From: Mark Rutland <mark.rutland@arm.com>
To: AKASHI Takahiro <takahiro.akashi@linaro.org>
Cc: catalin.marinas@arm.com, will.deacon@arm.com,
bauerman@linux.vnet.ibm.com, dhowells@redhat.com,
vgoyal@redhat.com, herbert@gondor.apana.org.au,
davem@davemloft.net, akpm@linux-foundation.org,
mpe@ellerman.id.au, dyoung@redhat.com, bhe@redhat.com,
arnd@arndb.de, ard.biesheuvel@linaro.org,
kexec@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH 09/14] arm64: kexec_file: add sha256 digest check in purgatory
Date: Thu, 24 Aug 2017 18:04:40 +0100 [thread overview]
Message-ID: <20170824170440.GD29665@leverpostej> (raw)
In-Reply-To: <20170824081811.19299-10-takahiro.akashi@linaro.org>
On Thu, Aug 24, 2017 at 05:18:06PM +0900, AKASHI Takahiro wrote:
> Most of sha256 code is based on crypto/sha256-glue.c, particularly using
> non-neon version.
>
> Please note that we won't be able to re-use lib/mem*.S for purgatory
> because unaligned memory access is not allowed in purgatory where mmu
> is turned off.
>
> Since purgatory is not linked with the other part of kernel, care must be
> taken of selecting an appropriate set of compiler options in order to
> prevent undefined symbol references from being generated.
What is the point in performing this check in the purgatory code, when
this will presumably have been checked when the image is loaded?
[...]
> diff --git a/arch/arm64/purgatory/entry.S b/arch/arm64/purgatory/entry.S
> index bc4e6b3bf8a1..74d028b838bd 100644
> --- a/arch/arm64/purgatory/entry.S
> +++ b/arch/arm64/purgatory/entry.S
> @@ -6,6 +6,11 @@
> .text
>
> ENTRY(purgatory_start)
> + adr x19, .Lstack
> + mov sp, x19
> +
> + bl purgatory
> +
> /* Start new image. */
> ldr x17, arm64_kernel_entry
> ldr x0, arm64_dtb_addr
> @@ -15,6 +20,14 @@ ENTRY(purgatory_start)
> br x17
> END(purgatory_start)
>
> +.ltorg
> +
> +.align 4
> + .rept 256
> + .quad 0
> + .endr
> +.Lstack:
> +
> .data
Why is the stack in .text?
Does this need to be zeroed?
If it does, why not something like:
.fill PURGATORY_STACK_SIZE 1, 0
>
> .align 3
> diff --git a/arch/arm64/purgatory/purgatory.c b/arch/arm64/purgatory/purgatory.c
> new file mode 100644
> index 000000000000..7fcbefa786bc
> --- /dev/null
> +++ b/arch/arm64/purgatory/purgatory.c
> @@ -0,0 +1,20 @@
> +/*
> + * purgatory: Runs between two kernels
> + *
> + * Copyright (c) 2017 Linaro Limited
> + * Author: AKASHI Takahiro <takahiro.akashi@linaro.org>
> + */
> +
> +#include "sha256.h"
> +
> +void purgatory(void)
> +{
> + int ret;
> +
> + ret = verify_sha256_digest();
> + if (ret) {
> + /* loop forever */
> + for (;;)
> + ;
> + }
> +}
Surely we can do something slightly better than a busy loop? e.g.
something like the __no_granule_support loop in head.s?
> diff --git a/arch/arm64/purgatory/sha256-core.S b/arch/arm64/purgatory/sha256-core.S
> new file mode 100644
> index 000000000000..24f5ce25b61e
> --- /dev/null
> +++ b/arch/arm64/purgatory/sha256-core.S
> @@ -0,0 +1 @@
> +#include "../crypto/sha256-core.S_shipped"
> diff --git a/arch/arm64/purgatory/sha256.c b/arch/arm64/purgatory/sha256.c
> new file mode 100644
> index 000000000000..5d20d81767e3
> --- /dev/null
> +++ b/arch/arm64/purgatory/sha256.c
> @@ -0,0 +1,79 @@
> +#include <linux/kexec.h>
> +#include <linux/purgatory.h>
> +#include <linux/types.h>
> +
> +/*
> + * Under KASAN, those are defined as un-instrumented version, __memxxx()
> + */
> +#undef memcmp
> +#undef memcpy
> +#undef memset
This doesn't look like the right place for this undeffery; it looks
rather fragile.
