2022-07-25 08:48:07

by 黄杰

[permalink] [raw]
Subject: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG

From: "huangjie.albert" <[email protected]>

the verify_sha256_digest may cost 300+ ms in my test environment:
bzImage: 53M initramfs:28M

We can add a macro to control whether to enable this check. If we
can confirm that the data in this will not change, we can turn off
the check and get a faster startup.

Signed-off-by: huangjie.albert <[email protected]>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/purgatory/purgatory.c | 7 +++++++
2 files changed, 16 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..adbd3a2bd60f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2052,6 +2052,15 @@ config KEXEC_BZIMAGE_VERIFY_SIG
help
Enable bzImage signature verification support.

+config KEXEC_PURGATORY_SKIP_SIG
+ bool "skip kexec purgatory signature verification"
+ depends on ARCH_HAS_KEXEC_PURGATORY
+ help
+ this options makes the kexec purgatory do not signature verification
+ which would get hundreds of milliseconds saved during kexec boot. If we can
+ confirm that the data of each segment loaded by kexec will not change we may
+ enable this option
+
config CRASH_DUMP
bool "kernel crash dumps"
depends on X86_64 || (X86_32 && HIGHMEM)
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index 7558139920f8..b3f15774d86d 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -20,6 +20,12 @@ u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE] __section(".kexec-purgatory");

struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX] __section(".kexec-purgatory");

+#ifdef CONFIG_KEXEC_PURGATORY_SKIP_SIG
+static int verify_sha256_digest(void)
+{
+ return 0;
+}
+#else
static int verify_sha256_digest(void)
{
struct kexec_sha_region *ptr, *end;
@@ -39,6 +45,7 @@ static int verify_sha256_digest(void)

return 0;
}
+#endif

void purgatory(void)
{
--
2.31.1


2022-07-25 12:36:59

by Jason A. Donenfeld

[permalink] [raw]
Subject: Re: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG

Hi Albert,

On Mon, Jul 25, 2022 at 04:38:54PM +0800, Albert Huang wrote:
> +config KEXEC_PURGATORY_SKIP_SIG
> + bool "skip kexec purgatory signature verification"
> + depends on ARCH_HAS_KEXEC_PURGATORY
> + help
> + this options makes the kexec purgatory do not signature verification
> + which would get hundreds of milliseconds saved during kexec boot. If we can
> + confirm that the data of each segment loaded by kexec will not change we may
> + enable this option
> +

Some grammar nits here, but actually, wouldn't it be better to make this
depend on some other signature things instead? Like if the parent kernel
actually did a big signature computation, then maybe the purgatory step
is needed, but if it didn't bother, then maybe you can skip it. This
way, you don't need a compile-time option that might change some aspect
of signature verification people might otherwise be relying on.

Jason

2022-07-25 13:10:26

by 黄杰

[permalink] [raw]
Subject: Fwd: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG

---------- Forwarded message ---------
发件人: Albert Huang <[email protected]>
Date: 2022年7月25日周一 16:40
Subject: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
To:
Cc: huangjie.albert <[email protected]>, Thomas Gleixner
<[email protected]>, Ingo Molnar <[email protected]>, Borislav Petkov
<[email protected]>, Dave Hansen <[email protected]>,
<[email protected]>, H. Peter Anvin <[email protected]>, Eric Biederman
<[email protected]>, Masahiro Yamada <[email protected]>,
Michal Marek <[email protected]>, Nick Desaulniers
<[email protected]>, Kirill A. Shutemov
<[email protected]>, Brijesh Singh
<[email protected]>, Michael Roth <[email protected]>, Nathan
Chancellor <[email protected]>, Kuppuswamy Sathyanarayanan
<[email protected]>, Ard Biesheuvel
<[email protected]>, Peter Zijlstra <[email protected]>, Sean
Christopherson <[email protected]>, Joerg Roedel <[email protected]>,
Mark Rutland <[email protected]>, Kees Cook
<[email protected]>, <[email protected]>,
<[email protected]>, <[email protected]>


From: "huangjie.albert" <[email protected]>

the verify_sha256_digest may cost 300+ ms in my test environment:
bzImage: 53M initramfs:28M

We can add a macro to control whether to enable this check. If we
can confirm that the data in this will not change, we can turn off
the check and get a faster startup.

Signed-off-by: huangjie.albert <[email protected]>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/purgatory/purgatory.c | 7 +++++++
2 files changed, 16 insertions(+)

diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..adbd3a2bd60f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2052,6 +2052,15 @@ config KEXEC_BZIMAGE_VERIFY_SIG
help
Enable bzImage signature verification support.

+config KEXEC_PURGATORY_SKIP_SIG
+ bool "skip kexec purgatory signature verification"
+ depends on ARCH_HAS_KEXEC_PURGATORY
+ help
+ this options makes the kexec purgatory do not signature verification
+ which would get hundreds of milliseconds saved during kexec
boot. If we can
+ confirm that the data of each segment loaded by kexec will
not change we may
+ enable this option
+
config CRASH_DUMP
bool "kernel crash dumps"
depends on X86_64 || (X86_32 && HIGHMEM)
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index 7558139920f8..b3f15774d86d 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -20,6 +20,12 @@ u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE]
__section(".kexec-purgatory");

struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX]
__section(".kexec-purgatory");

+#ifdef CONFIG_KEXEC_PURGATORY_SKIP_SIG
+static int verify_sha256_digest(void)
+{
+ return 0;
+}
+#else
static int verify_sha256_digest(void)
{
struct kexec_sha_region *ptr, *end;
@@ -39,6 +45,7 @@ static int verify_sha256_digest(void)

return 0;
}
+#endif

void purgatory(void)
{
--
2.31.1

2022-07-25 13:47:23

by 黄杰

[permalink] [raw]
Subject: Re: [External] Re: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG

maybe a boot parameter ?

Jason A. Donenfeld <[email protected]> 于2022年7月25日周一 20:15写道:
>
> Hi Albert,
>
> On Mon, Jul 25, 2022 at 04:38:54PM +0800, Albert Huang wrote:
> > +config KEXEC_PURGATORY_SKIP_SIG
> > + bool "skip kexec purgatory signature verification"
> > + depends on ARCH_HAS_KEXEC_PURGATORY
> > + help
> > + this options makes the kexec purgatory do not signature verification
> > + which would get hundreds of milliseconds saved during kexec boot. If we can
> > + confirm that the data of each segment loaded by kexec will not change we may
> > + enable this option
> > +
>
> Some grammar nits here, but actually, wouldn't it be better to make this
> depend on some other signature things instead? Like if the parent kernel
> actually did a big signature computation, then maybe the purgatory step
> is needed, but if it didn't bother, then maybe you can skip it. This
> way, you don't need a compile-time option that might change some aspect
> of signature verification people might otherwise be relying on.
>
> Jason

2022-07-28 03:03:06

by 黄杰

[permalink] [raw]
Subject: Re: [External] Re: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG

Does anyone know why this sha256 checksum is put here? I feel that it
is better to put it in the system call of kexec -e.
If the verification is not passed, the second kernel will not be
started, and some prompt information will be printed at the
same time, which seems to be better than when the second kernel is
started. Doing the verification operation will be more friendly,
and it can also reduce downtime.

黄杰 <[email protected]> 于2022年7月25日周一 21:32写道:
>
> maybe a boot parameter ?
>
> Jason A. Donenfeld <[email protected]> 于2022年7月25日周一 20:15写道:
> >
> > Hi Albert,
> >
> > On Mon, Jul 25, 2022 at 04:38:54PM +0800, Albert Huang wrote:
> > > +config KEXEC_PURGATORY_SKIP_SIG
> > > + bool "skip kexec purgatory signature verification"
> > > + depends on ARCH_HAS_KEXEC_PURGATORY
> > > + help
> > > + this options makes the kexec purgatory do not signature verification
> > > + which would get hundreds of milliseconds saved during kexec boot. If we can
> > > + confirm that the data of each segment loaded by kexec will not change we may
> > > + enable this option
> > > +
> >
> > Some grammar nits here, but actually, wouldn't it be better to make this
> > depend on some other signature things instead? Like if the parent kernel
> > actually did a big signature computation, then maybe the purgatory step
> > is needed, but if it didn't bother, then maybe you can skip it. This
> > way, you don't need a compile-time option that might change some aspect
> > of signature verification people might otherwise be relying on.
> >
> > Jason