在 2019年03月26日 01:32, Borislav Petkov 写道:
> On Mon, Mar 25, 2019 at 05:17:55PM +, Singh, Brijesh wrote:
>> By default all the memory regions are mapped encrypted. The
>> set_memory_{encrypt,decrypt}() is a generic function which can be
>> called explicitly to clear/set the encryption mask from
On 3/25/19 9:32 PM, Borislav Petkov wrote:
> On Mon, Mar 25, 2019 at 08:23:02PM +0800, Dave Young wrote:
>> Kexec saved the original physical addresses, and pass them to kexeced
>> kernel via x86 setup_data, so both the early parsing or efi init code
>> need to get those physical values from
From: Dave Young
Kexec reboot in case secure boot being enabled does not keep the secure
boot mode in new kernel, so later one can load unsigned kernel via legacy
kexec_load. In this state, the system is missing the protections provided
by secure boot.
Adding a patch to fix this by retain the
From: Jiri Bohac
When KEXEC_SIG is not enabled, kernel should not load images through
kexec_file systemcall if the kernel is locked down.
[Modified by David Howells to fit with modifications to the previous patch
and to return -EPERM if the kernel is locked down for consistency with
other
From: Matthew Garrett
The kexec_load() syscall permits the loading and execution of arbitrary
code in ring 0, which is something that lock-down is meant to prevent. It
makes sense to disable kexec_load() in this situation.
This does not affect kexec_file_load() syscall which can check for a
From: Jiri Bohac
This is a preparatory patch for kexec_file_load() lockdown. A locked down
kernel needs to prevent unsigned kernel images from being loaded with
kexec_file_load(). Currently, the only way to force the signature
verification is compiling with KEXEC_VERIFY_SIG. This prevents
On Mon, 2019-03-25 at 16:09 +0800, Dave Young wrote:
> Hi Mimi
> On 03/22/19 at 03:35pm, Mimi Zohar wrote:
> > Verify IMA is enabled before failing tests or emitting irrelevant
> > messages. Also, don't skip the test if signatures are not required.
> >
> > Suggested-by: Dave Young
> >
On 3/25/19 1:17 PM, Singh, Brijesh wrote:
>
>
> On 3/25/19 12:32 PM, Borislav Petkov wrote:
>> On Mon, Mar 25, 2019 at 05:17:55PM +, Singh, Brijesh wrote:
>>> By default all the memory regions are mapped encrypted. The
>>> set_memory_{encrypt,decrypt}() is a generic function which can be
>>>
On 3/16/19 2:31 AM, lijiang wrote:
>
>
> 在 2018年12月05日 05:33, Lendacky, Thomas 写道:
>> On 11/29/2018 09:37 PM, Dave Young wrote:
>>> + more people
>>>
>>> On 11/29/18 at 04:09pm, Lianbo Jiang wrote:
When doing kexec_file_load, the first kernel needs to pass the e820
reserved ranges to
On 3/25/19 12:32 PM, Borislav Petkov wrote:
> On Mon, Mar 25, 2019 at 05:17:55PM +, Singh, Brijesh wrote:
>> By default all the memory regions are mapped encrypted. The
>> set_memory_{encrypt,decrypt}() is a generic function which can be
>> called explicitly to clear/set the encryption mask
On Mon, Mar 25, 2019 at 05:17:55PM +, Singh, Brijesh wrote:
> By default all the memory regions are mapped encrypted. The
> set_memory_{encrypt,decrypt}() is a generic function which can be
> called explicitly to clear/set the encryption mask from the existing
> memory mapping. The
Hi Boris,
On 3/25/19 1:37 AM, Borislav Petkov wrote:
> On Mon, Mar 25, 2019 at 09:58:07AM +0800, lijiang wrote:
>> For the SEV virtual machine, it maps the kexec memroy area as
>> encrypted, so, no need to invoke this function to change anything.
