ed to get acpi_rsdp from boot_params according to commit message of
ae7e1238e68f2a472a125673ab506d49158c1889). Will add some comment and
discuss.
>
> --
> Regards/Gruss,
> Boris.
>
> Good mailing practices for 400: avoid top-posting and trim the reply.
--
Best Regards,
Kairui Song
On Wed, Jan 16, 2019 at 11:32 AM Dave Young wrote:
>
> On 01/16/19 at 12:10am, Borislav Petkov wrote:
> > On Tue, Jan 15, 2019 at 05:58:34PM +0800, Kairui Song wrote:
> > > When efi=noruntime or efi=oldmap is used, EFI services won't be available
> > > in the secon
On Tue, Jan 15, 2019 at 11:47 PM Mimi Zohar wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
>
> > diff --git a/arch/x86/kernel/kexec-bzimage64.c
> > b/arch/x86/kernel/kexec-bzimage64.c
> > index 7d97e432cbbc..a06b04065bb1 100644
> > --- a/
On Tue, Jan 15, 2019 at 11:34 PM Mimi Zohar wrote:
>
> On Tue, 2019-01-15 at 17:45 +0800, Kairui Song wrote:
> [snip]
>
> > diff --git a/security/integrity/digsig.c b/security/integrity/digsig.c
> > index f45d6edecf99..bfabc2a8111d 100644
> > --- a/security/integri
use of it, detect and set the RSDP address when it's required for second
kernel to boot.
Tested with an EFI enabled KVM VM with efi=noruntime.
Suggested-by: Dave Young
Signed-off-by: Kairui Song
---
arch/x86/kernel/kexec-bzimage64.c | 21 +
drivers/acpi/acpica/tbxfroot.c
97.983962] entry_SYSCALL_64_after_hwframe+0x44/0xa9
When efi runtime is not enabled, efi memmap is not mapped, so just skip
EFI info setup.
Suggested-by: Dave Young
Signed-off-by: Kairui Song
---
arch/x86/kernel/kexec-bzimage64.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/x86/kernel/kexec
This patch series fixes the kexec panic on efi=noruntime or efi=old_map
and leverages acpi_rsdp_addr to make the second kernel boot up properly.
Kairui Song (2):
x86, kexec_file_load: Don't setup EFI info if EFI runtime is not
enabled
x86, kexec_file_load: make it work with efi=noruntime
platform keyring. Also, decrease
the error message log level when verification failed with -ENOKEY,
so that if the caller tries multiple times with different keyrings it
won't generate extra noise.
Signed-off-by: Kairui Song
---
arch/x86/kernel/kexec-bzimage64.c | 15 ---
certs/system_keyring.c
.
Tested in a VM with locally signed kernel with pesign and imported the
cert to EFI's MokList variable.
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
Update from V1:
- Make platform_trusted_keys static
the .platform, and makes it useable for other
components. For example, kexec_file_load could use this .platform
keyring to verify the kernel image's image.
Suggested-by: Mimi Zohar
Signed-off-by: Kairui Song
---
certs/system_keyring.c| 9 +
include/keys/system_keyring.h | 5 +
security
>
> >
> > Mimi
> >
>
> Thanks
> Dave
Yes, for now, I think it's good to fix the problem by following this
patch series and get kexec_file_load to work with platform keyring first.
Will adopt suggestion from Mimi in the previous reply and update the
patch series.
For other remaining potential issues, kexec_load not being protected,
it could be disabled by config, and the improvement may require more
discussion. And issues like where the keyring is located, dependency
to making the keyring available for more general use could be
discussed later.
--
Best Regards,
Kairui Song
ng list). It's a bit late to be
> > asking to move it, isn't it?
>
> Hmm, apologies for being late, I did not get a chance to have a look at the
> old series. Since we have the needs now, it should be still fine
>
> Maybe Kairui can check Nayna's old series, see if he can do something
> again?
>
> >
> > Mimi
> >
>
> Thanks
> Dave
--
Best Regards,
Kairui Song
use the keyring and verify the image.
