Kexec Archive on lore.kernel.org
 help / color / mirror / Atom feed
From: James Morse <james.morse@arm.com>
To: Bhupesh SHARMA <bhupesh.linux@gmail.com>
Cc: Pratyush Anand <panand@redhat.com>,
	Mark Rutland <mark.rutland@arm.com>, Baoquan He <bhe@redhat.com>,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>,
	"kexec@lists.infradead.org" <kexec@lists.infradead.org>,
	Simon Horman <horms@verge.net.au>, Dave Young <dyoung@redhat.com>,
	"linux-arm-kernel@lists.infradead.org"
	<linux-arm-kernel@lists.infradead.org>
Subject: Re: [PATCH v3 0/2] kexec-tools: arm64: Enable D-cache in purgatory
Date: Fri, 02 Jun 2017 17:36:08 +0100	[thread overview]
Message-ID: <593193F8.1080509@arm.com> (raw)
In-Reply-To: <CAFTCetS17w0-BJJzTfi8uNS67xos4MwJz3R=qdz2Oe7+fcXk3g@mail.gmail.com>

Hi Bhupesh,

On 02/06/17 12:15, Bhupesh SHARMA wrote:
> On Fri, Jun 2, 2017 at 3:25 PM, Ard Biesheuvel
> <ard.biesheuvel@linaro.org> wrote:
>> On 2 June 2017 at 08:23, James Morse <james.morse@arm.com> wrote:
>>> On 23/05/17 06:02, Pratyush Anand wrote:
>>>> It takes more that 2 minutes to verify SHA in purgatory when vmlinuz image
>>>> is around 13MB and initramfs is around 30MB. It takes more than 20 second
>>>> even when we have -O2 optimization enabled. However, if dcache is enabled
>>>> during purgatory execution then, it takes just a second in SHA
>>>> verification.
>>>>
>>>> Therefore, these patches adds support for dcache enabling facility during
>>>> purgatory execution.
>>>
>>> I'm still not convinced we need this. Moving the SHA verification to happen
>>> before the dcache+mmu are disabled would also solve the delay problem, and we
>>> can print an error message or fail the syscall.
>>>
>>> For kexec we don't expect memory corruption, what are we testing for?
>>
>> This is a very good question. SHA-256 is quite a heavy hammer if all
>> you need is CRC style error detection.

Thanks for the history links.

We don't (yet) support KEXEC_FILE or KEXEC_VERIFY_SIG, and arm64 doesn't have an
in-kernel purgatory (which looks to be required for kexec_file under secure-boot).


> AFAICR the sha-256 implementation was proposed to boot a signed
> kexec/kdump kernel to circumvent kexec from violating UEFI secure boot
> restrictions (see [1]).

The beginning of the kexec-tools git history is 'kexec-tools-1.101' in 2006, it
had util_lib/sha256.c. It looks like SecureBoot arrived in 2011 with v2.3.1 of UEFI.
I can see how x86 picked up on this checksum for secure-boot as kexec-tools
already did this work, (some of the files under arch/x86/purgatory note their
kexec-tools origin), my question is why did it do it in the first place?
If the reason is accidental writes, we mitigate this on arm64 by unmapping the
kdump region instead of just marking it read-only.


> As Matthew Garret rightly noted (see[2]), secure Boot, if enabled, is
> explicitly designed to stop you booting modified kernels unless you've
> added your own keys.

> So, CRC wouldn't possibly fulfil the functionality we are trying to
> achieve with SHA-256 in the purgatory.

Is this still true for a purgatory provided by user-space?


Thanks,

James


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

  parent reply	other threads:[~2017-06-02 16:36 UTC|newest]

Thread overview: 20+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-05-23  5:02 [PATCH v3 0/2] kexec-tools: arm64: Enable D-cache in purgatory Pratyush Anand
2017-05-23  5:02 ` [PATCH v3 1/2] kexec: arm64: create identity page table to be used " Pratyush Anand
2017-06-02  8:24   ` James Morse
2017-06-02 14:29     ` Pratyush Anand
2017-05-23  5:02 ` [PATCH v3 2/2] arm64: enable d-cache support during purgatory sha verification Pratyush Anand
2017-06-02  8:23 ` [PATCH v3 0/2] kexec-tools: arm64: Enable D-cache in purgatory James Morse
2017-06-02  9:55   ` Ard Biesheuvel
2017-06-02 11:15     ` Bhupesh SHARMA
2017-06-02 11:36       ` Ard Biesheuvel
2017-06-02 11:44         ` Ard Biesheuvel
2017-06-02 14:32           ` Pratyush Anand
2017-06-02 16:36       ` James Morse [this message]
2017-06-02 14:42   ` Pratyush Anand
     [not found]     ` <CAB=otbT23ySN4VC6G0sBKF5p4SvsnG8PS-C_beBgn8YJUsbw9Q@mail.gmail.com>
2018-04-04 12:45       ` Kostiantyn Iarmak
2018-04-04 13:04         ` Kostiantyn Iarmak
2018-04-04 13:28         ` James Morse
2018-04-04 22:55           ` Ard Biesheuvel
2018-04-05  1:47           ` AKASHI Takahiro
2018-04-06 18:15           ` Kostiantyn Iarmak
2018-04-11 15:59           ` Geoff Levand

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=593193F8.1080509@arm.com \
    --to=james.morse@arm.com \
    --cc=ard.biesheuvel@linaro.org \
    --cc=bhe@redhat.com \
    --cc=bhupesh.linux@gmail.com \
    --cc=dyoung@redhat.com \
    --cc=horms@verge.net.au \
    --cc=kexec@lists.infradead.org \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=mark.rutland@arm.com \
    --cc=panand@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox