From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752436AbdFOJUi (ORCPT ); Thu, 15 Jun 2017 05:20:38 -0400 Received: from mx1.redhat.com ([209.132.183.28]:36896 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751727AbdFOJUh (ORCPT ); Thu, 15 Jun 2017 05:20:37 -0400 DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 9D396C04B938 Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=bhe@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 9D396C04B938 Date: Thu, 15 Jun 2017 17:20:32 +0800 From: "'Baoquan He'" To: "Izumi, Taku" Cc: "linux-kernel@vger.kernel.org" , "keescook@chromium.org" , "x86@kernel.org" , "Fan, Chao" , "Cao, Jin" , "Dou, Liyang" Subject: Re: [RFC][PATCH 0/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if existed Message-ID: <20170615092032.GC16181@x1> References: <1497513169-25283-1-git-send-email-bhe@redhat.com> <20170615080329.GB16181@x1> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.7.0 (2016-08-17) X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.31]); Thu, 15 Jun 2017 09:20:36 +0000 (UTC) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 06/15/17 at 08:34am, Izumi, Taku wrote: > Dear Baoquan, > > > > Our customer reported that Kernel text may be located on non-mirror > > > region (movable zone) when both address range mirroring feature and > > > KASLR are enabled. > > I know your customer :) LOL, have to agree. > > > The method is very simple. If efi is enabled, just iterate all efi > > > memory map and pick up mirror region to process for adding candidate > > > of slot. If efi disabled or no mirror region existed, still process > > > e820 memory map. This won't bring much efficiency loss, at worst we > > > just go through all efi memory maps and found no mirror. > > > > > > One question: > > > From code, though mirror regions are existed, they are meaningful only > > > if kernelcore=mirror kernel option is specified. Not sure if my > > > understanding is correct. > > Your understanding is almost correct. > Only when "kernelcore=mirror" specified, the above procedure works. > But, if mirrored regions are existed, bootmem allocator tries to > allocate from mirrored region independently of "kerenelcore=mirror" option. > > So, IMHO, kernel text is important, so putting it to mirrored (more reliable) > region is reasonable whether or not "kernelcore=mirror" is specified. Ah, yeah, thanks for telling. So at boot time memblock will put mirror region in highest priority to allocate. Then let me remove the kernelcore=mirror handling code, the process_efi_entry will be simpler. commit a3f5bafcc04aaf62990e0cf3ced1cc6d8dc6fe95 Author: Tony Luck Date: Wed Jun 24 16:58:12 2015 -0700 mm/memblock: allocate boot time data structures from mirrored memory > > Anyway thanks for submitting patch. > We have Address Range Mirroring capable machine, so we'll test your patch. Thanks a lot for help, Yasuaki Ishimatsu said he also will loan me a testing machine when it's available. Thanks Baoquan > > > > > > > > NOTE: > > > I haven't got a machine with efi mirror region enabled, so only test > > > the > > > e820 map processing case and the case of no mirror region on efi machine. > > > So set this as a RFC patchset, will post formal one after above > > > question is made clear and mirror issue test passed. > > > > > > Baoquan He (2): > > > x86/boot/KASLR: Adapt process_e820_entry for all kinds of memory map > > > x86/boot/KASLR: Restrict kernel to be randomized in mirror regions if > > > existed > > > > > > arch/x86/boot/compressed/kaslr.c | 129 > > > +++++++++++++++++++++++++++++++-------- > > > 1 file changed, 104 insertions(+), 25 deletions(-) > > > > > > -- > > > 2.5.5 > > > >