[PATCH v5 0/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[PATCH v5 0/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Our customer reported that Kernel text may be located on non-mirror
region (movable zone) when both address range mirroring feature and
KASLR are enabled.

The functions of address range mirroring feature are as follows.
- The physical memory region whose descriptors in EFI memory map have
  EFI_MEMORY_MORE_RELIABLE attribute (bit: 16) are mirrored
- The function arranges such mirror region into normal zone and other region
  into movable zone in order to locate kernel code and data on mirror region

So we need restrict kernel to be located inside mirror regions if it
is existed.

The method is very simple. If efi is enabled, just iterate all efi
memory map and pick mirror region to process for adding candidate
of slot. No matter how many mirror regions or what size of mirror region
are found, as long as mirror region is found, we won't enter into e820
processing code though mirror region might not big enough to provide
different position for kernel. If efi disabled or no mirror region
existed, still process e820 memory map. This won't bring much efficiency
loss, at worst we just go through all efi memory maps and found no mirror.

Changelog:
v4->v5:
  Refactor process_efi_entries code according to Kees's suggestion. 

v3->v4:
  Rearrange the old patch 1/2 to make it be done in three steps for
  easier review addcording to Kees's suggestion.

v2->v3:
  Put process_efi_entry invocation inside the #ifdef CONFIG_EFI according
  to tglx's suggestion. Since the efi related code is meaningful only if
  CONFIG_EFI=y.

v1->v2:
  Removed debug code.

  Taku suggested that we should put kernel to mirrored region always
  whether or not "kernelcore=mirror" is specified since kernel text is
  important and mirrored region is reliable.

  Change code according to kbuild report and Chao Fan's comment.

Baoquan He (4):
  x86/boot/KASLR: Wrap e820 entries walking code into new function
    process_e820_entries()
  x86/boot/KASLR: Switch to pass struct mem_vector to
    process_e820_entry()
  x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()
  x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

 arch/x86/boot/compressed/kaslr.c | 125 ++++++++++++++++++++++++++++++---------
 1 file changed, 98 insertions(+), 27 deletions(-)

-- 
2.5.5

[PATCH v5 1/4] x86/boot/KASLR: Wrap e820 entries walking code into new function process_e820_entries()

[Baoquan He]

The original function process_e820_entry() only takes care of each
e820 entry passed.

And move the E820_TYPE_RAM checking logic into process_e820_entries().

And remove the redundent local variable 'addr' definition in
find_random_phys_addr().

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/boot/compressed/kaslr.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 91f27ab970ef..1485f48aeda1 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -488,10 +488,6 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	unsigned long start_orig, end;
 	struct boot_e820_entry cur_entry;
 
-	/* Skip non-RAM entries. */
-	if (entry->type != E820_TYPE_RAM)
-		return;
-
 	/* On 32-bit, ignore entries entirely above our maximum. */
 	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
 		return;
@@ -562,12 +558,29 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	}
 }
 
-static unsigned long find_random_phys_addr(unsigned long minimum,
-					   unsigned long image_size)
+static void process_e820_entries(unsigned long minimum,
+				 unsigned long image_size)
 {
 	int i;
-	unsigned long addr;
+	struct boot_e820_entry *entry;
+
+	/* Verify potential e820 positions, appending to slots list. */
+	for (i = 0; i < boot_params->e820_entries; i++) {
+		entry = &boot_params->e820_table[i];
+		/* Skip non-RAM entries. */
+		if (entry->type != E820_TYPE_RAM)
+			continue;
+		process_e820_entry(entry, minimum, image_size);
+		if (slot_area_index == MAX_SLOT_AREA) {
+			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
+			break;
+		}
+	}
+}
 
+static unsigned long find_random_phys_addr(unsigned long minimum,
+					   unsigned long image_size)
+{
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
 		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
@@ -577,16 +590,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
-	/* Verify potential e820 positions, appending to slots list. */
-	for (i = 0; i < boot_params->e820_entries; i++) {
-		process_e820_entry(&boot_params->e820_table[i], minimum,
-				   image_size);
-		if (slot_area_index == MAX_SLOT_AREA) {
-			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
-			break;
-		}
-	}
-
+	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
 
-- 
2.5.5

[PATCH v5 2/4] x86/boot/KASLR: Switch to pass struct mem_vector to process_e820_entry()

[Baoquan He]

This makes process_e820_entry() be able to process any kind of memory
region.