>
> Look at the code:
>
>
On Mon, Mar 25, 2019 at 08:23:02PM +0800, Dave Young wrote:
> efi_enter_virtual_mode() can only run once because of efi firmware/spec
> limitation, and after entered virtual mode, efi firmware just updated
I should remember that - I did it at the time.
> Kexec saved the original physical
On Mon, Mar 25, 2019 at 02:53:02PM +0800, lijiang wrote:
> In this function, i printed its values, and only got the value of reserved
> type, so i changed the IORES_DESC_NONE to the IORES_DESC_RESERVED.
>
> In addition, after the new descriptor 'IORES_DESC_RESERVED' is introduced,
> the
On 03/25/19 at 01:01pm, Borislav Petkov wrote:
> On Mon, Mar 25, 2019 at 10:36:33AM +, Junichi Nomura wrote:
> > AFAIU, early parsing is new code in v5.1-rc1 to support kexec on systems
> > with hotpluggable memory with KASLR enabled. For systems that requires the
> > new feature, it may be ok
On Mon, Mar 25, 2019 at 05:20:43PM +0800, lijiang wrote:
> Let's look at the discussion in patch v8, please refer to this link:
> https://lkml.org/lkml/2019/3/16/15
>
> I did a test according to Tom's reply, and the test indicated his suggestion
> was
> correct, we should change this to check
On Mon, Mar 25, 2019 at 10:36:33AM +, Junichi Nomura wrote:
> AFAIU, early parsing is new code in v5.1-rc1 to support kexec on systems
> with hotpluggable memory with KASLR enabled. For systems that requires the
> new feature, it may be ok to say "you need to use another kexec interface"
>
On 03/25/19 at 10:36am, Junichi Nomura wrote:
> On 3/25/19 7:15 PM, Dave Young wrote:
> > On 03/25/19 at 09:54am, Boris Petkov wrote:
> >> On March 25, 2019 9:27:21 AM GMT+01:00, Junichi Nomura
> >> wrote:
> >>> On 3/25/19 3:59 PM, Dave Young wrote:
> On 03/25/19 at 06:47am, Junichi Nomura
On 3/25/19 7:15 PM, Dave Young wrote:
> On 03/25/19 at 09:54am, Boris Petkov wrote:
>> On March 25, 2019 9:27:21 AM GMT+01:00, Junichi Nomura
>> wrote:
>>> On 3/25/19 3:59 PM, Dave Young wrote:
On 03/25/19 at 06:47am, Junichi Nomura wrote:
> On 3/25/19 3:19 PM, Dave Young wrote:
>>
On 03/25/19 at 09:54am, Boris Petkov wrote:
> On March 25, 2019 9:27:21 AM GMT+01:00, Junichi Nomura
> wrote:
> >On 3/25/19 3:59 PM, Dave Young wrote:
> >> On 03/25/19 at 06:47am, Junichi Nomura wrote:
> >>> On 3/25/19 3:19 PM, Dave Young wrote:
> On 03/25/19 at 02:01pm, Dave Young wrote:
>
On 3/25/19 5:54 PM, Boris Petkov wrote:
> I'm going to repeat that again until you get it:
>
> If the kexec kernel should continue to use efi_systab_init() then you
> should make efi_get_rsdp_addr() exit early in the kexec-ed kernel.
Do you think this one is ok? Either works for me.
[PATCH v2]
在 2019年03月25日 14:40, Borislav Petkov 写道:
> On Mon, Mar 25, 2019 at 11:11:45AM +0800, lijiang wrote:
>> I mean it needs to find all the value of the 'IORES_DESC_ACPI_*' type.
>
> A function called __ioremap_check_desc_other() needs to find
> IORES_DESC_ACPI_* types...
>
> No, still don't know
On March 25, 2019 9:27:21 AM GMT+01:00, Junichi Nomura
wrote:
>On 3/25/19 3:59 PM, Dave Young wrote:
>> On 03/25/19 at 06:47am, Junichi Nomura wrote:
>>> On 3/25/19 3:19 PM, Dave Young wrote:
On 03/25/19 at 02:01pm, Dave Young wrote:
I think normally people do not see this bug, because
On 3/25/19 3:59 PM, Dave Young wrote:
> On 03/25/19 at 06:47am, Junichi Nomura wrote:
>> On 3/25/19 3:19 PM, Dave Young wrote:
>>> On 03/25/19 at 02:01pm, Dave Young wrote:
>>> I think normally people do not see this bug, because kernel will set the
>>> rsdp in boot_params->acpi_rsdp_addr. Maybe
Hi Mimi
On 03/22/19 at 03:35pm, Mimi Zohar wrote:
> Verify IMA is enabled before failing tests or emitting irrelevant
> messages. Also, don't skip the test if signatures are not required.
>
> Suggested-by: Dave Young
> Signed-off-by: Mimi Zohar
> ---
> Dave, if this patch resolves the
On 03/25/19 at 06:47am, Junichi Nomura wrote:
> On 3/25/19 3:19 PM, Dave Young wrote:
> > On 03/25/19 at 02:01pm, Dave Young wrote:
> >> On 03/25/19 at 12:27am, Junichi Nomura wrote:
> >>> On Fri, Mar 22, 2019 at 04:23:28PM +0100, Borislav Petkov wrote:
> On Fri, Mar 22, 2019 at 11:03:43AM
在 2019年03月23日 03:28, Borislav Petkov 写道:
> On Thu, Mar 21, 2019 at 06:33:08PM +0800, Lianbo Jiang wrote:
>> When doing kexec_file_load, the first kernel needs to pass the e820
>
> Please end function names with parentheses.
>
>> reserved ranges to the second kernel.
>
> ... because... ?
>
>>
On 3/25/19 3:19 PM, Dave Young wrote:
> On 03/25/19 at 02:01pm, Dave Young wrote:
>> On 03/25/19 at 12:27am, Junichi Nomura wrote:
>>> On Fri, Mar 22, 2019 at 04:23:28PM +0100, Borislav Petkov wrote:
On Fri, Mar 22, 2019 at 11:03:43AM +, Junichi Nomura wrote:
> Commit 3a63f70bf4c3a
On Mon, Mar 25, 2019 at 2:20 PM Dave Young wrote:
>
> On 03/25/19 at 02:01pm, Dave Young wrote:
> > On 03/25/19 at 12:27am, Junichi Nomura wrote:
> > > On Fri, Mar 22, 2019 at 04:23:28PM +0100, Borislav Petkov wrote:
> > > > On Fri, Mar 22, 2019 at 11:03:43AM +, Junichi Nomura wrote:
> > > >
On Mon, Mar 25, 2019 at 11:11:45AM +0800, lijiang wrote:
> I mean it needs to find all the value of the 'IORES_DESC_ACPI_*' type.
A function called __ioremap_check_desc_other() needs to find
IORES_DESC_ACPI_* types...
No, still don't know what you're trying to do.
> As above mentioned, it needs
On Mon, Mar 25, 2019 at 09:58:07AM +0800, lijiang wrote:
> For the SEV virtual machine, it maps the kexec memroy area as
> encrypted, so, no need to invoke this function to change anything.
Look at the code:
set_memory_decrypted->__set_memory_enc_dec
It already *does* invoke this function.
> >
On 03/25/19 at 02:01pm, Dave Young wrote:
> On 03/25/19 at 12:27am, Junichi Nomura wrote:
> > On Fri, Mar 22, 2019 at 04:23:28PM +0100, Borislav Petkov wrote:
> > > On Fri, Mar 22, 2019 at 11:03:43AM +, Junichi Nomura wrote:
> > > > Commit 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it
On 03/25/19 at 12:27am, Junichi Nomura wrote:
> On Fri, Mar 22, 2019 at 04:23:28PM +0100, Borislav Petkov wrote:
> > On Fri, Mar 22, 2019 at 11:03:43AM +, Junichi Nomura wrote:
> > > Commit 3a63f70bf4c3a ("x86/boot: Early parse RSDP and save it in
> > > boot_params") broke kexec boot on EFI
33 matches
Mail list logo