From: Baoquan He <bhe@redhat.com>
To: linux-kernel@vger.kernel.org, izumi.taku@jp.fujitsu.com
Cc: keescook@chromium.org, x86@kernel.org, fanc.fnst@cn.fujitsu.com,
caoj.fnst@cn.fujitsu.com, douly.fnst@cn.fujitsu.com
Subject: Re: [RFC][PATCH 0/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if existed
Date: Thu, 15 Jun 2017 16:03:29 +0800
Message-ID: <20170615080329.GB16181@x1>
In-Reply-To: <1497513169-25283-1-git-send-email-bhe@redhat.com>

Sorry, forgot to add Taku to the list.

Hi Taku,

On 06/15/17 at 03:52pm, Baoquan He wrote:
> Our customer reported that Kernel text may be located on non-mirror
> region (movable zone) when both address range mirroring feature and
> KASLR are enabled.
>
> The functions of the address range mirroring feature are as follows.
> - The physical memory regions whose descriptors in the EFI memory map have
>   the EFI_MEMORY_MORE_RELIABLE attribute (bit: 16) are mirrored
> - The function arranges such mirror regions into the normal zone and other
>   regions into the movable zone in order to locate kernel code and data on
>   a mirror region
>
> So we need to restrict the kernel to be located inside a mirror region
> if one exists.
>
> The method is very simple. If efi is enabled, just iterate over the whole
> efi memory map and pick up mirror regions to process for adding slot
> candidates. If efi is disabled or no mirror region exists, still process
> the e820 memory map. This won't bring much efficiency loss; at worst we
> just go through the whole efi memory map and find no mirror.
>
> One question:
> From the code, though mirror regions exist, they are meaningful only
> if the kernelcore=mirror kernel option is specified. Not sure if my
> understanding is correct.

Since you are the author of the kernelcore=mirror related code and an expert
on the mirror feature, could you help answer the above question?

Thanks
Baoquan

>
> NOTE:
> I haven't got a machine with an efi mirror region enabled, so I only tested
> the e820 map processing case and the case of no mirror region on an efi
> machine. So I set this as an RFC patchset, and will post a formal one after
> the above question is made clear and the mirror issue test passes.
>
> Baoquan He (2):
>   x86/boot/KASLR: Adapt process_e820_entry for all kinds of memory map
>   x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if
>     existed
>
> arch/x86/boot/compressed/kaslr.c | 129 +++++++++++++++++++++++++++++++--------
> 1 file changed, 104 insertions(+), 25 deletions(-)
>
> --
> 2.5.5
>
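
The selection rule described in the quoted cover letter (take only mirrored regions from the EFI map when any exist, otherwise fall back to the e820 map), as an added example that is not code from the patch set. The struct layouts, the function name and the sample maps are constructed for illustration, and restricting the scan to EFI_CONVENTIONAL_MEMORY is an assumption.

```c
#include <stddef.h>
#include <stdint.h>

#define EFI_MEMORY_MORE_RELIABLE (1ULL << 16) /* attribute bit 16, as in the cover letter */
#define EFI_CONVENTIONAL_MEMORY  7            /* assumption: only usable RAM is considered */
#define EFI_PAGE_SHIFT           12           /* EFI descriptors count 4 KiB pages */
#define E820_RAM                 1

/* Simplified, hypothetical layouts; not the kernel's own structs. */
struct efi_desc { uint32_t type; uint64_t phys_addr, num_pages, attribute; };
struct e820_ent { uint64_t addr, size; uint32_t type; };
struct region   { uint64_t start, size; };

/* Constructed sample maps: one mirrored EFI range, two usable e820 ranges. */
static const struct efi_desc efi_mirror[] = {
    { EFI_CONVENTIONAL_MEMORY, 0x00100000, 0x0700, 0 },
    { EFI_CONVENTIONAL_MEMORY, 0x01000000, 0x4000, EFI_MEMORY_MORE_RELIABLE },
    { 0, 0x05000000, 0x1000, EFI_MEMORY_MORE_RELIABLE },  /* reserved type: skipped */
};
static const struct efi_desc efi_plain[] = { { EFI_CONVENTIONAL_MEMORY, 0x00100000, 0x8000, 0 } };
static const struct e820_ent e820_map[] = {
    { 0x00100000, 0x00700000, E820_RAM },
    { 0x00800000, 0x00100000, 2 },                        /* reserved: skipped */
    { 0x01000000, 0x07000000, E820_RAM },
};

/* Fill out[] with KASLR slot candidate regions; efi == NULL models "efi disabled". */
size_t kaslr_candidates(const struct efi_desc *efi, size_t n_efi,
                        const struct e820_ent *e820, size_t n_e820,
                        struct region *out, size_t max)
{
    size_t found = 0;
    for (size_t i = 0; efi && i < n_efi && found < max; i++) {
        if (efi[i].type != EFI_CONVENTIONAL_MEMORY ||
            !(efi[i].attribute & EFI_MEMORY_MORE_RELIABLE))
            continue;
        out[found].start = efi[i].phys_addr;
        out[found++].size = efi[i].num_pages << EFI_PAGE_SHIFT;
    }
    if (found)              /* mirror regions exist: they are the only candidates */
        return found;
    for (size_t i = 0; i < n_e820 && found < max; i++) {
        if (e820[i].type != E820_RAM)
            continue;
        out[found].start = e820[i].addr;
        out[found++].size = e820[i].size;
    }
    return found;
}
```
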
Thread overview: 12+ messages
2017-06-15 7:52 [RFC][PATCH 0/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if existed Baoquan He
2017-06-15 7:52 ` [PATCH 1/2] x86/boot/KASLR: Adapt process_e820_entry for all kinds of memory map Baoquan He
2017-06-20 8:22 ` Chao Fan
2017-06-15 7:52 ` [PATCH 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if existed Baoquan He
2017-06-15 14:04 ` kbuild test robot
2017-06-15 15:03 ` Baoquan He
2017-06-15 8:03 ` Baoquan He [this message]
2017-06-15 8:34 ` [RFC][PATCH 0/2] " Izumi, Taku
2017-06-15 9:20 ` 'Baoquan He'
2017-06-22 3:10 ` Chao Fan
2017-06-22 3:20 ` Baoquan He
2017-06-22 3:36 ` Chao Fan