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/boot/compressed/kaslr.c | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 1485f48aeda1..36ff9f729c43 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,31 +479,31 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct boot_e820_entry *entry,
+static void process_e820_entry(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
 	struct mem_vector region, overlap;
 	struct slot_area slot_area;
 	unsigned long start_orig, end;
-	struct boot_e820_entry cur_entry;
+	struct mem_vector cur_entry;
 
 	/* On 32-bit, ignore entries entirely above our maximum. */
-	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
+	if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
 		return;
 
 	/* Ignore entries entirely below our minimum. */
-	if (entry->addr + entry->size < minimum)
+	if (entry->start + entry->size < minimum)
 		return;
 
 	/* Ignore entries above memory limit */
-	end = min(entry->size + entry->addr, mem_limit);
-	if (entry->addr >= end)
+	end = min(entry->size + entry->start, mem_limit);
+	if (entry->start >= end)
 		return;
-	cur_entry.addr = entry->addr;
-	cur_entry.size = end - entry->addr;
+	cur_entry.start = entry->start;
+	cur_entry.size = end - entry->start;
 
-	region.start = cur_entry.addr;
+	region.start = cur_entry.start;
 	region.size = cur_entry.size;
 
 	/* Give up if slot area array is full. */
@@ -518,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
 		/* Did we raise the address above this e820 region? */
-		if (region.start > cur_entry.addr + cur_entry.size)
+		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
 		/* Reduce size by any delta from the original address. */
@@ -562,6 +562,7 @@ static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
 	int i;
+	struct mem_vector region;
 	struct boot_e820_entry *entry;
 
 	/* Verify potential e820 positions, appending to slots list. */
@@ -570,7 +571,9 @@ static void process_e820_entries(unsigned long minimum,
 		/* Skip non-RAM entries. */
 		if (entry->type != E820_TYPE_RAM)
 			continue;
-		process_e820_entry(entry, minimum, image_size);
+		region.start = entry->addr;
+		region.size = entry->size;
+		process_e820_entry(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;
-- 
2.5.5

[PATCH v5 3/4] x86/boot/KASLR: Rename process_e820_entry() into process_mem_region()

[Baoquan He]

Now process_e820_entry() is not limited to e820 entry processing, rename
it to process_mem_region(). And adjust the code comment accordingly.

Signed-off-by: Baoquan He <bhe@redhat.com>
Acked-by: Kees Cook <keescook@chromium.org>
---
 arch/x86/boot/compressed/kaslr.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 36ff9f729c43..99c7194f7ea6 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,7 +479,7 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct mem_vector *entry,
+static void process_mem_region(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
@@ -517,7 +517,7 @@ static void process_e820_entry(struct mem_vector *entry,
 		/* Potentially raise address to meet alignment needs. */
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
-		/* Did we raise the address above this e820 region? */
+		/* Did we raise the address above the passed in memory entry? */
 		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
@@ -573,7 +573,7 @@ static void process_e820_entries(unsigned long minimum,
 			continue;
 		region.start = entry->addr;
 		region.size = entry->size;
-		process_e820_entry(&region, minimum, image_size);
+		process_mem_region(&region, minimum, image_size);
 		if (slot_area_index == MAX_SLOT_AREA) {
 			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
 			break;
-- 
2.5.5

[PATCH v5 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Kernel text may be located in non-mirror regions (movable zone) when both
address range mirroring feature and KASLR are enabled.

The address range mirroring feature arranges such mirror region into
normal zone and other region into movable zone in order to locate
kernel code and data in mirror region. The physical memory region
whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
attribute (bit: 16) are mirrored.

If efi is detected, iterate efi memory map and pick the mirror region to
process for adding candidate of randomization slot. If efi is disabled
or no mirror region found, still process e820 memory map.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 68 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 99c7194f7ea6..9059b571eca1 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -37,7 +37,9 @@
 #include <linux/uts.h>
 #include <linux/utsname.h>
 #include <linux/ctype.h>
+#include <linux/efi.h>
 #include <generated/utsrelease.h>
+#include <asm/efi.h>
 
 /* Macros used by the included decompressor code below. */
 #define STATIC
@@ -558,6 +560,65 @@ static void process_mem_region(struct mem_vector *entry,
 	}
 }
 
+#ifdef CONFIG_EFI
+/*
+ * Returns true if mirror region found (and must have been processed
+ * for slots adding)
+ */
+static bool process_efi_entries(unsigned long minimum,
+				unsigned long image_size)
+{
+	struct efi_info *e = &boot_params->efi_info;
+	bool efi_mirror_found = false;
+	struct mem_vector region;
+	efi_memory_desc_t *md;
+	unsigned long pmap;
+	char *signature;
+	u32 nr_desc;
+	int i;
+
+	signature = (char *)&boot_params->efi_info.efi_loader_signature;
+	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
+	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
+		return false;
+
+#ifdef CONFIG_X86_32
+	/* Can't handle data above 4GB at this time */
+	if (e->efi_memmap_hi) {
+		warn("Memory map is above 4GB, EFI should be disabled.\n");
+		return false;
+	}
+	pmap =  e->efi_memmap;
+#else
+	pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
+#endif
+
+	nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
+	for (i = 0; i < nr_desc; i++) {
+		md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
+		if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
+			region.start = md->phys_addr;
+			region.size = md->num_pages << EFI_PAGE_SHIFT;
+			process_mem_region(&region, minimum, image_size);
+			efi_mirror_found = true;
+
+			if (slot_area_index == MAX_SLOT_AREA) {
+				debug_putstr("Aborted efi scan (slot_areas full)!\n");
+				break;
+			}
+		}
+	}
+
+	return efi_mirror_found;
+}
+#else
+static inline bool process_efi_entries(unsigned long minimum,
+				       unsigned long image_size)
+{
+	return false;
+}
+#endif
+
 static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
@@ -586,13 +647,16 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 {
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
-		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
+		debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
 		return 0;
 	}
 
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
+	if(process_efi_entries(minimum, image_size))
+		return slots_fetch_random();
+
 	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
@@ -652,7 +716,7 @@ void choose_random_location(unsigned long input,
 	 */
 	min_addr = min(*output, 512UL << 20);
 
-	/* Walk e820 and find a random address. */
+	/* Walk available memory entries to find a random address. */
 	random_addr = find_random_phys_addr(min_addr, output_size);
 	if (!random_addr) {
 		warn("Physical KASLR disabled: no suitable memory region!");
-- 
2.5.5

Re: [PATCH v5 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Kees Cook]

On Thu, Jul 13, 2017 at 7:19 AM, Baoquan He <bhe@redhat.com> wrote:
> Kernel text may be located in non-mirror regions (movable zone) when both
> address range mirroring feature and KASLR are enabled.
>
> The address range mirroring feature arranges such mirror region into
> normal zone and other region into movable zone in order to locate
> kernel code and data in mirror region. The physical memory region
> whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
> attribute (bit: 16) are mirrored.
>
> If efi is detected, iterate efi memory map and pick the mirror region to
> process for adding candidate of randomization slot. If efi is disabled
> or no mirror region found, still process e820 memory map.
>
> Signed-off-by: Baoquan He <bhe@redhat.com>
> ---
>  arch/x86/boot/compressed/kaslr.c | 68 ++++++++++++++++++++++++++++++++++++++--
>  1 file changed, 66 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 99c7194f7ea6..9059b571eca1 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -37,7 +37,9 @@
>  #include <linux/uts.h>
>  #include <linux/utsname.h>
>  #include <linux/ctype.h>
> +#include <linux/efi.h>
>  #include <generated/utsrelease.h>
> +#include <asm/efi.h>
>
>  /* Macros used by the included decompressor code below. */
>  #define STATIC
> @@ -558,6 +560,65 @@ static void process_mem_region(struct mem_vector *entry,
>         }
>  }
>
> +#ifdef CONFIG_EFI
> +/*
> + * Returns true if mirror region found (and must have been processed
> + * for slots adding)
> + */
> +static bool process_efi_entries(unsigned long minimum,
> +                               unsigned long image_size)
> +{
> +       struct efi_info *e = &boot_params->efi_info;
> +       bool efi_mirror_found = false;
> +       struct mem_vector region;
> +       efi_memory_desc_t *md;
> +       unsigned long pmap;
> +       char *signature;
> +       u32 nr_desc;
> +       int i;
> +
> +       signature = (char *)&boot_params->efi_info.efi_loader_signature;
> +       if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
> +           strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
> +               return false;
> +
> +#ifdef CONFIG_X86_32
> +       /* Can't handle data above 4GB at this time */
> +       if (e->efi_memmap_hi) {
> +               warn("Memory map is above 4GB, EFI should be disabled.\n");
> +               return false;
> +       }
> +       pmap =  e->efi_memmap;
> +#else
> +       pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
> +#endif
> +
> +       nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
> +       for (i = 0; i < nr_desc; i++) {
> +               md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
> +               if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
> +                       region.start = md->phys_addr;
> +                       region.size = md->num_pages << EFI_PAGE_SHIFT;
> +                       process_mem_region(&region, minimum, image_size);
> +                       efi_mirror_found = true;
> +
> +                       if (slot_area_index == MAX_SLOT_AREA) {
> +                               debug_putstr("Aborted efi scan (slot_areas full)!\n");

Should this text be capitalized to "EFI" or expanded to "EFI mirror"?

> +                               break;
> +                       }
> +               }
> +       }
> +
> +       return efi_mirror_found;
> +}
> +#else
> +static inline bool process_efi_entries(unsigned long minimum,
> +                                      unsigned long image_size)
> +{
> +       return false;
> +}
> +#endif
> +
>  static void process_e820_entries(unsigned long minimum,
>                                  unsigned long image_size)
>  {
> @@ -586,13 +647,16 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
>  {
>         /* Check if we had too many memmaps. */
>         if (memmap_too_large) {
> -               debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
> +               debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
>                 return 0;
>         }
>
>         /* Make sure minimum is aligned. */
>         minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
>
> +       if(process_efi_entries(minimum, image_size))

Style nit: space between "if" and "(".

> +               return slots_fetch_random();
> +
>         process_e820_entries(minimum, image_size);
>         return slots_fetch_random();
>  }
> @@ -652,7 +716,7 @@ void choose_random_location(unsigned long input,
>          */
>         min_addr = min(*output, 512UL << 20);
>
> -       /* Walk e820 and find a random address. */
> +       /* Walk available memory entries to find a random address. */
>         random_addr = find_random_phys_addr(min_addr, output_size);
>         if (!random_addr) {
>                 warn("Physical KASLR disabled: no suitable memory region!");
> --
> 2.5.5
>

Otherwise, looks fine to me for the KASLR piece; I can't speak
specifically to the EFI logic. :)

Reviewed-by: Kees Cook <keescook@chromium.org>

-Kees

-- 
Kees Cook
Pixel Security

Re: [PATCH v5 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

On 07/17/17 at 04:13pm, Kees Cook wrote:
> > +#ifdef CONFIG_EFI
> > +/*
> > + * Returns true if mirror region found (and must have been processed
> > + * for slots adding)
> > + */
> > +static bool process_efi_entries(unsigned long minimum,
> > +                               unsigned long image_size)
> > +{
> > +       struct efi_info *e = &boot_params->efi_info;
> > +       bool efi_mirror_found = false;
> > +       struct mem_vector region;
> > +       efi_memory_desc_t *md;
> > +       unsigned long pmap;
> > +       char *signature;
> > +       u32 nr_desc;
> > +       int i;
> > +
> > +       signature = (char *)&boot_params->efi_info.efi_loader_signature;
> > +       if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
> > +           strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
> > +               return false;
> > +
> > +#ifdef CONFIG_X86_32
> > +       /* Can't handle data above 4GB at this time */
> > +       if (e->efi_memmap_hi) {
> > +               warn("Memory map is above 4GB, EFI should be disabled.\n");
> > +               return false;
> > +       }
> > +       pmap =  e->efi_memmap;
> > +#else
> > +       pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
> > +#endif
> > +
> > +       nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
> > +       for (i = 0; i < nr_desc; i++) {
> > +               md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
> > +               if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
> > +                       region.start = md->phys_addr;
> > +                       region.size = md->num_pages << EFI_PAGE_SHIFT;
> > +                       process_mem_region(&region, minimum, image_size);
> > +                       efi_mirror_found = true;
> > +
> > +                       if (slot_area_index == MAX_SLOT_AREA) {
> > +                               debug_putstr("Aborted efi scan (slot_areas full)!\n");
> 
> Should this text be capitalized to "EFI" or expanded to "EFI mirror"?

Yeah, this should be capitalized. And it should be EFI mirror here, just
later Naoya will add other features about EFI, not only EFI mirror. Let
me change it to EFI mirror, and Naoya can rebase on it.

Many thanks for your reviewing, Kees!

> 
> > +                               break;
> > +                       }
> > +               }
> > +       }
> > +
> > +       return efi_mirror_found;
> > +}
> > +#else
> > +static inline bool process_efi_entries(unsigned long minimum,
> > +                                      unsigned long image_size)
> > +{
> > +       return false;
> > +}
> > +#endif
> > +
> >  static void process_e820_entries(unsigned long minimum,
> >                                  unsigned long image_size)
> >  {
> > @@ -586,13 +647,16 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
> >  {
> >         /* Check if we had too many memmaps. */
> >         if (memmap_too_large) {
> > -               debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
> > +               debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
> >                 return 0;
> >         }
> >
> >         /* Make sure minimum is aligned. */
> >         minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
> >
> > +       if(process_efi_entries(minimum, image_size))
> 
> Style nit: space between "if" and "(".

Will change, could I forget running checkpatch script.

