From: James Morse <james.morse@arm.com>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: herbert@gondor.apana.org.au, bhe@redhat.com,
ard.biesheuvel@linaro.org, catalin.marinas@arm.com,
julien.thierry@arm.com, will.deacon@arm.com,
linux-kernel@vger.kernel.org, kexec@lists.infradead.org,
dhowells@redhat.com, arnd@arndb.de,
linux-arm-kernel@lists.infradead.org, mpe@ellerman.id.au,
bauerman@linux.vnet.ibm.com, akpm@linux-foundation.org,
dyoung@redhat.com, davem@davemloft.net, vgoyal@redhat.com
Subject: Re: [PATCH v7 00/11] arm64: kexec: add kexec_file_load() support
Date: Wed, 07 Feb 2018 18:37:21 +0000 [thread overview]
Message-ID: <5A7B4761.3000808@arm.com> (raw)
In-Reply-To: <20171204025801.12161-1-takahiro.akashi@linaro.org>
Hi Akashi,
I'm still getting my head round how all this works, so please forgive what may
be stupid questions!
On 04/12/17 02:57, AKASHI Takahiro wrote:
> This is the seventh round of implementing kexec_file_load() support
> on arm64.[1]
> Most of the code is based on kexec-tools (along with some kernel code
> from x86, which also came from kexec-tools).
>
>
> This patch series enables us to
> * load the kernel, Image, via kexec_file_load() system call, and
> * optionally verify its signature at load time for trusted boot.
Is kdump using kexec_file_load() possible? (questions on patch 3)
I can't work out why additional elf-generating code would be necessary if kdump
works today without it...
> To load the kernel via kexec_file_load() system call, a small change
> is also required on kexec-tools. See [2]. This enables '-s' option.
> (Please use v7.2.1+ crash utility for v4.14+ kernel)
(what does the -s option do?)
> As we discussed a long time ago, users may not be allowed to specify
> device-tree file of the 2nd kernel explicitly with kexec-tools, hence
> re-using the blob of the first kernel.
>
> Regarding a kernel image verification, a signature must be presented
> along with the binary itself. A signature is basically a hash value
> calculated against the whole binary data and encrypted by a key which
> will be authenticated by the system's trusted certificate.
> Any attempt to read and load a to-be-kexec-ed kernel image through
> a system call will be checked and blocked if the binary's hash value
> doesn't match its associated signature.
> Concerns(or future works):
(lets keep this stuff in the future)
> * Even if the kernel is configured with CONFIG_RANDOMIZE_BASE, the 2nd
> kernel won't be placed at a randomized address. We will have to
> add some boot code similar to efi-stub to implement the randomization.
I think there are two parts to this. The efistub may copy the kernel to a new
~random location in physical memory. It also adds a seed used to randomise the
virtual-addresses the kernel executes from.
For kexec_file_load() the first-kernel could apply some randomness to the
physical offset when it re-assembles the kexec-kernel. i.e. code in
arm64_relocate_new_kernel(). I don't think we should do this without some hint
that the new kernel supports this...
For the virtual-addresses it would need to add a new kaslr-seed to the
DT/chosen, which should be harmless.
> for approach (1),
> * While big-endian kernel can support kernel signing, I'm not sure that
> Image can be recognized as in PE format because x86 standard only
> defines little-endian-based format.
What does the recognizing? (I don't think we should invent a new format..)
> * vmlinux support
(Patch 3 is why I'm here)
I don't think we need to support this. I can't boot a vmlinux file via UEFI. As
I understand it kexec_file_load() is all about the signature verification for
UEFI:SecureBoot. The chances of me having a vmlinux signed for SecureBoot use is
pretty low, chances are its a self-signed image I just built, in which case I
can use the arm64 Image file that was built at the same time.
Supporting two file formats is going to be a headache. Distributions ship
separate debug info packages for debugging, I don't think we need to make them
bootable...
Thanks,
James
_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec
WARNING: multiple messages have this Message-ID (diff)
From: james.morse@arm.com (James Morse)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v7 00/11] arm64: kexec: add kexec_file_load() support
Date: Wed, 07 Feb 2018 18:37:21 +0000 [thread overview]
Message-ID: <5A7B4761.3000808@arm.com> (raw)
In-Reply-To: <20171204025801.12161-1-takahiro.akashi@linaro.org>
Hi Akashi,
I'm still getting my head round how all this works, so please forgive what may
be stupid questions!
On 04/12/17 02:57, AKASHI Takahiro wrote:
> This is the seventh round of implementing kexec_file_load() support
> on arm64.[1]
> Most of the code is based on kexec-tools (along with some kernel code
> from x86, which also came from kexec-tools).
>
>
> This patch series enables us to
> * load the kernel, Image, via kexec_file_load() system call, and
> * optionally verify its signature at load time for trusted boot.
Is kdump using kexec_file_load() possible? (questions on patch 3)
I can't work out why additional elf-generating code would be necessary if kdump
works today without it...
> To load the kernel via kexec_file_load() system call, a small change
> is also required on kexec-tools. See [2]. This enables '-s' option.
> (Please use v7.2.1+ crash utility for v4.14+ kernel)
(what does the -s option do?)
> As we discussed a long time ago, users may not be allowed to specify
> device-tree file of the 2nd kernel explicitly with kexec-tools, hence
> re-using the blob of the first kernel.
>
> Regarding a kernel image verification, a signature must be presented
> along with the binary itself. A signature is basically a hash value
> calculated against the whole binary data and encrypted by a key which
> will be authenticated by the system's trusted certificate.
> Any attempt to read and load a to-be-kexec-ed kernel image through
> a system call will be checked and blocked if the binary's hash value
> doesn't match its associated signature.
> Concerns(or future works):
(lets keep this stuff in the future)
> * Even if the kernel is configured with CONFIG_RANDOMIZE_BASE, the 2nd
> kernel won't be placed at a randomized address. We will have to
> add some boot code similar to efi-stub to implement the randomization.
I think there are two parts to this. The efistub may copy the kernel to a new
~random location in physical memory. It also adds a seed used to randomise the
virtual-addresses the kernel executes from.
For kexec_file_load() the first-kernel could apply some randomness to the
physical offset when it re-assembles the kexec-kernel. i.e. code in
arm64_relocate_new_kernel(). I don't think we should do this without some hint
that the new kernel supports this...
For the virtual-addresses it would need to add a new kaslr-seed to the
DT/chosen, which should be harmless.
> for approach (1),
> * While big-endian kernel can support kernel signing, I'm not sure that
> Image can be recognized as in PE format because x86 standard only
> defines little-endian-based format.
What does the recognizing? (I don't think we should invent a new format..)
> * vmlinux support
(Patch 3 is why I'm here)
I don't think we need to support this. I can't boot a vmlinux file via UEFI. As
I understand it kexec_file_load() is all about the signature verification for
UEFI:SecureBoot. The chances of me having a vmlinux signed for SecureBoot use is
pretty low, chances are its a self-signed image I just built, in which case I
can use the arm64 Image file that was built at the same time.
Supporting two file formats is going to be a headache. Distributions ship
separate debug info packages for debugging, I don't think we need to make them
bootable...
Thanks,
James
WARNING: multiple messages have this Message-ID (diff)
From: James Morse <james.morse@arm.com>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: catalin.marinas@arm.com, will.deacon@arm.com,
bauerman@linux.vnet.ibm.com, dhowells@redhat.com,
vgoyal@redhat.com, herbert@gondor.apana.org.au,
davem@davemloft.net, akpm@linux-foundation.org,
mpe@ellerman.id.au, dyoung@redhat.com, bhe@redhat.com,
arnd@arndb.de, ard.biesheuvel@linaro.org, julien.thierry@arm.com,
kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 00/11] arm64: kexec: add kexec_file_load() support
Date: Wed, 07 Feb 2018 18:37:21 +0000 [thread overview]
Message-ID: <5A7B4761.3000808@arm.com> (raw)
In-Reply-To: <20171204025801.12161-1-takahiro.akashi@linaro.org>
Hi Akashi,
I'm still getting my head round how all this works, so please forgive what may
be stupid questions!
On 04/12/17 02:57, AKASHI Takahiro wrote:
> This is the seventh round of implementing kexec_file_load() support
> on arm64.[1]
> Most of the code is based on kexec-tools (along with some kernel code
> from x86, which also came from kexec-tools).
>
>
> This patch series enables us to
> * load the kernel, Image, via kexec_file_load() system call, and
> * optionally verify its signature at load time for trusted boot.
Is kdump using kexec_file_load() possible? (questions on patch 3)
I can't work out why additional elf-generating code would be necessary if kdump
works today without it...
> To load the kernel via kexec_file_load() system call, a small change
> is also required on kexec-tools. See [2]. This enables '-s' option.
> (Please use v7.2.1+ crash utility for v4.14+ kernel)
(what does the -s option do?)
> As we discussed a long time ago, users may not be allowed to specify
> device-tree file of the 2nd kernel explicitly with kexec-tools, hence
> re-using the blob of the first kernel.
>
> Regarding a kernel image verification, a signature must be presented
> along with the binary itself. A signature is basically a hash value
> calculated against the whole binary data and encrypted by a key which
> will be authenticated by the system's trusted certificate.
> Any attempt to read and load a to-be-kexec-ed kernel image through
> a system call will be checked and blocked if the binary's hash value
> doesn't match its associated signature.
> Concerns(or future works):
(lets keep this stuff in the future)
> * Even if the kernel is configured with CONFIG_RANDOMIZE_BASE, the 2nd
> kernel won't be placed at a randomized address. We will have to
> add some boot code similar to efi-stub to implement the randomization.
I think there are two parts to this. The efistub may copy the kernel to a new
~random location in physical memory. It also adds a seed used to randomise the
virtual-addresses the kernel executes from.
For kexec_file_load() the first-kernel could apply some randomness to the
physical offset when it re-assembles the kexec-kernel. i.e. code in
arm64_relocate_new_kernel(). I don't think we should do this without some hint
that the new kernel supports this...
For the virtual-addresses it would need to add a new kaslr-seed to the
DT/chosen, which should be harmless.
> for approach (1),
> * While big-endian kernel can support kernel signing, I'm not sure that
> Image can be recognized as in PE format because x86 standard only
> defines little-endian-based format.
What does the recognizing? (I don't think we should invent a new format..)
> * vmlinux support
(Patch 3 is why I'm here)
I don't think we need to support this. I can't boot a vmlinux file via UEFI. As
I understand it kexec_file_load() is all about the signature verification for
UEFI:SecureBoot. The chances of me having a vmlinux signed for SecureBoot use is
pretty low, chances are its a self-signed image I just built, in which case I
can use the arm64 Image file that was built at the same time.
Supporting two file formats is going to be a headache. Distributions ship
separate debug info packages for debugging, I don't think we need to make them
bootable...
Thanks,
James
next prev parent reply other threads:[~2018-02-07 18:37 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-04 2:57 [PATCH v7 00/11] arm64: kexec: add kexec_file_load() support AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 01/11] resource: add walk_system_ram_res_rev() AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 02/11] kexec_file: factor out arch_kexec_kernel_*() from x86, powerpc AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 03/11] kexec_file: factor out crashdump elf header function from x86 AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2018-02-07 18:37 ` James Morse
2018-02-07 18:37 ` James Morse
2018-02-07 18:37 ` James Morse
2018-02-09 12:23 ` AKASHI Takahiro
2018-02-09 12:23 ` AKASHI Takahiro
2018-02-09 12:23 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 04/11] asm-generic: add kexec_file_load system call to unistd.h AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 05/11] arm64: kexec_file: create purgatory AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2018-02-07 18:37 ` James Morse
2018-02-07 18:37 ` James Morse
2018-02-07 18:37 ` James Morse
2018-02-09 12:40 ` AKASHI Takahiro
2018-02-09 12:40 ` AKASHI Takahiro
2018-02-09 12:40 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 06/11] arm64: kexec_file: load initrd, device-tree and purgatory segments AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 07/11] arm64: kexec_file: set up for crash dump adding elf core header AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 08/11] arm64: kexec_file: enable KEXEC_FILE config AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` [PATCH v7 09/11] arm64: kexec_file: add Image format support AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:57 ` AKASHI Takahiro
2017-12-04 2:58 ` [PATCH v7 10/11] include: pe.h: remove message[] from mz header definition AKASHI Takahiro
2017-12-04 2:58 ` AKASHI Takahiro
2017-12-04 2:58 ` AKASHI Takahiro
2017-12-04 2:58 ` [PATCH v7 11/11] arm64: kexec_file: enable KEXEC_VERIFY_SIG for Image AKASHI Takahiro
2017-12-04 2:58 ` AKASHI Takahiro
2017-12-04 2:58 ` AKASHI Takahiro
2018-02-07 18:37 ` James Morse [this message]
2018-02-07 18:37 ` [PATCH v7 00/11] arm64: kexec: add kexec_file_load() support James Morse
2018-02-07 18:37 ` James Morse
2018-02-09 11:49 ` AKASHI Takahiro
2018-02-09 11:49 ` AKASHI Takahiro
2018-02-09 11:49 ` AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5A7B4761.3000808@arm.com \
--to=james.morse@arm.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bauerman@linux.vnet.ibm.com \
--cc=bhe@redhat.com \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=julien.thierry@arm.com \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=takahiro.akashi@linaro.org \
--cc=vgoyal@redhat.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.