The vsyscall page should be visible only if
vsyscall=emulate/native when dumping /proc/kcore.
Signed-off-by: Jia Zhang
---
arch/x86/mm/init_64.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index dab78f6..3d4cf33 100644
_from_user()
may work, but using a common way to handle this sort of user page may be
useful for future.
Currently, only vsyscall page requires KCORE_USER.
Signed-off-by: Jia Zhang
---
arch/x86/mm/init_64.c | 2 +-
fs/proc/kcore.c | 4
include/linux/kcore.h | 1 +
3 files changed, 6
Hi,
Are there any comments here?
Thanks,
Jia
On 2018/1/30 2:42 PM, Jia Zhang wrote:
> The commit df04abfd181a
> ("fs/proc/kcore.c: Add bounce buffer for ktext data") introduces a
> bounce buffer to work around CONFIG_HARDENED_USERCOPY=y. However,
> accessing vsyscall use
atum BDF90 in document #334165 (Intel Xeon
Processor E7-8800/4800 v4 Product Family Specification Update) from
September 2017.
Signed-off-by: Jia Zhang
---
arch/x86/kernel/cpu/microcode/intel.c | 19 +--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/arch/x86/
On 2018/1/17 5:51 AM, Borislav Petkov wrote:
> On Tue, Jan 16, 2018 at 01:30:19PM -0800, Luck, Tony wrote:
>> I could get you a list of model numbers that you can check against
>> model_name.
>
> Yeah, we're not doing that again. :)
>
>> But that seems way worse. Especially as the 2.5MB thing is wha
The fix further reduces the impact for the BDW model which has to launch
a machine reset in order to run microcode update in BIOS. This point is
important for some vendors without the concern about machine reboot in
order to fix up Spectre v2.
Jia Zhang (2):
x86/intel: introduce platform_id
useful to reduce the impact for microcode update launched
by BIOS with a must machine reset.
For more details, see erratum BDF90 in document #334165 (Intel Xeon
Processor E7-8800/4800 v4 Product Family Specification Update) from
September 2017.
Signed-off-by: Jia Zhang
---
arch/x86/kernel/cpu
Platform ID retrieved from MSR_IA32_PLATFORM_ID may be used as
a filtration condition in some cases.
Signed-off-by: Jia Zhang
---
arch/x86/include/asm/processor.h | 1 +
arch/x86/kernel/cpu/intel.c | 7 +++
2 files changed, 8 insertions(+)
diff --git a/arch/x86/include/asm/processor.h
Yes I'm wrong with platform id so drop it.
Jia
On 2018/1/15 6:10 PM, Borislav Petkov wrote:
> On Mon, Jan 15, 2018 at 01:43:23PM +0800, Jia Zhang wrote:
>> The commit b94b73733171
>> ("x86/microcode/intel: Extend BDW late-loading with a revision check")
>> red
On 2018/1/15 7:48 PM, Henrique de Moraes Holschuh wrote:
> On Mon, 15 Jan 2018, Jia Zhang wrote:
>> For more details, see erratum BDF90 in document #334165 (Intel Xeon
>> Processor E7-8800/4800 v4 Product Family Specification Update) from
>> September 2017.
>
> For the re
atum BDF90 in document #334165 (Intel Xeon
Processor E7-8800/4800 v4 Product Family Specification Update) from
September 2017.
Signed-off-by: Jia Zhang
---
arch/x86/kernel/cpu/microcode/intel.c | 15 +--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpu
On 2018/1/15 7:48 PM, Henrique de Moraes Holschuh wrote:
> On Mon, 15 Jan 2018, Jia Zhang wrote:
>> For more details, see erratum BDF90 in document #334165 (Intel Xeon
>> Processor E7-8800/4800 v4 Product Family Specification Update) from
>> September 2017.
>
> For the re
On 2018/1/16 2:46 AM, Borislav Petkov wrote:
> On Mon, Jan 15, 2018 at 09:11:57PM +0800, Jia Zhang wrote:
>> The commit b94b73733171
>> ("x86/microcode/intel: Extend BDW late-loading with a revision check")
>> reduces the impact of erratum BDF90 for Broadwell process
On 2018/3/12 9:28 PM, Jessica Yu wrote:
> +++ Jia Zhang [08/03/18 12:26 +0800]:
>> This patch series allows to disable module validity enforcement
>> in runtime through /sys/kernel/security/modsign/enforce interface.
>>
>> Assuming CONFIG_MODULE_SIG_FORCE=y, h
This patch series allows to disable module validity enforcement
in runtime through the control switch located in securityfs.
In order to keep /sys/module/module/parameters/sig_enforce simple,
the disablement switch is located at
/sys/kernel/security/modsign/disable_enforce.
Assuming CONFIG_MODULE
This entry point currently includes the procfs initialization,
and will include a securityfs initialization.
Signed-off-by: Jia Zhang
---
kernel/module.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index 003d0ab..79825ea
Call is_module_sig_enforced() instead.
Signed-off-by: Jia Zhang
---
kernel/module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index ad2d420..003d0ab 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2789,7 +2789,7 @@ static int
\
-signer -outform der -out no_sig_enforce.p7s
$ sudo cat no_sig_enforce.p7s \
> /sys/kernel/security/modsign/disable_enforce
Note that the signing key must be a trust key located in
system trusted keyring. So even the root privilege cannot
simply disable the enforcement.
Signed-off-by: Jia Zh
Call is_module_sig_enforced() instead.
Signed-off-by: Jia Zhang
---
kernel/module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index a6e43a5..f695474 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2785,7 +2785,7 @@ static int
The sig_enforce parameter could be always shown to reflect the
current status of modsign. For the case of CONFIG_MODULE_SIG_FORCE=y,
this modification does nothing harmless.
Signed-off-by: Jia Zhang
---
kernel/module.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/kernel/module.c b
On 2018/3/8 4:14 AM, Jessica Yu wrote:
> +++ Jia Zhang [01/03/18 17:09 +0800]:
>> /sys/kernel/security/modsign/enforce gives the result of current
>> enforcement policy of loading module.
>>
>> Signed-off-by: Jia Zhang
>
> Why is this being added as part of s
/sys/kernel/security/modsign/enforce gives the result of current
enforcement policy of loading module.
Signed-off-by: Jia Zhang
---
kernel/module.c | 55 +++
1 file changed, 55 insertions(+)
diff --git a/kernel/module.c b/kernel/module.c
-out data.sig
Note that the signing key must be a trust key located in
system trusted keyring. So even the root privilege cannot
simply disable the enforcement.
Signed-off-by: Jia Zhang
---
kernel/module.c | 118 ++--
1 file changed, 114 ins
This patch series allows to disable module validity enforcement
in runtime through /sys/kernel/security/modsign/enforce interface.
Assuming CONFIG_MODULE_SIG_FORCE=y, here are the instructions to
disable the validity enforcement.
# cat /sys/kernel/security/modsign/enforce
# echo -n 0 > data
# ope
Call is_module_sig_enforced() instead.
Signed-off-by: Jia Zhang
---
kernel/module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index ad2d420..003d0ab 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2789,7 +2789,7 @@ static int
This entry point currently includes the procfs initialization,
and will include a securityfs initialization.
Signed-off-by: Jia Zhang
---
kernel/module.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index 003d0ab..79825ea
: Inspur
Product Name: SA5212M4
Version: 01
However, binary_bios_measurements should return it any way,
rather than nothing, after all its content is completely
valid.
Fix: 55a82ab("tpm: add bios measurement log")
Signed-off-by: Jia Zhang
---
drivers/char/tpm/eventlog/
The sanity check would be easier, especially for the first read
of binary_bios_measurements from the beginning.
