources(kbuf, locate_mem_hole_callback); > else > --- >8 --- > > Of course this is not directly related to this patch so it shouldn't > block it, but I reckon we might be able to squeeze a bit more > performance out this way as a follow up. > > > I have no idea how to fix that (except weird ideas like 2 kho_scratches > > that we swap on every warm boot), so I decided to just skip checksum > > verification when KHO is enabled. This unfortunately means relocations > > will still happen. > > --- > > kernel/kexec_file.c | 27 +++++++++++++++++++++++++++ > > 1 file changed, 27 insertions(+) > > > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > > index 2bfbb2d144e6..db25a14692ab 100644 > > --- a/kernel/kexec_file.c > > +++ b/kernel/kexec_file.c > > @@ -27,6 +27,7 @@ > > #include <linux/syscalls.h> > > #include <linux/vmalloc.h> > > #include <linux/dma-map-ops.h> > > +#include <linux/kexec_handover.h> > > #include "kexec_internal.h" > > > > #ifdef CONFIG_KEXEC_SIG > > @@ -798,6 +799,16 @@ int kexec_add_buffer(struct kexec_buf *kbuf) > > return 0; > > } > > > > +static bool kexec_only_cma_segments(struct kimage *image) > > +{ > > + for (int i = 0; i < image->nr_segments; i++) { > > + if (!image->segment_cma[i]) > > + return false; > > + } > > + > > + return true; > > +} > > + > > /* Calculate and store the digest of segments */ > > static int kexec_calculate_store_digests(struct kimage *image) > > { > > @@ -822,6 +833,21 @@ static int kexec_calculate_store_digests(struct kimage *image) > > > > sha256_init(&sctx); > > > > + /* > > + * If KHO is enabled, the destinations are located in KHO scratch. > > + * KHO scratch can only contain early boot allocations and movable > > + * allocations. That means there is no risk of memory corruption by > > + * uncancelled DMA. > > + * > > + * If all segments were loaded into contiguous memory, there will be no > > + * relocations at all, so also no risk no corruption. > > Typo: "so also no risk *of* corruption". Missed this fix when applied forced updated, to address this. > > We can fix that up when applying I think, so no need for a v3 just for > this. > > Other than this, > > Reviewed-by: Pratyush Yadav (Google) <pratyush@kernel.org> > > > + */ > > + if (image->type != KEXEC_TYPE_CRASH && > > + (kho_is_enabled() || kexec_only_cma_segments(image))) { > > + pr_debug("disabling checksum verification in purgatory\n"); > > + goto skip_checksum; > > + } > > + > > for (j = i = 0; i < image->nr_segments; i++) { > > struct kexec_segment *ksegment; > > > > @@ -867,6 +893,7 @@ static int kexec_calculate_store_digests(struct kimage *image) > > j++; > > } > > > > +skip_checksum: > > sha256_final(&sctx, digest); > > > > ret = kexec_purgatory_get_set_symbol(image, "purgatory_sha_regions", > > -- > Regards, > Pratyush Yadav ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] kexec_file: skip checksum verification when safe 2026-06-02 12:33 [PATCH v2] kexec_file: skip checksum verification when safe Michal Clapinski 2026-06-02 15:16 ` Pratyush Yadav @ 2026-06-03 4:02 ` Pasha Tatashin 1 sibling, 0 replies; 6+ messages in thread From: Pasha Tatashin @ 2026-06-03 4:02 UTC (permalink / raw) To: Andrew Morton, Baoquan He, Mike Rapoport, Pratyush Yadav, kexec, Michal Clapinski On Tue, 02 Jun 2026 14:33:11 +0200, Michal Clapinski wrote: > Checksum verification is needed > 1. for crash kernels. In a crash, we can't be sure the kernel is > intact. > 2. if we're worried about relocating the kernel into a region used by > some DMA that wasn't properly cancelled. > > If KHO is enabled then relocations will happen to KHO scratch, which > is free from DMA regions. > If we used CMA to allocate segments then relocations are not going to > happen at all. > Therefore, we can safely disable checksum verification in both of those > cases. > > [...] Applied, thanks! [1/1] kexec_file: skip checksum verification when safe commit: 459a08d029bf6f026b25063708a63bdaa8ccc0b1 Best regards, -- Pasha Tatashin <pasha.tatashin@soleen.com> ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-06-03 13:14 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-06-02 12:33 [PATCH v2] kexec_file: skip checksum verification when safe Michal Clapinski 2026-06-02 15:16 ` Pratyush Yadav 2026-06-02 15:43 ` Michał Cłapiński 2026-06-02 16:49 ` Pratyush Yadav 2026-06-03 13:14 ` Pasha Tatashin 2026-06-03 4:02 ` Pasha Tatashin
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.