Re: [PATCHv5 00/12] kexec: Use BPF lskel to enable kexec to load PE format boot image

[Philipp Rudo <prudo@redhat.com>]

Hi Pingfan,

thanks for sharing the updated version of the series. There are a few
small nits you can find in my comments to the individual patches.

I also took an other look at the bigger picture. The way I see it the
series contains two major changes.

1. A generic mechanism to parse and run bpf programs during kexec.
2. A new loader for UEFI Applications building up on 1.

Both those changes are currently smashed together as "PE image loader",
which IMHO is quite confusing. It's correct that UEFI Apps are PE
files. But the PE format is also used in many other ways and in the end
we are only interested in this specific use case. Plus the generic
mechanism to parse and run bpf programs during kexec can also be used
with any other file format, not just PE.

In addition I noticed that hooking into kexec_file while loading the
image is too late. The problem is that in
kernel/kexec_file.c:kimage_file_prepare_segments the cmdline is
measured for IMA before the image is loaded. But we allow the
bpf_prog to change the cmdline. When that is done the IMA measurement
no longer is correct. So we need a new hook to run the bpf programs
after the initrd and cmdline were read but before the IMA measurement is
done.

So my suggestions are:

1. Extend the kexec_file_ops by a new 'get_bpf_prog' hook.
2. Move the mechanism to run bpf progs from kexec_pe_image.c to
   kexec_file.c (with the new hook in the file_ops there shouldn't be
   any problems).
3. Rename CONFIG_KEXEC_PE_IMAGE to CONFIG_KEXEC_BPF
4. Rename kexec_pe_image.c (and the functions within) to
   kexec_uefi_app.c 

Thanks
Philipp

On Tue, 19 Aug 2025 09:24:16 +0800
Pingfan Liu <piliu@redhat.com> wrote:

> Cc systemd-devel@lists.freedesktop.org so any UKI expert can comment
> 
> *** Review the history ***
> 
> Nowadays UEFI PE bootable image is more and more popular on the distribution.
> But it is still an open issue to load that kind of image by kexec with IMA enabled
> 
> There are several approaches to reslove this issue, but none of them are
> accepted in upstream till now.
> 
> The summary of those approaches:
>   -1. UEFI service emulator for UEFI stub
>   -2. PE format parser in kernel
> 
> For the first one, I have tried a purgatory-style emulator [1]. But it
> confronts the hardware scaling trouble.  For the second one, there are two
> choices, one is to implement it inside the kernel, the other is inside the user
> space.  Both zboot-format [2] and UKI-format [3] parsers are rejected due to
> the concern that the variant format parsers will inflate the kernel code.  And
> finally, we have these kinds of parsers in the user space 'kexec-tools'.
> 
> 
> *** The approach in this series ***
> 
> This approach allows the various PE boot image to be parsed in the bpf-prog,
> as a result, the kexec kernel code to remain relatively stable.
> 
> Benefits
> And it abstracts architecture independent part and 
> the API is limitted 
> 
> To protect against malicious attacks on the BPF loader in user space, it
> employs BPF lskel to load and execute BPF programs from within the
> kernel.
> 
> Each type of PE image contains a dedicated section '.bpf', which stores
> the bpf-prog designed to parse the format.  This ensures that the PE's
> signature also protects the integrity of the '.bpf' section.
> 
> 
> The parsing process operates as a pipeline. The current BPF program
> parser attaches to bpf_handle_pefile() and detaches at the end of the
> current stage via disarm_bpf_prog(). The results parsed by the current
> BPF program are buffered in the kernel through prepare_nested_pe() and
> then delivered to the next stage. For each stage of the pipeline, the
> BPF bytecode is stored in the '.bpf' section of the PE file. That means
> a vmlinuz.efi embeded in UKI format can be handled.
> 
> 
> Special thanks to Philipp Rudo, who spent significant time evaluating
> the practicality of my solution, and to Viktor Malik, who guided me
> toward using BPF light skeleton to prevent malicious attacks from user
> space.
> 
> *** Test result ***
> Configured with RHEL kernel debug file, which turns on most of locking,
> memory debug option, I have not seen any warning or bug for 1000 times.
> 
> Test approach:
> -1. compile kernel
> -2. get the zboot image with bpf-prog by 'make -C tools/kexec zboot'
> -3. compile kexec-tools from https://github.com/pfliu/kexec-tools/pull/new/pe_bpf
> 
> The rest process is the common convention to use kexec.
> 
> 
> [1]: https://lore.kernel.org/lkml/20240819145417.23367-1-piliu@redhat.com/T/
> [2]: https://lore.kernel.org/kexec/20230306030305.15595-1-kernelfans@gmail.com/
> [3]: https://lore.kernel.org/lkml/20230911052535.335770-1-kernel@jfarr.cc/
> [4]: https://lore.kernel.org/linux-arm-kernel/20230921133703.39042-2-kernelfans@gmail.com/T/
> 
> v4 -> v5
>   - rebased onto Linux 6.17-rc2
>   - [1/12], use a separate CONFIG_KEEP_COMPRESSOR to decide the section
>     of decompressor method
>   - [10/12], add Catalin's acked-by (Thanks Catalin!)
> 
> v3 -> v4
>   - Use dynamic allocator in decompression ([4/12])
>   - Fix issue caused by Identical Code Folding ([5/12])
>   - Integrate the image generator tool in the kernel tree ([11,12/12])
>   - Address the issue according to Philipp's comments in v3 reviewing.
>     Thanks Philipp!
> 
> RFCv2 -> v3
>   - move the introduced bpf kfuncs to kernel/bpf/* and mark them sleepable
>   - use listener and publisher model to implement bpf_copy_to_kernel()
>   - keep each introduced kfunc under the control of memcg
> 
> RFCv1 -> RFCv2
>   - Use bpf kfunc instead of helper
>   - Use C source code to generate the light skeleton file
> 
> 
> *** BLURB HERE ***
> 
> Pingfan Liu (12):
>   kexec_file: Make kexec_image_load_default global visible
>   lib/decompress: Keep decompressor when CONFIG_KEEP_COMPRESSOR
>   bpf: Introduce bpf_copy_to_kernel() to buffer the content from bpf-prog
>   bpf: Introduce decompressor kfunc
>   kexec: Introduce kexec_pe_image to parse and load PE file
>   kexec: Integrate with the introduced bpf kfuncs
>   kexec: Introduce a bpf-prog lskel to parse PE file
>   kexec: Factor out routine to find a symbol in ELF
>   kexec: Integrate bpf light skeleton to load zboot image
>   arm64/kexec: Add PE image format support
>   tools/kexec: Introduce a bpf-prog to parse zboot image format
>   tools/kexec: Add a zboot image building tool
> 
>  arch/arm64/Kconfig                           |   1 +
>  arch/arm64/include/asm/kexec.h               |   1 +
>  arch/arm64/kernel/machine_kexec_file.c       |   3 +
>  include/linux/bpf.h                          |  42 ++
>  include/linux/decompress/mm.h                |   7 +
>  include/linux/kexec.h                        |  10 +
>  kernel/Kconfig.kexec                         |   9 +
>  kernel/Makefile                              |   2 +
>  kernel/bpf/Makefile                          |   3 +
>  kernel/bpf/helpers.c                         | 230 +++++++++
>  kernel/bpf/helpers_carrier.c                 | 215 +++++++++
>  kernel/kexec_bpf/Makefile                    |  71 +++
>  kernel/kexec_bpf/kexec_pe_parser_bpf.c       |  67 +++
>  kernel/kexec_bpf/kexec_pe_parser_bpf.lskel.h | 147 ++++++
>  kernel/kexec_file.c                          |  88 ++--
>  kernel/kexec_pe_image.c                      | 463 +++++++++++++++++++
>  lib/Kconfig                                  |   3 +
>  lib/decompress.c                             |   6 +-
>  tools/kexec/Makefile                         |  90 ++++
>  tools/kexec/pe.h                             | 177 +++++++
>  tools/kexec/zboot_image_builder.c            | 280 +++++++++++
>  tools/kexec/zboot_parser_bpf.c               | 158 +++++++
>  22 files changed, 2029 insertions(+), 44 deletions(-)
>  create mode 100644 kernel/bpf/helpers_carrier.c
>  create mode 100644 kernel/kexec_bpf/Makefile
>  create mode 100644 kernel/kexec_bpf/kexec_pe_parser_bpf.c
>  create mode 100644 kernel/kexec_bpf/kexec_pe_parser_bpf.lskel.h
>  create mode 100644 kernel/kexec_pe_image.c
>  create mode 100644 tools/kexec/Makefile
>  create mode 100644 tools/kexec/pe.h
>  create mode 100644 tools/kexec/zboot_image_builder.c
>  create mode 100644 tools/kexec/zboot_parser_bpf.c
> 
> 
> base-commit: c17b750b3ad9f45f2b6f7e6f7f4679844244f0b9