From: "Michael S. Tsirkin" <mst@redhat.com>
To: Gerd Hoffmann <kraxel@redhat.com>
Cc: qemu-devel@nongnu.org,
Marcel Apfelbaum <marcel.apfelbaum@gmail.com>,
Paolo Bonzini <pbonzini@redhat.com>,
Richard Henderson <richard.henderson@linaro.org>,
Eduardo Habkost <eduardo@habkost.net>
Subject: Re: [PATCH] x86/loader: only patch linux kernels
Date: Wed, 10 Apr 2024 03:26:29 -0400 [thread overview]
Message-ID: <20240410032448-mutt-send-email-mst@kernel.org> (raw)
In-Reply-To: <20240410072126.617063-1-kraxel@redhat.com>
On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> If the binary loaded via -kernel is *not* a linux kernel (in which
> case protocol == 0), do not patch the linux kernel header fields.
>
> It's (a) pointless and (b) might break binaries by random patching
> and (c) changes the binary hash which in turn breaks secure boot
> verification.
>
> Background: OVMF happily loads and runs not only linux kernels but
> any efi binary via direct kernel boot.
>
> Note: Breaking the secure boot verification is a problem for linux
> kernels too, but fixed that is left for another day ...
Um we kind of care about Linux ;)
What's the plan? I suspect we should just add a command line flag
to skip patching? And once we do that, it seems safer to just
always rely on the flag?
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
> hw/i386/x86.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/i386/x86.c b/hw/i386/x86.c
> index ffbda48917fd..765899eebe43 100644
> --- a/hw/i386/x86.c
> +++ b/hw/i386/x86.c
> @@ -1108,7 +1108,7 @@ void x86_load_linux(X86MachineState *x86ms,
> * kernel on the other side of the fw_cfg interface matches the hash of the
> * file the user passed in.
> */
> - if (!sev_enabled()) {
> + if (!sev_enabled() && protocol > 0) {
> memcpy(setup, header, MIN(sizeof(header), setup_size));
> }
>
> --
> 2.44.0
next prev parent reply other threads:[~2024-04-10 7:30 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-10 7:21 [PATCH] x86/loader: only patch linux kernels Gerd Hoffmann
2024-04-10 7:26 ` Michael S. Tsirkin [this message]
2024-04-10 10:35 ` secure boot & direct kernel load (was: Re: [PATCH] x86/loader: only patch linux kernels) Gerd Hoffmann
2024-04-10 11:10 ` Michael S. Tsirkin
2024-04-10 11:52 ` Gerd Hoffmann
2024-04-10 15:01 ` Gerd Hoffmann
2024-04-15 11:59 ` Daniel P. Berrangé
2024-04-15 13:30 ` Gerd Hoffmann
2024-04-15 13:48 ` Daniel P. Berrangé
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240410032448-mutt-send-email-mst@kernel.org \
--to=mst@redhat.com \
--cc=eduardo@habkost.net \
--cc=kraxel@redhat.com \
--cc=marcel.apfelbaum@gmail.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).