Signed-off-by: Jia Zhang
---
drivers/char/tpm/eventlog/tpm1.c | 37 ++---
1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/drivers/char
This entry point currently includes the procfs initialization,
and will include a securityfs initialization.
Signed-off-by: Jia Zhang
---
kernel/module.c | 14 +-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index 003d0ab..79825ea
/sys/kernel/security/modsign/enforce gives the result of current
enforcement policy of loading module.
Signed-off-by: Jia Zhang
---
kernel/module.c | 55 +++
1 file changed, 55 insertions(+)
diff --git a/kernel/module.c b/kernel/module.c
If module signature verification check is enabled but the
validity enforcement is configured to be disabled, it should
be allowed to enable it. Once enabled, it is disallowed to
disable it.
Signed-off-by: Jia Zhang
---
kernel/module.c | 39 ---
1 file changed
Call is_module_sig_enforced() instead.
Signed-off-by: Jia Zhang
---
kernel/module.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/module.c b/kernel/module.c
index ad2d420..003d0ab 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -2789,7 +2789,7 @@ static int
On 2018/3/28 6:11 AM, Jessica Yu wrote:
> +++ Jia Zhang [24/03/18 10:59 +0800]:
>> This patch series allows to disable module validity enforcement
>> in runtime through the control switch located in securityfs.
>>
>> In order to keep /sys/module/module/parameters
On 2021/3/11 5:39 AM, Jarkko Sakkinen wrote:
> On Wed, Mar 10, 2021 at 08:44:44PM +0800, Jia Zhang wrote:
>>
>>
>> On 2021/3/2 9:47 PM, Jarkko Sakkinen wrote:
>>> On Mon, Mar 01, 2021 at 09:54:37PM -0800, Andy Lutomirski wrote:
>>>> On Mon, Mar 1,
On 2021/3/11 11:42 AM, Jarkko Sakkinen wrote:
> On Thu, Mar 11, 2021 at 10:47:50AM +0800, Jia Zhang wrote:
>>
>>
>> On 2021/3/11 5:39 AM, Jarkko Sakkinen wrote:
>>> On Wed, Mar 10, 2021 at 08:44:44PM +0800, Jia Zhang wrote:
>>>>
>>>>
>>
On 2021/3/2 9:47 PM, Jarkko Sakkinen wrote:
> On Mon, Mar 01, 2021 at 09:54:37PM -0800, Andy Lutomirski wrote:
>> On Mon, Mar 1, 2021 at 9:06 PM Tianjia Zhang
>> wrote:
>>>
>>>
>>>
>>> On 3/1/21 5:54 PM, Jarkko Sakkinen wrote:
On Mon, Mar 01, 2021 at 01:18:36PM +0800, Tianjia Zhang wrote:
>
On 2019/1/17 6:09 AM, Jarkko Sakkinen wrote:
> Please use "tpm:" tag for commits, not "tpm/eventlog/tpm1".
>
> On Fri, Jan 11, 2019 at 04:59:32PM +0800, Jia Zhang wrote:
>> The responsibility of tpm1_bios_measurements_start() is to walk
>> over the firs
On 2019/1/18 11:18 PM, Jarkko Sakkinen wrote:
> On Thu, Jan 17, 2019 at 09:32:55AM +0800, Jia Zhang wrote:
>>
>>
>> On 2019/1/17 6:09 AM, Jarkko Sakkinen wrote:
>>> Please use "tpm:" tag for commits, not "tpm/eventlog/tpm1".
>>>
... sn
Similar to .ima, the cert imported to .ima_blacklist is able to be
authenticated by a secondary CA cert.
Signed-off-by: Jia Zhang
---
include/keys/system_keyring.h| 6 ++
security/integrity/digsig.c | 6 --
security/integrity/ima/ima_mok.c | 2 +-
3 files changed, 7 insertions
On 2019/8/2 6:57 AM, Mimi Zohar wrote:
> Hi Jia,
>
> On Thu, 2019-08-01 at 09:23 +0800, Jia Zhang wrote:
>> Similar to .ima, the cert imported to .ima_blacklist is able to be
>> authenticated by a secondary CA cert.
>>
>> Signed-off-by: Jia Zhang
>
>
On 2019/1/11 1:32 AM, Jarkko Sakkinen wrote:
> On Sun, Jan 06, 2019 at 03:23:18PM +0800, Jia Zhang wrote:
>> The sanity check would be easier, especially for the first read
>> of binary_bios_measurements from the beginning.
>>
>> Signed-off-by: Jia Zhang
>
>
: Inspur
Product Name: SA5212M4
Version: 01
However, binary_bios_measurements should return it any way,
rather than nothing, after all its content is completely
valid.
Fixes: 55a82ab("tpm: add bios measurement log")
Signed-off-by: Jia Zhang
---
drivers/char/tpm/eventlog/
Change since V1:
- Add test results with LTP.
- Rewrite patch 1's commit header.
Here is the test result with LTP testcase ima_tpm.sh which is used
to verify binary_bios_measurements.
ima_tpm 1 TINFO: timeout per run is 0h 5m 0s
ima_tpm 1 TINFO: /proc/cmdline: BOOT_IMAGE=/boot/vmlinuz-5.0.0-rc1+
-off-by: Jia Zhang
---
drivers/char/tpm/eventlog/tpm1.c | 37 ++---
1 file changed, 14 insertions(+), 23 deletions(-)
diff --git a/drivers/char/tpm/eventlog/tpm1.c b/drivers/char/tpm/eventlog/tpm1.c
index 58c8478..4cf8303 100644
--- a/drivers/char/tpm/eventlog/tpm1.c
Hi Jessica,
Could you review this patch series?
Thanks,
Jia
On 2018/3/1 5:09 PM, Jia Zhang wrote:
> Call is_module_sig_enforced() instead.
>
> Signed-off-by: Jia Zhang
> ---
> kernel/module.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/
Hi,
Anybody else here who can give an attention on this review?
Thanks,
Jia
On 2018/2/5 5:26 PM, Jiri Olsa wrote:
> On Tue, Jan 30, 2018 at 02:42:59PM +0800, Jia Zhang wrote:
>> The vsyscall page should be visible only if
>> vsyscall=emulate/native when dumping /proc/kcore.
>
Hi Jiri,
The maintainers are too busy to review this patchset. You are the author
of the commit df04abfd181a. Please help to review this patchset.
Thanks,
Jia
On 2018/1/30 2:42 PM, Jia Zhang wrote:
> The commit df04abfd181a
> ("fs/proc/kcore.c: Add bounce buffer for ktext data"
This patchset was validated with the combinations of pti=on/off and
vsyscall=native/emulate/none.
In addition, CONFIG_HARDENED_USERCOPY is always enabled.
v2:
- Use { } around kclist_add() when there's more than 1 line code
Jia Zhang (2):
/proc/kcore: Fix SMAP violation when du
The vsyscall page should be visible only if
vsyscall=emulate/native when dumping /proc/kcore.
Signed-off-by: Jia Zhang
Reviewed-by: Jiri Olsa
---
arch/x86/mm/init_64.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
index
_from_user()
may work, but using a common way to handle this sort of user page may be
useful for future.
Currently, only vsyscall page requires KCORE_USER.
Signed-off-by: Jia Zhang
Reviewed-by: Jiri Olsa
---
arch/x86/mm/init_64.c | 2 +-
fs/proc/kcore.c | 4
include/linux/kcore.h | 1
On 2017/12/29 8:48 PM, Ingo Molnar wrote:
>
> * Jia Zhang wrote:
>
>>
>>
>> On 2017/12/28 8:24 PM, Ingo Molnar wrote:
>>>
>>> * Jia Zhang wrote:
>>>
>>>> Instead of blacklisting all types of Broadwell processor when running
>>>
On 2017/12/29 9:44 PM, Borislav Petkov wrote:
> On Fri, Dec 29, 2017 at 09:17:34PM +0800, Jia Zhang wrote:
>> Namely, the end user has to make a BIOS update to uprev the microcode.
>
> Not quite: end user is dependent on the OEM to get a BIOS update.
>
> What is meant with
x86_mask is a confusing name. It is hard to associate it with
processor's stepping.
Additionally, correct an indent issue in lib/cpu.c.
Signed-off-by: Jia Zhang
---
arch/x86/events/intel/core.c | 2 +-
arch/x86/events/intel/lbr.c | 2 +-
arch/x86/events/intel
the item BDF90 for details).
Signed-off-by: Jia Zhang
---
arch/x86/kernel/cpu/microcode/intel.c | 14 +++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/intel.c
b/arch/x86/kernel/cpu/microcode/intel.c
index 99af05f..42896bb 100644
--- a
Thanks for your comments. Happy new year!
Jia
On 2018/1/2 6:10 AM, Borislav Petkov wrote:
> On Mon, Jan 01, 2018 at 10:04:47AM +0800, Jia Zhang wrote:
>> Instead of blacklisting all types of Broadwell processor when running
>> a late loading, only BDW-EP (signature 0x406f1, aka fam
Instead of blacklisting all Broadwell processorsi for running a late
loading, only BDW-EP (signature 406f1) with the microcode version
less than 0x0b21 needs to be blacklisted.
This is documented in the the public documentation #334165 (See the
item BDF90 for details).
Signed-off-by: Jia
Sorry I should remove UTF-8 characters in comment lines. Plz ignore this
patch.
Cheers,
Jia
On 2017/12/25 3:30 PM, Jia Zhang wrote:
> Instead of blacklisting all Broadwell processorsi for running a late
> loading, only BDW-EP (signature 406f1) with the microcode version
> less than 0x0b000
Instead of blacklisting all Broadwell processorsi for running a late
loading, only BDW-EP (signature 406f1) with the microcode version
less than 0x0b21 needs to be blacklisted.
This is documented in the the public documentation #334165 (See the
item BDF90 for details).
Signed-off-by: Jia
On 2017/12/25 9:34 PM, Borislav Petkov wrote:
> + Tony.
>
> On Mon, Dec 25, 2017 at 03:49:29PM +0800, Jia Zhang wrote:
>> Instead of blacklisting all Broadwell processorsi for running a late
>> loading, only BDW-EP (signature 406f1) with the microcode version
>> less
Instead of blacklisting all Broadwell processorsi for running a late
loading, only BDW-EP (signature 406f1) with the microcode version
less than 0x0b21 needs to be blacklisted.
This is documented in the the public documentation #334165 (See the
item BDF90 for details).
Signed-off-by: Jia
On 2017/12/26 6:51 PM, Borislav Petkov wrote:
> On Tue, Dec 26, 2017 at 09:44:31AM +0800, Jia Zhang wrote:
>> Instead of blacklisting all Broadwell processorsi for running a late
> ^^^
>
> Please run all text in this patch thro
the item BDF90 for details).
Signed-off-by: Jia Zhang
---
arch/x86/kernel/cpu/microcode/intel.c | 12 ++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/arch/x86/kernel/cpu/microcode/intel.c
b/arch/x86/kernel/cpu/microcode/intel.c
index 8ccdca6..79cad85 100644
--- a
On 2017/12/28 8:24 PM, Ingo Molnar wrote:
>
> * Jia Zhang wrote:
>
>> Instead of blacklisting all types of Broadwell processor when running
>> a late loading, only BDW-EP (signature 0x406f1, aka family 6, model 79,
>> stepping 1) with the microcode version less tha
80102]
>> [cannot apply to tip/x86/core]
>> [if your patch is applied to the wrong git tree, please drop us a note to
>> help improve the system]
>>
>> url:
>> https://github.com/0day-ci/linux/commits/Jia-Zhang/x86-microcode-intel-Blacklist-the-specific-BDW
Commit-ID: 7e702d17ed138cf4ae7c00e8c00681ed464587c7
Gitweb: https://git.kernel.org/tip/7e702d17ed138cf4ae7c00e8c00681ed464587c7
Author: Jia Zhang
AuthorDate: Tue, 23 Jan 2018 11:41:32 +0100
Committer: Thomas Gleixner
CommitDate: Wed, 24 Jan 2018 13:00:35 +0100
x86/microcode/intel
Commit-ID: b94b7373317164402ff7728d10f7023127a02b60
Gitweb: https://git.kernel.org/tip/b94b7373317164402ff7728d10f7023127a02b60
Author: Jia Zhang
AuthorDate: Mon, 1 Jan 2018 10:04:47 +0800
Committer: Thomas Gleixner
CommitDate: Sat, 6 Jan 2018 14:44:57 +0100
x86/microcode/intel
Commit-ID: 81d30225bc0c246b53270eb90b23cfbb941a186d
Gitweb: https://git.kernel.org/tip/81d30225bc0c246b53270eb90b23cfbb941a186d
Author: Jia Zhang
AuthorDate: Mon, 1 Apr 2019 19:40:45 +0800
Committer: Ingo Molnar
CommitDate: Wed, 8 May 2019 13:13:57 +0200
x86/vdso: Remove hpet_page
Commit-ID: 705acedd7fcb81a1e2be2560a1fdd16a429357f6
Gitweb: https://git.kernel.org/tip/705acedd7fcb81a1e2be2560a1fdd16a429357f6
Author: Jia Zhang
AuthorDate: Mon, 1 Apr 2019 19:40:45 +0800
Committer: Thomas Gleixner
CommitDate: Fri, 5 Apr 2019 13:07:03 +0200
x86/vdso: Remove hpet_page
Commit-ID: b399151cb48db30ad1e0e93dd40d68c6d007b637
Gitweb: https://git.kernel.org/tip/b399151cb48db30ad1e0e93dd40d68c6d007b637
Author: Jia Zhang
AuthorDate: Mon, 1 Jan 2018 09:52:10 +0800
Committer: Ingo Molnar
CommitDate: Thu, 15 Feb 2018 01:15:52 +0100
x86/cpu: Rename
Commit-ID: 595dd46ebfc10be041a365d0a3fa99df50b6ba73
Gitweb: https://git.kernel.org/tip/595dd46ebfc10be041a365d0a3fa99df50b6ba73
Author: Jia Zhang
AuthorDate: Mon, 12 Feb 2018 22:44:53 +0800
Committer: Ingo Molnar
CommitDate: Tue, 13 Feb 2018 09:15:58 +0100
vfs/proc/kcore, x86/mm/kcore
Commit-ID: cd026ca2861e7f384d677626a483da797c76b9da
Gitweb: https://git.kernel.org/tip/cd026ca2861e7f384d677626a483da797c76b9da
Author: Jia Zhang
AuthorDate: Mon, 12 Feb 2018 22:44:54 +0800
Committer: Ingo Molnar
CommitDate: Tue, 13 Feb 2018 09:15:59 +0100
x86/mm/kcore: Add vsyscall
Commit-ID: 93cce6eeafb7c90b9175ffe01913c4930fc4
Gitweb: https://git.kernel.org/tip/93cce6eeafb7c90b9175ffe01913c4930fc4
Author: Jia Zhang
AuthorDate: Mon, 1 Jan 2018 09:52:10 +0800
Committer: Ingo Molnar
CommitDate: Tue, 13 Feb 2018 19:23:43 +0100
x86/cpu: Rename