> 
> > +               return slots_fetch_random();
> > +
> >         process_e820_entries(minimum, image_size);
> >         return slots_fetch_random();
> >  }
> > @@ -652,7 +716,7 @@ void choose_random_location(unsigned long input,
> >          */
> >         min_addr = min(*output, 512UL << 20);
> >
> > -       /* Walk e820 and find a random address. */
> > +       /* Walk available memory entries to find a random address. */
> >         random_addr = find_random_phys_addr(min_addr, output_size);
> >         if (!random_addr) {
> >                 warn("Physical KASLR disabled: no suitable memory region!");
> > --
> > 2.5.5
> >
> 
> Otherwise, looks fine to me for the KASLR piece; I can't speak
> specifically to the EFI logic. :)
> 
> Reviewed-by: Kees Cook <keescook@chromium.org>

I will repost with the clean up change and adding your Reviewed-by
since no functionality change. Will see if there will be any EFI
related comment.

Thanks again for reviewing and great suggestions!

Thanks
Baoquan

[PATCH v6 4/4] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Kernel text may be located in non-mirror regions (movable zone) when both
address range mirroring feature and KASLR are enabled.

The address range mirroring feature arranges such mirror region into
normal zone and other region into movable zone in order to locate
kernel code and data in mirror region. The physical memory region
whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
attribute (bit: 16) are mirrored.

If efi is detected, iterate efi memory map and pick the mirror region to
process for adding candidate of randomization slot. If efi is disabled
or no mirror region found, still process e820 memory map.

Signed-off-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
---
v5->v6:
  Code style clean up according to Kees's comment.

 arch/x86/boot/compressed/kaslr.c | 68 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 66 insertions(+), 2 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 99c7194f7ea6..271b9632dd95 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -37,7 +37,9 @@
 #include <linux/uts.h>
 #include <linux/utsname.h>
 #include <linux/ctype.h>
+#include <linux/efi.h>
 #include <generated/utsrelease.h>
+#include <asm/efi.h>
 
 /* Macros used by the included decompressor code below. */
 #define STATIC
@@ -558,6 +560,65 @@ static void process_mem_region(struct mem_vector *entry,
 	}
 }
 
+#ifdef CONFIG_EFI
+/*
+ * Returns true if mirror region found (and must have been processed
+ * for slots adding)
+ */
+static bool process_efi_entries(unsigned long minimum,
+				unsigned long image_size)
+{
+	struct efi_info *e = &boot_params->efi_info;
+	bool efi_mirror_found = false;
+	struct mem_vector region;
+	efi_memory_desc_t *md;
+	unsigned long pmap;
+	char *signature;
+	u32 nr_desc;
+	int i;
+
+	signature = (char *)&boot_params->efi_info.efi_loader_signature;
+	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
+	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
+		return false;
+
+#ifdef CONFIG_X86_32
+	/* Can't handle data above 4GB at this time */
+	if (e->efi_memmap_hi) {
+		warn("Memory map is above 4GB, EFI should be disabled.\n");
+		return false;
+	}
+	pmap =  e->efi_memmap;
+#else
+	pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
+#endif
+
+	nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
+	for (i = 0; i < nr_desc; i++) {
+		md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
+		if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
+			region.start = md->phys_addr;
+			region.size = md->num_pages << EFI_PAGE_SHIFT;
+			process_mem_region(&region, minimum, image_size);
+			efi_mirror_found = true;
+
+			if (slot_area_index == MAX_SLOT_AREA) {
+				debug_putstr("Aborted EFI scan (slot_areas full)!\n");
+				break;
+			}
+		}
+	}
+
+	return efi_mirror_found;
+}
+#else
+static inline bool process_efi_entries(unsigned long minimum,
+				       unsigned long image_size)
+{
+	return false;
+}
+#endif
+
 static void process_e820_entries(unsigned long minimum,
 				 unsigned long image_size)
 {
@@ -586,13 +647,16 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 {
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
-		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
+		debug_putstr("Aborted memory entries scan (more than 4 memmap= args)!\n");
 		return 0;
 	}
 
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
+	if (process_efi_entries(minimum, image_size))
+		return slots_fetch_random();
+
 	process_e820_entries(minimum, image_size);
 	return slots_fetch_random();
 }
@@ -652,7 +716,7 @@ void choose_random_location(unsigned long input,
 	 */
 	min_addr = min(*output, 512UL << 20);
 
-	/* Walk e820 and find a random address. */
+	/* Walk available memory entries to find a random address. */
 	random_addr = find_random_phys_addr(min_addr, output_size);
 	if (!random_addr) {
 		warn("Physical KASLR disabled: no suitable memory region!");
-- 
2.5.5