From: takahiro.akashi@linaro.org (AKASHI Takahiro)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v12 16/16] arm64: kexec_file: add kaslr support
Date: Wed, 1 Aug 2018 16:57:21 +0900 [thread overview]
Message-ID: <20180801075720.GM11258@linaro.org> (raw)
In-Reply-To: <405b6708-4518-d81e-3938-39032c2b487e@arm.com>
James,
All the changes mentioned below were applied to my coming v13.
On Fri, Jul 27, 2018 at 10:22:31AM +0100, James Morse wrote:
> Hi Akashi,
>
>
> On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:
> >On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
> >>On 24/07/18 07:57, AKASHI Takahiro wrote:
> >>>Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
> >>>address randomization, at secondary kernel boot.
> >>Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
> >>physical placement when booted via the EFIstub, the kernel-text VAs and the
> >>location of memory in the linear-map region. Adding the kaslr-seed only does the
> >>last two.
> >Yes, but I think that I and Mark has agreed that "kaslr" meant
> >"virtual" randomisation, not including "physical" randomisation.
> Okay, I'll update my terminology!
>
>
> >>This means the physical placement of the new kernel is predictable from
> >>/proc/iomem ... but this also tells you the physical placement of the current
> >>kernel, so I don't think this is a problem.
> >>
> >>
> >>>We always do this as it will have no harm on kaslr-incapable kernel.
> >>>We don't have any "switch" to turn off this feature directly, but still
> >>>can suppress it by passing "nokaslr" as a kernel boot argument.
> >>
> >>>diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> >>>index 7356da5a53d5..47a4fbd0dc34 100644
> >>>--- a/arch/arm64/kernel/machine_kexec_file.c
> >>>+++ b/arch/arm64/kernel/machine_kexec_file.c
> >>>@@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,
> >>Don't you need to reserve some space in the area you vmalloc()d for the DT?
> >No, I don't think so.
> >All the data to be loaded are temporarily saved in kexec buffers,
> >which will eventually be copied to target locations in machine_kexec
> >(arm64_relocate_new_kernel, which, unlike its name, will handle
> >not only kernel but also other data as well).
>
> I think we're speaking at cross purposes. Don't you need:
>
> | buf_size += fdt_prop_len("kaslr?seed", sizeof(u64));
>
>
> You can't assume the existing DTB had a kaslr-seed property, and the
> difference may take us over a PAGE_SIZE boundary.
I see, I will add that.
>
> >
> >>
> >>>+ /* add kaslr-seed */
> >>>+ get_random_bytes(&value, sizeof(value));
> >>What happens if the crng isn't ready?
> >>
> >>It looks like this will print a warning that these random-bytes aren't really up
> >>to standard, but the new kernel doesn't know this happened.
> >>
> >>crng_ready() isn't exposed, all we could do now is
> >>wait_for_random_bytes(), but that may wait forever because we do this
> >>unconditionally.
> >>
> >>I'd prefer to leave this feature until we can check crng_ready(), and skip
> >>adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
> >>entropy pool.
> >OK. I would try to follow the same way as Bhupesh's userspace patch
> >does for kaslr-seed:
> >http://lists.infradead.org/pipermail/kexec/2018-April/020564.html
>
> (I really don't understand this 'copying code from user-space' that happens
> with kexec_file_load)
>
>
> > if (not found kaslr-seed in 1st kernel's dtb)
> > don't care; go ahead
>
> Don' t bother. As you say in the commit-message its harmless if the new
> kernel doesn't support it.
> Always having this would let you use kexec_file_load as a bootloader that
> can get the crng to
> provide decent entropy even if the platform bootloader can't.
OK, but anyway previous "kaslr-seed" will be dropped first.
>
> > else
> > if (current kaslr-seed != 0)
> > error
>
> Don't bother. If this happens its a bug in another part of the kernel that
> doesn't affect this one. We aren't second-guessing the file-system when we
> read the kernel-fd, lets keep this simple.
OK
> > if (crng_ready()) ; FIXME, it's a local macro
> > get_random_bytes(non-blocking)
> > set new kaslr-seed
> > else
> > error
> error? Something like pr_warn_once().
It was changed to pr_notice() since there is nothing wrong.
Thanks,
-Takahiro AKASHI
> I thought the kaslr-seed was added to the entropy pool, but now I look again
> I see its a separate EFI table. So the new kernel will add the same entropy
> ... that doesn't sound clever. (I can't see where its zero'd or
> re-initialised)
>
>
>
> Thanks,
>
> James
prev parent reply other threads:[~2018-08-01 7:57 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-07-24 6:57 [PATCH v12 00/16] arm64: kexec: add kexec_file_load() support AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 01/16] asm-generic: add kexec_file_load system call to unistd.h AKASHI Takahiro
2018-07-26 13:35 ` James Morse
2018-07-27 5:22 ` AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 02/16] kexec_file: make kexec_image_post_load_cleanup_default() global AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 03/16] s390, kexec_file: drop arch_kexec_mem_walk() AKASHI Takahiro
2018-07-24 9:23 ` Philipp Rudo
2018-07-24 6:57 ` [PATCH v12 04/16] powerpc, kexec_file: factor out memblock-based arch_kexec_walk_mem() AKASHI Takahiro
2018-07-25 12:31 ` Dave Young
2018-07-27 5:25 ` AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 05/16] kexec_file: kexec_walk_memblock() only walks a dedicated region at kdump AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 06/16] of/fdt: add helper functions for handling properties AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 07/16] arm64: add image head flag definitions AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 08/16] arm64: cpufeature: add MMFR0 helper functions AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 09/16] arm64: enable KEXEC_FILE config AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 10/16] arm64: kexec_file: load initrd and device-tree AKASHI Takahiro
2018-07-26 13:34 ` James Morse
2018-07-27 5:37 ` AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 11/16] arm64: kexec_file: allow for loading Image-format kernel AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 12/16] arm64: kexec_file: add crash dump support AKASHI Takahiro
2018-07-26 13:36 ` James Morse
2018-07-27 7:00 ` AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 13/16] arm64: kexec_file: invoke the kernel without purgatory AKASHI Takahiro
2018-07-26 13:36 ` James Morse
2018-07-27 7:22 ` AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 14/16] include: pe.h: remove message[] from mz header definition AKASHI Takahiro
2018-07-24 6:57 ` [PATCH v12 15/16] arm64: kexec_file: add kernel signature verification support AKASHI Takahiro
2018-07-26 13:39 ` James Morse
2018-07-24 6:57 ` [PATCH v12 16/16] arm64: kexec_file: add kaslr support AKASHI Takahiro
2018-07-26 13:40 ` James Morse
2018-07-27 8:31 ` AKASHI Takahiro
[not found] ` <405b6708-4518-d81e-3938-39032c2b487e@arm.com>
2018-07-27 9:28 ` Ard Biesheuvel
2018-08-01 7:57 ` AKASHI Takahiro [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180801075720.GM11258@linaro.org \
--to=takahiro.akashi@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).