From: "Eric W. Biederman" <ebiederm@xmission.com>
To: Baoquan He <bhe@redhat.com>
Cc: "Kirill A. Shutemov" <kirill@shutemov.name>,
akpm@linux-foundation.org, kexec@lists.infradead.org,
Yan Zhao <yan.y.zhao@intel.com>,
linux-kernel@vger.kernel.org, linux-coco@lists.linux.dev,
x86@kernel.org, rick.p.edgecombe@intel.com,
kirill.shutemov@linux.intel.com, <security@kernel.org>
Subject: Re: [PATCH v2 0/1] Accept unaccepted kexec segments' destination addresses
Date: Mon, 13 Jan 2025 08:59:29 -0600 [thread overview]
Message-ID: <87zfjuoj3i.fsf@email.froward.int.ebiederm.org> (raw)
In-Reply-To: <Z4T1G4dwzo7qdwSP@MiWiFi-R3L-srv> (Baoquan He's message of "Mon, 13 Jan 2025 19:12:27 +0800")
Baoquan He <bhe@redhat.com> writes:
> On 01/13/25 at 12:01pm, Kirill A. Shutemov wrote:
>> On Fri, Dec 13, 2024 at 05:49:30PM +0800, Yan Zhao wrote:
>> > Hi Eric,
>> >
>> > This is a repost of the patch "kexec_core: Accept unaccepted kexec
>> > destination addresses" [1], rebased to v6.13-rc2.
>>
>> Can we get this patch applied?
>
> This looks good to me. In v1, we have analyzed all other possible
> solutions, however change in this patch seems the simplest and most
> accepatable one.
Truly? I will go back and look and see what I missed but I haven't seen
anything that I addressed my original objections.
To repeat my objection. The problem I saw was that the performance of
the accepted memory paradigm was so terrible that they had to resort to
lazily ``accepting'' memory, which leads to hacks in kexec. I would not
like to included hacks in kexec just so that other people can avoid
fixing their bugs.
I did see a coherent explanation of the bad performance that pointed the
finger squarely at the fact that everything is happening a page at a
time. AKA that the design of the ACPI interface has a flaw that needs
to be fixed.
I really don't think we should be making complicated work-arounds for
someone else's bad software decision just because someone immortalized
their bad decision in a standard. Just accepting all of memory and
letting the folks who made the bad decision deal with the consequences
seems much more reasonable to me.
> If Eric has no objection, maybe Andrew can help pick this into his
> tree.
I have a new objection. I believe ``unaccepted memory'' and especially
lazily initialized ``unaccepted memory'' is an information leak that
could defeat the purpose of encrypted memory. For that reason I have
Cc'd the security list. I don't know who to CC to get expertise on this
issue, and the security list folks should.
Unless I am misunderstanding things the big idea with encrypted
memory is that the hypervisor won't be able to figure out what you
are doing, because it can't read your memory.
My concern is that by making the ``acceptance'' of memory lazy, that
there is a fairly strong indication of the function of different parts
of memory. I expect that signal is strong enough to defeat whatever
elements of memory address randomization that we implement in the
kernel.
So not only does it appear to me that implementation of ``accepting''
memory has a stupidly slow implementation, somewhat enshrined by a bad
page at a time ACPI standard, but it appears to me that lazily
``accepting'' that memory probably defeats the purpose of having
encrypted memory.
I think the actual solution is to remove all code except for the
"accept_memory=eager" code paths. AKA delete the "accept_memory=lazy"
code. At that point there are no more changes that need to be made to
kexec.
Eric
next prev parent reply other threads:[~2025-01-13 15:48 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-12-13 9:49 [PATCH v2 0/1] Accept unaccepted kexec segments' destination addresses Yan Zhao
2024-12-13 9:54 ` [PATCH v2 1/1] kexec_core: " Yan Zhao
2025-02-13 15:50 ` Dave Hansen
2025-02-14 13:37 ` Kirill A. Shutemov
2025-02-19 23:16 ` Dave Hansen
2025-01-13 10:01 ` [PATCH v2 0/1] " Kirill A. Shutemov
2025-01-13 11:12 ` Baoquan He
2025-01-13 14:59 ` Eric W. Biederman [this message]
2025-01-14 3:26 ` Baoquan He
2025-01-14 7:04 ` Yan Zhao
2025-01-14 10:08 ` Kirill A. Shutemov
2025-02-13 15:55 ` Dave Hansen
2025-02-14 13:46 ` Kirill A. Shutemov
2025-02-14 16:20 ` Dave Hansen
2025-03-04 8:41 ` Kirill A. Shutemov
2025-03-04 18:49 ` Eric W. Biederman
2025-03-04 19:16 ` Dave Hansen
2025-03-12 20:33 ` Dave Hansen
2025-02-19 23:03 ` Jianxiong Gao
2025-02-20 2:27 ` Ashish Kalra
2025-03-04 23:43 ` Andrew Morton
2025-03-04 23:53 ` Andrew Morton
2025-03-04 23:54 ` Andrew Morton
2025-03-13 12:06 ` Kirill A. Shutemov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfjuoj3i.fsf@email.froward.int.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=akpm@linux-foundation.org \
--cc=bhe@redhat.com \
--cc=kexec@lists.infradead.org \
--cc=kirill.shutemov@linux.intel.com \
--cc=kirill@shutemov.name \
--cc=linux-coco@lists.linux.dev \
--cc=linux-kernel@vger.kernel.org \
--cc=rick.p.edgecombe@intel.com \
--cc=security@kernel.org \
--cc=x86@kernel.org \
--cc=yan.y.zhao@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox