From: Baoquan He <bhe@redhat.com>
To: Coiby Xu <coxu@redhat.com>
Cc: kexec@lists.infradead.org, "Ondrej Kozina" <okozina@redhat.com>,
"Milan Broz" <gmazyland@gmail.com>,
"Thomas Staudt" <tstaudt@de.ibm.com>,
"Daniel P . Berrangé" <berrange@redhat.com>,
"Kairui Song" <ryncsn@gmail.com>
Subject: Re: [PATCH v3 7/7] x86/crash: make the page that stores the dm crypt keys inaccessible
Date: Tue, 21 May 2024 11:51:00 +0800 [thread overview]
Message-ID: <ZkwZ+PubwfDzEQ4v@MiWiFi-R3L-srv> (raw)
In-Reply-To: <20240425100434.198925-8-coxu@redhat.com>
On 04/25/24 at 06:04pm, Coiby Xu wrote:
> This adds an addition layer of protection for the saved copy of dm
> crypt key. Trying to access the saved copy will cause page fault.
>
> Suggested-by: Pingfan Liu <kernelfans@gmail.com>
> Signed-off-by: Coiby Xu <coxu@redhat.com>
> ---
> arch/x86/kernel/machine_kexec_64.c | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
> index b180d8e497c3..fc0a80f4254e 100644
> --- a/arch/x86/kernel/machine_kexec_64.c
> +++ b/arch/x86/kernel/machine_kexec_64.c
> @@ -545,13 +545,34 @@ static void kexec_mark_crashkres(bool protect)
> kexec_mark_range(control, crashk_res.end, protect);
> }
>
> +static void kexec_mark_dm_crypt_keys(bool protect)
> +{
> + unsigned long start_paddr, end_paddr;
> + unsigned int nr_pages;
> +
> + if (kexec_crash_image->dm_crypt_keys_addr) {
> + start_paddr = kexec_crash_image->dm_crypt_keys_addr;
> + end_paddr = start_paddr + kexec_crash_image->dm_crypt_keys_sz - 1;
> + nr_pages = (PAGE_ALIGN(end_paddr) - PAGE_ALIGN_DOWN(start_paddr))/PAGE_SIZE;
> + if (protect)
> + set_memory_np((unsigned long)phys_to_virt(start_paddr), nr_pages);
> + else
> + __set_memory_prot(
> + (unsigned long)phys_to_virt(start_paddr),
> + nr_pages,
> + __pgprot(_PAGE_PRESENT | _PAGE_NX | _PAGE_RW));
> + }
> +}
> +
> void arch_kexec_protect_crashkres(void)
> {
> kexec_mark_crashkres(true);
> + kexec_mark_dm_crypt_keys(true);
Really? Are all x86 systems having this dm_crypt_keys and need be
handled in kdump?
> }
>
> void arch_kexec_unprotect_crashkres(void)
> {
> + kexec_mark_dm_crypt_keys(false);
> kexec_mark_crashkres(false);
> }
> #endif
> --
> 2.44.0
>
next prev parent reply other threads:[~2024-05-21 3:51 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-25 10:04 [PATCH v3 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 1/7] kexec_file: allow to place kexec_buf randomly Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-05-20 6:16 ` Baoquan He
2024-05-20 6:16 ` Baoquan He
2024-05-21 1:58 ` Coiby Xu
2024-05-21 1:58 ` Coiby Xu
2024-05-21 3:13 ` Baoquan He
2024-05-21 3:13 ` Baoquan He
2024-05-24 7:22 ` Coiby Xu
2024-05-24 7:22 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 2/7] crash_dump: make dm crypt keys persist for the kdump kernel Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-04-26 13:10 ` kernel test robot
2024-04-26 13:10 ` kernel test robot
2024-05-21 3:20 ` Baoquan He
2024-05-21 3:20 ` Baoquan He
2024-05-23 5:34 ` Coiby Xu
2024-05-23 5:34 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 3/7] crash_dump: store dm keys in kdump reserved memory Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-05-21 3:42 ` Baoquan He
2024-05-24 7:38 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 4/7] crash_dump: reuse saved dm crypt keys for CPU/memory hot-plugging Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-05-21 3:48 ` Baoquan He
2024-05-21 3:48 ` Baoquan He
2024-05-24 7:40 ` Coiby Xu
2024-05-24 7:40 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 5/7] crash_dump: retrieve dm crypt keys in kdump kernel Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 6/7] x86/crash: pass dm crypt keys to " Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-04-25 10:04 ` [PATCH v3 7/7] x86/crash: make the page that stores the dm crypt keys inaccessible Coiby Xu
2024-04-25 10:04 ` Coiby Xu
2024-05-21 3:51 ` Baoquan He [this message]
2024-05-24 7:43 ` Coiby Xu
2024-05-20 6:18 ` [PATCH v3 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys Baoquan He
2024-05-20 6:18 ` Baoquan He
2024-05-21 1:43 ` Coiby Xu
2024-05-21 1:43 ` Coiby Xu
2024-05-21 3:19 ` Baoquan He
2024-05-21 3:19 ` Baoquan He
2024-05-30 9:33 ` Dave Young
2024-05-30 9:33 ` Dave Young
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZkwZ+PubwfDzEQ4v@MiWiFi-R3L-srv \
--to=bhe@redhat.com \
--cc=berrange@redhat.com \
--cc=coxu@redhat.com \
--cc=gmazyland@gmail.com \
--cc=kexec@lists.infradead.org \
--cc=okozina@redhat.com \
--cc=ryncsn@gmail.com \
--cc=tstaudt@de.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.