This patch exposes the .platform and lets other components, like
kexec_file_load, use this .platform keyring to verify the
kernel image.
Suggested-by: Mimi Zohar
Signed-off-by: Kairui Song
---
certs/system_keyring.c| 3 +++
include/keys
MokList variable.
Kairui Song (2):
integrity, KEYS: add a reference to platform keyring
kexec, KEYS: Make use of platform keyring for signature verify
arch/x86/kernel/kexec-bzimage64.c | 13 ++---
certs/system_keyring.c| 10 +-
include/keys/system_keyring.h | 5
failed with -ENOKEY,
so that if the caller tries multiple times with different keyrings it
won't generate extra noise.
Signed-off-by: Kairui Song
---
arch/x86/kernel/kexec-bzimage64.c | 13 ++---
certs/system_keyring.c| 7 ++-
include/linux/verification.h | 1 +
3 files
CCing more people
On Wed, Jan 9, 2019 at 2:45 PM Kairui Song wrote:
>
> Currently with "efi=noruntime" in kernel command line, calling
> kexec_file_load will raise below problem:
>
> [ 97.967067] BUG: unable to handle kernel NULL pointer dereference at
> 0
CCing more people
On Wed, Jan 9, 2019 at 2:47 PM Kairui Song wrote:
>
> When efi=noruntime or efi=oldmap is used, EFI services won't be available
> in the second kernel, therefore the second kernel will not be able to get
> the ACPI RSDP address from firmware by calling EFI servic
diff --git a/arch/x86/kernel/kexec-b
ort the key
> then to reuse kexec_file_load.
>
> I think we do not care if platform key can be added to secondary or not,
> any suggestions how can kexec_file to use the platform key?
>
> >
> > Mimi
> >
> >
> > On Tue, 2019-01-08 at 16:12 +0800, K
to .secondary_trusted_keys so
kexec_file_load could also leverage the .platform keyring to verify the
kernel image.
Signed-off-by: Kairui Song
---
certs/system_keyring.c | 30 ++
include/keys/platform_keyring.h | 12
security/integrity/digsig.c
the
INTEGRITY_PLATFORM_KEYRING to certs/ and let integrity subsystem use
the keyring there, so just linked the .platform keyring into kernel's
.secondary_trusted_keys keyring.
It worked for my case, tested in a VM, I signed the kernel image locally
with pesign and imported the cert to EFI's MokList variable.
Kairui
_oldmem_pfn_is_ram introduced in
'commit 2a3e83c6f96c ("x86/gart: Exclude GART aperture from vmcore"),'
as the hook function, but rename to gart_mem_pfn_is_ram as now it's
for a more generic use.
Suggested-by: Baoquan He
Signed-off-by: Kairui Song
---
Update from V1:
- Fix a compile error w
_oldmem_pfn_is_ram introduced in
'commit 2a3e83c6f96c ("x86/gart: Exclude GART aperture from vmcore"),'
as the hook function, but rename to gart_mem_pfn_is_ram as now it's
for a more generic use.
Suggested-by: Baoquan He
Signed-off-by: Kairui Song
---
arch/x86/kernel/aperture_64
Commit-ID: bdec8d7fa55e6f5314ed72e5a0b435d90ff90548
Gitweb: https://git.kernel.org/tip/bdec8d7fa55e6f5314ed72e5a0b435d90ff90548
Author: Kairui Song
AuthorDate: Thu, 27 Sep 2018 20:38:45 +0800
Committer: Borislav Petkov
CommitDate: Thu, 27 Sep 2018 19:35:03 +0200
x86/boot: Fix kexec
unning with SEV
active")
Suggested-by: Borislav Petkov
Signed-off-by: Kairui Song
---
arch/x86/boot/compressed/mem_encrypt.S | 19 ---
1 file changed, 19 deletions(-)
diff --git a/arch/x86/boot/compressed/mem_encrypt.S
b/arch/x86/boot/compressed/mem_encrypt.S
index eaa843