From: Christian Borntraeger <borntraeger@de.ibm.com>
To: Thomas Huth <thuth@redhat.com>,
David Hildenbrand <david@redhat.com>,
"Jason J. Herne" <jjherne@linux.ibm.com>,
qemu-devel@nongnu.org, qemu-s390x@nongnu.org, cohuck@redhat.com,
alifm@linux.ibm.com
Subject: Re: [Qemu-devel] [qemu-s390x] [PATCH] s390-bios: Skip bootmap signature entries
Date: Mon, 6 May 2019 12:18:42 +0200 [thread overview]
Message-ID: <98a268ee-17fb-079e-01d1-5dc554a24efd@de.ibm.com> (raw)
In-Reply-To: <55907be5-61a5-f251-4609-b0336818de17@redhat.com>
On 06.05.19 12:16, Thomas Huth wrote:
> On 06/05/2019 12.10, David Hildenbrand wrote:
>> On 06.05.19 12:01, David Hildenbrand wrote:
>>> On 29.04.19 15:09, Jason J. Herne wrote:
>>>> Newer versions of zipl have the ability to write signature entries to the boot
>>>> script for secure boot. We don't yet support secure boot, but we need to skip
>>>> over signature entries while reading the boot script in order to maintain our
>>>> ability to boot guest operating systems that have a secure bootloader.
>>>>
>>>> Signed-off-by: Jason J. Herne <jjherne@linux.ibm.com>
>>>> Reviewed-by: Farhan Ali <alifm@linux.ibm.com>
>>>> ---
>>>> pc-bios/s390-ccw/bootmap.c | 19 +++++++++++++++++--
>>>> pc-bios/s390-ccw/bootmap.h | 10 ++++++----
>>>> 2 files changed, 23 insertions(+), 6 deletions(-)
>>>>
>>>> diff --git a/pc-bios/s390-ccw/bootmap.c b/pc-bios/s390-ccw/bootmap.c
>>>> index 7aef65a..d13b7cb 100644
>>>> --- a/pc-bios/s390-ccw/bootmap.c
>>>> +++ b/pc-bios/s390-ccw/bootmap.c
>>>> @@ -254,7 +254,14 @@ static void run_eckd_boot_script(block_number_t bmt_block_nr,
>>>> memset(sec, FREE_SPACE_FILLER, sizeof(sec));
>>>> read_block(block_nr, sec, "Cannot read Boot Map Script");
>>>>
>>>> - for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD; i++) {
>>>> + for (i = 0; bms->entry[i].type == BOOT_SCRIPT_LOAD ||
>>>> + bms->entry[i].type == BOOT_SCRIPT_SIGNATURE; i++) {
>>>> +
>>>> + /* We don't support secure boot yet, so we skip signature entries */
>>>> + if (bms->entry[i].type == BOOT_SCRIPT_SIGNATURE) {
>>>> + continue;
>>>> + }
>>>> +
>>>> address = bms->entry[i].address.load_address;
>>>> block_nr = eckd_block_num(&bms->entry[i].blkptr.xeckd.bptr.chs);
>>>>
>>>> @@ -489,7 +496,15 @@ static void zipl_run(ScsiBlockPtr *pte)
>>>>
>>>> /* Load image(s) into RAM */
>>>> entry = (ComponentEntry *)(&header[1]);
>>>> - while (entry->component_type == ZIPL_COMP_ENTRY_LOAD) {
>>>> + while (entry->component_type == ZIPL_COMP_ENTRY_LOAD ||
>>>> + entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
>>>> +
>>>> + /* We don't support secure boot yet, so we skip signature entries */
>>>> + if (entry->component_type == ZIPL_COMP_ENTRY_SIGNATURE) {
>>>> + entry++;
>>>> + continue;
>>>> + }
>>>> +
>>>> zipl_load_segment(entry);
>>>>
>>>> entry++;
>>>> diff --git a/pc-bios/s390-ccw/bootmap.h b/pc-bios/s390-ccw/bootmap.h
>>>> index a085212..94f53a5 100644
>>>> --- a/pc-bios/s390-ccw/bootmap.h
>>>> +++ b/pc-bios/s390-ccw/bootmap.h
>>>> @@ -98,8 +98,9 @@ typedef struct ScsiMbr {
>>>> #define ZIPL_COMP_HEADER_IPL 0x00
>>>> #define ZIPL_COMP_HEADER_DUMP 0x01
>>>>
>>>> -#define ZIPL_COMP_ENTRY_LOAD 0x02
>>>> -#define ZIPL_COMP_ENTRY_EXEC 0x01
>>>> +#define ZIPL_COMP_ENTRY_EXEC 0x01
>>>> +#define ZIPL_COMP_ENTRY_LOAD 0x02
>>>> +#define ZIPL_COMP_ENTRY_SIGNATURE 0x03
>>>>
>>>> typedef struct XEckdMbr {
>>>> uint8_t magic[4]; /* == "xIPL" */
>>>> @@ -117,8 +118,9 @@ typedef struct BootMapScriptEntry {
>>>> BootMapPointer blkptr;
>>>> uint8_t pad[7];
>>>> uint8_t type; /* == BOOT_SCRIPT_* */
>>>> -#define BOOT_SCRIPT_EXEC 0x01
>>>> -#define BOOT_SCRIPT_LOAD 0x02
>>>> +#define BOOT_SCRIPT_EXEC 0x01
>>>> +#define BOOT_SCRIPT_LOAD 0x02
>>>> +#define BOOT_SCRIPT_SIGNATURE 0x03
>>>> union {
>>>> uint64_t load_address;
>>>> uint64_t load_psw;
>>>>
>>>
>>> Naive question from me:
>>>
>>> Can't we place the signatures somewhere else, and instead associate them
>>> with entries? This avoids breaking backwards compatibility for the sake
>>> of signatures we want unmodified zipl loaders to ignore.
>>>
>>
>>
>> ... but I guess this is already documented somewhere internally and
>> other components have been adjusted. IOW, cannot be changed anymore.
>>
>> Guess our implementation should have tolerated other entries than
>> "BOOT_SCRIPT_LOAD" right from the beginning.
>
> Hmm, now we only tolerate the _LOAD and _SIGNATURE entries, but still
> nothing else... would it make sense to rewrite the code a little bit to
> tolerate all other kind of entries, but just act on the well-known _LOAD
> entries, so that we do not step into this trap in the future anymore?
I think we should not. Those entries might have sematic elements that the guest
wants to enforce. I do not think that this will come, but imagine a boot entry
that mandates some security wishes (e.g. do only run on non-shared cores).
next prev parent reply other threads:[~2019-05-06 10:20 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-29 13:09 [Qemu-devel] [PATCH] s390-bios: Skip bootmap signature entries Jason J. Herne
2019-04-29 13:09 ` Jason J. Herne
2019-04-29 13:40 ` Cornelia Huck
2019-04-29 13:40 ` Cornelia Huck
2019-04-29 13:45 ` Christian Borntraeger
2019-04-29 13:45 ` Christian Borntraeger
2019-04-30 9:24 ` Peter Oberparleiter
2019-04-30 9:24 ` Peter Oberparleiter
2019-04-30 9:44 ` Cornelia Huck
2019-04-30 9:44 ` Cornelia Huck
2019-05-03 9:34 ` Thomas Huth
2019-05-03 9:34 ` Thomas Huth
2019-05-06 8:08 ` Christian Borntraeger
2019-05-06 13:03 ` Jason J. Herne
2019-05-06 10:01 ` [Qemu-devel] [qemu-s390x] " David Hildenbrand
2019-05-06 10:10 ` David Hildenbrand
2019-05-06 10:16 ` Thomas Huth
2019-05-06 10:18 ` Christian Borntraeger [this message]
2019-05-06 10:34 ` Cornelia Huck
2019-05-06 10:46 ` Christian Borntraeger
2019-05-06 11:05 ` Cornelia Huck
2019-05-06 11:13 ` Christian Borntraeger
2019-05-06 11:23 ` Cornelia Huck
2019-05-06 11:24 ` Christian Borntraeger
2019-05-06 10:14 ` Christian Borntraeger
2019-05-06 10:30 ` Cornelia Huck
2019-05-06 10:45 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=98a268ee-17fb-079e-01d1-5dc554a24efd@de.ibm.com \
--to=borntraeger@de.ibm.com \
--cc=alifm@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@redhat.com \
--cc=jjherne@linux.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).