> +
> +#include "string.h"
> +#include <crypto/hash.h>
> +#include <crypto/sha.h>
> +#include <crypto/sha256_base.h>
> +
> +u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE] __section(.kexec-purgatory);
> +struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX]
> + __section(.kexec-purgatory);
> +
> +asmlinkage void sha256_block_data_order(u32 *digest, const void *data,
> + unsigned int num_blks);
> +
> +static int sha256_init(struct shash_desc *desc)
> +{
> + return sha256_base_init(desc);
> +}
> +
> +static int sha256_update(struct shash_desc *desc, const u8 *data,
> + unsigned int len)
> +{
> + return sha256_base_do_update(desc, data, len,
> + (sha256_block_fn *)sha256_block_data_order);
> +}
> +
> +static int __sha256_base_finish(struct shash_desc *desc, u8 *out)
> +{
> + /* we can't do crypto_shash_digestsize(desc->tfm) */
> + unsigned int digest_size = 32;
> + struct sha256_state *sctx = shash_desc_ctx(desc);
> + __be32 *digest = (__be32 *)out;
> + int i;
> +
> + for (i = 0; digest_size > 0; i++, digest_size -= sizeof(__be32))
> + put_unaligned_be32(sctx->state[i], digest++);
> +
> + *sctx = (struct sha256_state){};
> + return 0;
> +}
> +
> +static int sha256_final(struct shash_desc *desc, u8 *out)
> +{
> + sha256_base_do_finalize(desc,
> + (sha256_block_fn *)sha256_block_data_order);
> +
> + return __sha256_base_finish(desc, out);
> +}
> +
> +int verify_sha256_digest(void)
> +{
> + char __sha256_desc[sizeof(struct shash_desc) +
> + sizeof(struct sha256_state)] CRYPTO_MINALIGN_ATTR;
> + struct shash_desc *desc = (struct shash_desc *)__sha256_desc;
> + struct kexec_sha_region *ptr, *end;
> + u8 digest[SHA256_DIGEST_SIZE];
> +
> + sha256_init(desc);
> +
> + end = purgatory_sha_regions + ARRAY_SIZE(purgatory_sha_regions);
> + for (ptr = purgatory_sha_regions; ptr < end; ptr++)
> + sha256_update(desc, (uint8_t *)(ptr->start), ptr->len);
> +
> + sha256_final(desc, digest);
> +
> + if (memcmp(digest, purgatory_sha256_digest, sizeof(digest)))
> + return 1;
> +
> + return 0;
> +}
> diff --git a/arch/arm64/purgatory/sha256.h b/arch/arm64/purgatory/sha256.h
> new file mode 100644
> index 000000000000..54dc3c33c469
> --- /dev/null
> +++ b/arch/arm64/purgatory/sha256.h
> @@ -0,0 +1 @@
> +extern int verify_sha256_digest(void);
> diff --git a/arch/arm64/purgatory/string.c b/arch/arm64/purgatory/string.c
> new file mode 100644
> index 000000000000..33233a210a65
> --- /dev/null
> +++ b/arch/arm64/purgatory/string.c
> @@ -0,0 +1,32 @@
> +#include <linux/types.h>
> +
> +void *memcpy(void *dst, const void *src, size_t len)
> +{
> + int i;
> +
> + for (i = 0; i < len; i++)
> + ((u8 *)dst)[i] = ((u8 *)src)[i];
> +
> + return NULL;
> +}
> +
> +void *memset(void *dst, int c, size_t len)
> +{
> + int i;
> +
> + for (i = 0; i < len; i++)
> + ((u8 *)dst)[i] = (u8)c;
> +
> + return NULL;
> +}
> +
> +int memcmp(const void *src, const void *dst, size_t len)
> +{
> + int i;
> +
> + for (i = 0; i < len; i++)
> + if (*(char *)src != *(char *)dst)
> + return 1;
> +
> + return 0;
> +}
How is the compiler prevented from "optimising" these into calls to
themselves?
I suspect these will need to be written in asm.
Thanks,
Mark.
next prev parent reply other threads:[~2017-08-24 17:05 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-24 8:17 [PATCH 00/14] arm64: kexec: add kexec_file_load support AKASHI Takahiro
2017-08-24 8:17 ` [PATCH 01/14] MODSIGN: Export module signature definitions AKASHI Takahiro
2017-08-24 8:17 ` [PATCH 02/14] include: pe.h: remove message[] from mz header definition AKASHI Takahiro
2017-08-24 9:04 ` Ard Biesheuvel
2017-08-24 8:18 ` [PATCH 03/14] resource: add walk_system_ram_res_rev() AKASHI Takahiro
2017-08-24 9:06 ` Ard Biesheuvel
2017-08-25 0:50 ` AKASHI Takahiro
2017-08-31 2:34 ` Pratyush Anand
2017-09-08 2:33 ` AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 04/14] kexec_file: factor out vmlinux (elf) parser from powerpc AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 05/14] kexec_file: factor out crashdump elf header function from x86 AKASHI Takahiro
2017-08-25 5:47 ` Dave Young
2017-09-08 2:31 ` AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 06/14] kexec_file: add kexec_add_segment() AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 07/14] asm-generic: add kexec_file_load system call to unistd.h AKASHI Takahiro
2017-08-24 10:53 ` Arnd Bergmann
2017-08-24 8:18 ` [PATCH 08/14] arm64: kexec_file: create purgatory AKASHI Takahiro
2017-08-24 9:10 ` Ard Biesheuvel
2017-08-25 1:10 ` AKASHI Takahiro
2017-08-24 16:56 ` Mark Rutland
2017-08-25 1:00 ` AKASHI Takahiro
2017-08-25 10:22 ` Mark Rutland
2017-08-25 16:16 ` Thiago Jung Bauermann
2017-09-08 2:46 ` AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 09/14] arm64: kexec_file: add sha256 digest check in purgatory AKASHI Takahiro
2017-08-24 9:13 ` Ard Biesheuvel
2017-08-25 1:25 ` AKASHI Takahiro
2017-08-24 17:04 ` Mark Rutland [this message]
2017-08-25 1:21 ` AKASHI Takahiro
2017-08-25 10:41 ` Mark Rutland
2017-09-08 2:50 ` AKASHI Takahiro
2017-09-08 15:59 ` Thiago Jung Bauermann
2017-08-24 8:18 ` [PATCH 10/14] arm64: kexec_file: load initrd, device-tree and purgatory segments AKASHI Takahiro
2017-08-24 17:11 ` Mark Rutland
2017-08-25 1:34 ` AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 11/14] arm64: kexec_file: set up for crash dump adding elf core header AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 12/14] arm64: enable KEXEC_FILE config AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 13/14] arm64: kexec_file: add Image format support AKASHI Takahiro
2017-08-24 17:23 ` Mark Rutland
2017-08-25 1:49 ` AKASHI Takahiro
2017-08-24 8:18 ` [PATCH 14/14] arm64: kexec_file: add vmlinux " AKASHI Takahiro
2017-08-24 17:30 ` Mark Rutland
2017-08-25 2:03 ` AKASHI Takahiro
2017-08-25 6:13 ` Dave Young
2017-09-08 2:54 ` AKASHI Takahiro
2017-08-29 10:01 ` Mark Rutland
2017-08-29 16:15 ` Thiago Jung Bauermann
2017-08-30 8:40 ` Michael Ellerman
2017-09-08 3:07 ` AKASHI Takahiro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170824170440.GD29665@leverpostej \
--to=mark.rutland@arm.com \
--cc=akpm@linux-foundation.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=bauerman@linux.vnet.ibm.com \
--cc=bhe@redhat.com \
--cc=catalin.marinas@arm.com \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dyoung@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=kexec@lists.infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mpe@ellerman.id.au \
--cc=takahiro.akashi@linaro.org \
--cc=vgoyal@redhat.com \
--cc=will.deacon@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox