After introducing zboot image, kexec_file can not load and jump to the
new style image. Hence it demands a method to load the new kernel.
The crux of the problem lies in when and how to decompress the Image.gz.
There are three possible courses to take: -1. in user space, but hard to
achieve due to the signature verification inside the kernel. -2. at the
boot time, let the efi_zboot_entry() handles it, which means a simulated
EFI service should be provided to that entry, especially about how to be
aware of the memory layout. -3. in kernel space, during the file load
of the zboot image. At that point, the kernel masters the whole memory
information, and easily allocates a suitable memory for the decompressed
kernel image. (I think this is similar to what grub does today).
The core of this series is [5/6]. [3,6/6] handles the config option.
The assumption of [3/6] is kexec_file_load is independent of zboot,
especially it can load kernel images compressed with different
compression method. [6/6] is if EFI_ZBOOT, the corresponding
decompression method should be included.
Cc: Catalin Marinas <[email protected]>
Cc: Will Deacon <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: [email protected]
To: [email protected]
To: [email protected]
Pingfan Liu (6):
arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
lib/decompress: Introduce decompress_method_by_name()
arm64: Kconfig: Pick decompressing method for kexec file load
lib/decompress: Keep decompress routines based on selection
arm64: kexec: Introduce zboot image loader
init/Kconfig: Select decompressing method if compressing kernel
arch/arm64/Kconfig | 59 ++++++
arch/arm64/include/asm/kexec.h | 4 +-
arch/arm64/kernel/Makefile | 2 +-
.../{kexec_image.c => kexec_raw_image.c} | 2 +-
arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
arch/arm64/kernel/machine_kexec.c | 1 +
arch/arm64/kernel/machine_kexec_file.c | 3 +-
include/linux/decompress/generic.h | 2 +
include/linux/decompress/mm.h | 9 +-
include/linux/zboot.h | 26 +++
init/Kconfig | 7 +
lib/Kconfig | 3 +
lib/decompress.c | 17 +-
13 files changed, 314 insertions(+), 7 deletions(-)
rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
create mode 100644 include/linux/zboot.h
--
2.31.1
The zboot image packs the compressed file in the data section. Instead
of starting with the zip file header. It records the compressing method
name 'gzip','lzma' etc in the zboot image header.
Hence it is easier to decide the decompressing method by the name than
by the magic number.
Signed-off-by: Pingfan Liu <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: [email protected]
To: [email protected]
---
include/linux/decompress/generic.h | 2 ++
lib/decompress.c | 14 +++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/include/linux/decompress/generic.h b/include/linux/decompress/generic.h
index 207d80138db5..077f15ce77b9 100644
--- a/include/linux/decompress/generic.h
+++ b/include/linux/decompress/generic.h
@@ -37,4 +37,6 @@ typedef int (*decompress_fn) (unsigned char *inbuf, long len,
decompress_fn decompress_method(const unsigned char *inbuf, long len,
const char **name);
+decompress_fn decompress_method_by_name(const unsigned char *name);
+
#endif
diff --git a/lib/decompress.c b/lib/decompress.c
index ab3fc90ffc64..8dd6f87e885f 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -2,7 +2,7 @@
/*
* decompress.c
*
- * Detect the decompression method based on magic number
+ * Detect the decompression method based on magic number or name
*/
#include <linux/decompress/generic.h>
@@ -82,3 +82,15 @@ decompress_fn __init decompress_method(const unsigned char *inbuf, long len,
*name = cf->name;
return cf->decompressor;
}
+
+decompress_fn __init decompress_method_by_name(const unsigned char *name)
+{
+ const struct compress_format *cf;
+
+ for (cf = compressed_formats; cf->name; cf++) {
+ if (!strcmp(name, cf->name))
+ break;
+
+ }
+ return cf->decompressor;
+}
--
2.31.1
At present, many decompressing routines in lib/decompress*.c are in
__section(".init.text"). But they are required to decompress the kernel
image when kexec file load compressed kernel.
To solve this issue, define 'INIT' conditional based on the macro
CONFIG_HAVE_KEXEC_DECOMPRESS. Also make lib/decompress.c adopt this way.
Signed-off-by: Pingfan Liu <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: [email protected]
To: [email protected]
---
include/linux/decompress/mm.h | 9 ++++++++-
lib/decompress.c | 5 +++--
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
index 9192986b1a73..33d8fd13a5c6 100644
--- a/include/linux/decompress/mm.h
+++ b/include/linux/decompress/mm.h
@@ -92,11 +92,18 @@ MALLOC_VISIBLE void free(void *where)
#define large_malloc(a) vmalloc(a)
#define large_free(a) vfree(a)
-#define INIT __init
#define STATIC
#include <linux/init.h>
+#ifndef CONFIG_HAVE_KEXEC_DECOMPRESS
+#define INIT __init
+#else
+#define INIT
+#undef __initconst
+#define __initconst
+#endif
+
#endif /* STATIC */
#endif /* DECOMPR_MM_H */
diff --git a/lib/decompress.c b/lib/decompress.c
index 8dd6f87e885f..33f097fe4b51 100644
--- a/lib/decompress.c
+++ b/lib/decompress.c
@@ -6,6 +6,7 @@
*/
#include <linux/decompress/generic.h>
+#include <linux/decompress/mm.h>
#include <linux/decompress/bunzip2.h>
#include <linux/decompress/unlzma.h>
@@ -60,7 +61,7 @@ static const struct compress_format compressed_formats[] __initconst = {
{ {0, 0}, NULL, NULL }
};
-decompress_fn __init decompress_method(const unsigned char *inbuf, long len,
+decompress_fn INIT decompress_method(const unsigned char *inbuf, long len,
const char **name)
{
const struct compress_format *cf;
@@ -83,7 +84,7 @@ decompress_fn __init decompress_method(const unsigned char *inbuf, long len,
return cf->decompressor;
}
-decompress_fn __init decompress_method_by_name(const unsigned char *name)
+decompress_fn INIT decompress_method_by_name(const unsigned char *name)
{
const struct compress_format *cf;
--
2.31.1
If choosing an EFI_ZBOOT image, the corresponding decompressing method
should be selected so that kexec can load that zboot image.
This can be achieved when "Kernel compression mode" is determined.
Signed-off-by: Pingfan Liu <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Nick Desaulniers <[email protected]>
Cc: Masahiro Yamada <[email protected]>
Cc: Johannes Weiner <[email protected]>
Cc: Nathan Chancellor <[email protected]>
Cc: Miguel Ojeda <[email protected]>
Cc: Masami Hiramatsu <[email protected]>
Cc: Ard Biesheuvel <[email protected]>
Cc: [email protected]
To: [email protected]
---
init/Kconfig | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/init/Kconfig b/init/Kconfig
index 44e90b28a30f..046724208645 100644
--- a/init/Kconfig
+++ b/init/Kconfig
@@ -269,6 +269,7 @@ choice
config KERNEL_GZIP
bool "Gzip"
depends on HAVE_KERNEL_GZIP
+ select KEXEC_DECOMPRESS_GZIP if KEXEC_FILE && EFI_ZBOOT
help
The old and tried gzip compression. It provides a good balance
between compression ratio and decompression speed.
@@ -276,6 +277,7 @@ config KERNEL_GZIP
config KERNEL_BZIP2
bool "Bzip2"
depends on HAVE_KERNEL_BZIP2
+ select KEXEC_DECOMPRESS_BZIP2 if KEXEC_FILE && EFI_ZBOOT
help
Its compression ratio and speed is intermediate.
Decompression speed is slowest among the choices. The kernel
@@ -286,6 +288,7 @@ config KERNEL_BZIP2
config KERNEL_LZMA
bool "LZMA"
depends on HAVE_KERNEL_LZMA
+ select KEXEC_DECOMPRESS_LZMA if KEXEC_FILE && EFI_ZBOOT
help
This compression algorithm's ratio is best. Decompression speed
is between gzip and bzip2. Compression is slowest.
@@ -294,6 +297,7 @@ config KERNEL_LZMA
config KERNEL_XZ
bool "XZ"
depends on HAVE_KERNEL_XZ
+ select KEXEC_DECOMPRESS_XZ if KEXEC_FILE && EFI_ZBOOT
help
XZ uses the LZMA2 algorithm and instruction set specific
BCJ filters which can improve compression ratio of executable
@@ -309,6 +313,7 @@ config KERNEL_XZ
config KERNEL_LZO
bool "LZO"
depends on HAVE_KERNEL_LZO
+ select KEXEC_DECOMPRESS_LZO if KEXEC_FILE && EFI_ZBOOT
help
Its compression ratio is the poorest among the choices. The kernel
size is about 10% bigger than gzip; however its speed
@@ -317,6 +322,7 @@ config KERNEL_LZO
config KERNEL_LZ4
bool "LZ4"
depends on HAVE_KERNEL_LZ4
+ select KEXEC_DECOMPRESS_LZ4 if KEXEC_FILE && EFI_ZBOOT
help
LZ4 is an LZ77-type compressor with a fixed, byte-oriented encoding.
A preliminary version of LZ4 de/compression tool is available at
@@ -329,6 +335,7 @@ config KERNEL_LZ4
config KERNEL_ZSTD
bool "ZSTD"
depends on HAVE_KERNEL_ZSTD
+ select KEXEC_DECOMPRESS_ZSTD if KEXEC_FILE && EFI_ZBOOT
help
ZSTD is a compression algorithm targeting intermediate compression
with fast decompression speed. It will compress better than GZIP and
--
2.31.1
(cc Mark)
Hello Pingfan,
Thanks for working on this.
On Mon, 6 Mar 2023 at 04:03, Pingfan Liu <[email protected]> wrote:
>
> After introducing zboot image, kexec_file can not load and jump to the
> new style image. Hence it demands a method to load the new kernel.
>
> The crux of the problem lies in when and how to decompress the Image.gz.
> There are three possible courses to take: -1. in user space, but hard to
> achieve due to the signature verification inside the kernel.
That depends. The EFI zboot image encapsulates another PE/COFF image,
which could be signed as well.
So there are at least three other options here:
- sign the encapsulated image with the same key as the zboot image
- sign the encapsulated image with a key that is only valid for kexec boot
- sign the encapsulated image with an ephemeral key that is only valid
for a kexec'ing an image that was produced by the same kernel build
> -2. at the
> boot time, let the efi_zboot_entry() handles it, which means a simulated
> EFI service should be provided to that entry, especially about how to be
> aware of the memory layout.
This is actually an idea I intend to explore: with the EFI runtime
services regions mapped 1:1, it wouldn't be too hard to implement a
minimal environment that can run the zboot image under the previous
kernel up to the point where it call ExitBootServices(), after which
kexec() would take over.
> -3. in kernel space, during the file load
> of the zboot image. At that point, the kernel masters the whole memory
> information, and easily allocates a suitable memory for the decompressed
> kernel image. (I think this is similar to what grub does today).
>
GRUB just calls LoadImage(), and the decompression code runs in the EFI context.
> The core of this series is [5/6]. [3,6/6] handles the config option.
> The assumption of [3/6] is kexec_file_load is independent of zboot,
> especially it can load kernel images compressed with different
> compression method. [6/6] is if EFI_ZBOOT, the corresponding
> decompression method should be included.
>
>
> Cc: Catalin Marinas <[email protected]>
> Cc: Will Deacon <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: Ard Biesheuvel <[email protected]>
> Cc: [email protected]
> To: [email protected]
> To: [email protected]
>
> Pingfan Liu (6):
> arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
> lib/decompress: Introduce decompress_method_by_name()
> arm64: Kconfig: Pick decompressing method for kexec file load
> lib/decompress: Keep decompress routines based on selection
> arm64: kexec: Introduce zboot image loader
> init/Kconfig: Select decompressing method if compressing kernel
>
> arch/arm64/Kconfig | 59 ++++++
> arch/arm64/include/asm/kexec.h | 4 +-
> arch/arm64/kernel/Makefile | 2 +-
> .../{kexec_image.c => kexec_raw_image.c} | 2 +-
> arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
> arch/arm64/kernel/machine_kexec.c | 1 +
> arch/arm64/kernel/machine_kexec_file.c | 3 +-
> include/linux/decompress/generic.h | 2 +
> include/linux/decompress/mm.h | 9 +-
> include/linux/zboot.h | 26 +++
> init/Kconfig | 7 +
> lib/Kconfig | 3 +
> lib/decompress.c | 17 +-
> 13 files changed, 314 insertions(+), 7 deletions(-)
> rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
> create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
> create mode 100644 include/linux/zboot.h
>
> --
> 2.31.1
>
Hi Ard,
Thanks for sharing your idea. Please see the comment.
On Mon, Mar 06, 2023 at 09:08:03AM +0100, Ard Biesheuvel wrote:
> (cc Mark)
>
> Hello Pingfan,
>
> Thanks for working on this.
>
> On Mon, 6 Mar 2023 at 04:03, Pingfan Liu <[email protected]> wrote:
> >
> > After introducing zboot image, kexec_file can not load and jump to the
> > new style image. Hence it demands a method to load the new kernel.
> >
> > The crux of the problem lies in when and how to decompress the Image.gz.
> > There are three possible courses to take: -1. in user space, but hard to
> > achieve due to the signature verification inside the kernel.
>
> That depends. The EFI zboot image encapsulates another PE/COFF image,
> which could be signed as well.
>
> So there are at least three other options here:
> - sign the encapsulated image with the same key as the zboot image
> - sign the encapsulated image with a key that is only valid for kexec boot
> - sign the encapsulated image with an ephemeral key that is only valid
> for a kexec'ing an image that was produced by the same kernel build
>
> > -2. at the
> > boot time, let the efi_zboot_entry() handles it, which means a simulated
> > EFI service should be provided to that entry, especially about how to be
> > aware of the memory layout.
>
> This is actually an idea I intend to explore: with the EFI runtime
> services regions mapped 1:1, it wouldn't be too hard to implement a
> minimal environment that can run the zboot image under the previous
The idea of the minimal environment lools amazing. After digging
more deeply into it, I think it means to implement most of the function
members in efi_boot_services, besides that, some UEFI protocols due to
the reference of efi_call_proto(). So a clear boundary between zboot and
its dependent EFI service is demanded before the work.
> kernel up to the point where it call ExitBootServices(), after which
> kexec() would take over.
>
IIUC, after kexec switches to efi_zboot_entry(), it will not return,
right?
> > -3. in kernel space, during the file load
> > of the zboot image. At that point, the kernel masters the whole memory
> > information, and easily allocates a suitable memory for the decompressed
> > kernel image. (I think this is similar to what grub does today).
> >
>
> GRUB just calls LoadImage(), and the decompression code runs in the EFI context.
>
Ah, thanks for the correcting. I had made an wrong assumption of grub
based on [1], from which, I thought that grub is the case "For
compatibility with non-EFI loaders, the payload can be decompressed and
executed by the loader as well, provided that the loader implements the
decompression algorithm and that non-EFI boot is supported by the
encapsulated image"
[1]: https://www.phoronix.com/news/Linux-6.1-Generic-EFI-Zboot
Eager to find a solution to kexec a zboot image. Hope it will come soon.
Thanks,
Pingfan
> > The core of this series is [5/6]. [3,6/6] handles the config option.
> > The assumption of [3/6] is kexec_file_load is independent of zboot,
> > especially it can load kernel images compressed with different
> > compression method. [6/6] is if EFI_ZBOOT, the corresponding
> > decompression method should be included.
> >
> >
> > Cc: Catalin Marinas <[email protected]>
> > Cc: Will Deacon <[email protected]>
> > Cc: Andrew Morton <[email protected]>
> > Cc: Ard Biesheuvel <[email protected]>
> > Cc: [email protected]
> > To: [email protected]
> > To: [email protected]
> >
> > Pingfan Liu (6):
> > arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
> > lib/decompress: Introduce decompress_method_by_name()
> > arm64: Kconfig: Pick decompressing method for kexec file load
> > lib/decompress: Keep decompress routines based on selection
> > arm64: kexec: Introduce zboot image loader
> > init/Kconfig: Select decompressing method if compressing kernel
> >
> > arch/arm64/Kconfig | 59 ++++++
> > arch/arm64/include/asm/kexec.h | 4 +-
> > arch/arm64/kernel/Makefile | 2 +-
> > .../{kexec_image.c => kexec_raw_image.c} | 2 +-
> > arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
> > arch/arm64/kernel/machine_kexec.c | 1 +
> > arch/arm64/kernel/machine_kexec_file.c | 3 +-
> > include/linux/decompress/generic.h | 2 +
> > include/linux/decompress/mm.h | 9 +-
> > include/linux/zboot.h | 26 +++
> > init/Kconfig | 7 +
> > lib/Kconfig | 3 +
> > lib/decompress.c | 17 +-
> > 13 files changed, 314 insertions(+), 7 deletions(-)
> > rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
> > create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
> > create mode 100644 include/linux/zboot.h
> >
> > --
> > 2.31.1
> >
On Tue, Mar 07, 2023 at 04:08:55PM +0800, Pingfan Liu wrote:
> Hi Ard,
>
> Thanks for sharing your idea. Please see the comment.
>
> On Mon, Mar 06, 2023 at 09:08:03AM +0100, Ard Biesheuvel wrote:
> > (cc Mark)
> >
> > Hello Pingfan,
> >
> > Thanks for working on this.
> >
> > On Mon, 6 Mar 2023 at 04:03, Pingfan Liu <[email protected]> wrote:
> > >
> > > After introducing zboot image, kexec_file can not load and jump to the
> > > new style image. Hence it demands a method to load the new kernel.
> > >
> > > The crux of the problem lies in when and how to decompress the Image.gz.
> > > There are three possible courses to take: -1. in user space, but hard to
> > > achieve due to the signature verification inside the kernel.
> >
> > That depends. The EFI zboot image encapsulates another PE/COFF image,
> > which could be signed as well.
> >
> > So there are at least three other options here:
> > - sign the encapsulated image with the same key as the zboot image
> > - sign the encapsulated image with a key that is only valid for kexec boot
> > - sign the encapsulated image with an ephemeral key that is only valid
> > for a kexec'ing an image that was produced by the same kernel build
> >
> > > -2. at the
> > > boot time, let the efi_zboot_entry() handles it, which means a simulated
> > > EFI service should be provided to that entry, especially about how to be
> > > aware of the memory layout.
> >
> > This is actually an idea I intend to explore: with the EFI runtime
> > services regions mapped 1:1, it wouldn't be too hard to implement a
> > minimal environment that can run the zboot image under the previous
>
> The idea of the minimal environment lools amazing. After digging
> more deeply into it, I think it means to implement most of the function
> members in efi_boot_services, besides that, some UEFI protocols due to
> the reference of efi_call_proto(). So a clear boundary between zboot and
> its dependent EFI service is demanded before the work.
>
Looking deeper into it. This approach may be splitted into the following
chunks:
-1. Estimation the memory demanded by the decompression of zboot, which
roughly includes the size of Image, the size of the emulated service and
the stack used by zboot. Finally we need a kexec_add_buffer() for this
range.
-2. The emulated EFI services and some initial data such as the physical
address of dtb, the usable memory start address and size should be set
by kexec_purgatory_get_set_symbol()
-3. Set up an identity mapping of the usable memory by zboot, prepare
stack and turn on MMU at the last point just before 'br efi_zboot_entry'
in relocate_kernel.S, which means relocate_kernel.S should support two
kinds of payload.
-4. For efi_zboot_entry(), if jumping from kexec, limit its requirement
to only a few boot services: e.g. allocate_pages, allocate_pool. So the
emulated services can be deduced.
> > kernel up to the point where it call ExitBootServices(), after which
> > kexec() would take over.
> >
>
> IIUC, after kexec switches to efi_zboot_entry(), it will not return,
> right?
>
I have this assumption because letting the control path switch between
kernel and non-kernel code is not a good idea.
Thanks,
Pingfan
> > > -3. in kernel space, during the file load
> > > of the zboot image. At that point, the kernel masters the whole memory
> > > information, and easily allocates a suitable memory for the decompressed
> > > kernel image. (I think this is similar to what grub does today).
> > >
> >
> > GRUB just calls LoadImage(), and the decompression code runs in the EFI context.
> >
>
> Ah, thanks for the correcting. I had made an wrong assumption of grub
> based on [1], from which, I thought that grub is the case "For
> compatibility with non-EFI loaders, the payload can be decompressed and
> executed by the loader as well, provided that the loader implements the
> decompression algorithm and that non-EFI boot is supported by the
> encapsulated image"
>
>
> [1]: https://www.phoronix.com/news/Linux-6.1-Generic-EFI-Zboot
>
>
> Eager to find a solution to kexec a zboot image. Hope it will come soon.
>
>
> Thanks,
>
> Pingfan
> > > The core of this series is [5/6]. [3,6/6] handles the config option.
> > > The assumption of [3/6] is kexec_file_load is independent of zboot,
> > > especially it can load kernel images compressed with different
> > > compression method. [6/6] is if EFI_ZBOOT, the corresponding
> > > decompression method should be included.
> > >
> > >
> > > Cc: Catalin Marinas <[email protected]>
> > > Cc: Will Deacon <[email protected]>
> > > Cc: Andrew Morton <[email protected]>
> > > Cc: Ard Biesheuvel <[email protected]>
> > > Cc: [email protected]
> > > To: [email protected]
> > > To: [email protected]
> > >
> > > Pingfan Liu (6):
> > > arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
> > > lib/decompress: Introduce decompress_method_by_name()
> > > arm64: Kconfig: Pick decompressing method for kexec file load
> > > lib/decompress: Keep decompress routines based on selection
> > > arm64: kexec: Introduce zboot image loader
> > > init/Kconfig: Select decompressing method if compressing kernel
> > >
> > > arch/arm64/Kconfig | 59 ++++++
> > > arch/arm64/include/asm/kexec.h | 4 +-
> > > arch/arm64/kernel/Makefile | 2 +-
> > > .../{kexec_image.c => kexec_raw_image.c} | 2 +-
> > > arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
> > > arch/arm64/kernel/machine_kexec.c | 1 +
> > > arch/arm64/kernel/machine_kexec_file.c | 3 +-
> > > include/linux/decompress/generic.h | 2 +
> > > include/linux/decompress/mm.h | 9 +-
> > > include/linux/zboot.h | 26 +++
> > > init/Kconfig | 7 +
> > > lib/Kconfig | 3 +
> > > lib/decompress.c | 17 +-
> > > 13 files changed, 314 insertions(+), 7 deletions(-)
> > > rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
> > > create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
> > > create mode 100644 include/linux/zboot.h
> > >
> > > --
> > > 2.31.1
> > >
Results from Linaro’s test farm.
> After introducing zboot image, kexec_file can not load and jump to the
> new style image. Hence it demands a method to load the new kernel.
...
This patch set build and boot tested on arm, arm64 and FVP.
> Cc: Catalin Marinas <[email protected]>
> Cc: Will Deacon <[email protected]>
> Cc: Andrew Morton <[email protected]>
> Cc: Ard Biesheuvel <[email protected]>
> Cc: [email protected]
> To: [email protected]
> To: [email protected]
Tested-by: Linux Kernel Functional Testing <[email protected]>
links to test results,
- https://qa-reports.linaro.org/~anders.roxell/linux-mainline-patches/build/lore_kernel_org_linux-arm-kernel_20230306030305_15595-1-kernelfans_gmail_com/?failures_only=false#!#test-results
--
Linaro LKFT
https://lkft.linaro.org
On Fri, 10 Mar 2023 at 12:18, Pingfan Liu <[email protected]> wrote:
>
> On Tue, Mar 07, 2023 at 04:08:55PM +0800, Pingfan Liu wrote:
> > Hi Ard,
> >
> > Thanks for sharing your idea. Please see the comment.
> >
> > On Mon, Mar 06, 2023 at 09:08:03AM +0100, Ard Biesheuvel wrote:
> > > (cc Mark)
> > >
> > > Hello Pingfan,
> > >
> > > Thanks for working on this.
> > >
> > > On Mon, 6 Mar 2023 at 04:03, Pingfan Liu <[email protected]> wrote:
> > > >
> > > > After introducing zboot image, kexec_file can not load and jump to the
> > > > new style image. Hence it demands a method to load the new kernel.
> > > >
> > > > The crux of the problem lies in when and how to decompress the Image.gz.
> > > > There are three possible courses to take: -1. in user space, but hard to
> > > > achieve due to the signature verification inside the kernel.
> > >
> > > That depends. The EFI zboot image encapsulates another PE/COFF image,
> > > which could be signed as well.
> > >
> > > So there are at least three other options here:
> > > - sign the encapsulated image with the same key as the zboot image
> > > - sign the encapsulated image with a key that is only valid for kexec boot
> > > - sign the encapsulated image with an ephemeral key that is only valid
> > > for a kexec'ing an image that was produced by the same kernel build
> > >
> > > > -2. at the
> > > > boot time, let the efi_zboot_entry() handles it, which means a simulated
> > > > EFI service should be provided to that entry, especially about how to be
> > > > aware of the memory layout.
> > >
> > > This is actually an idea I intend to explore: with the EFI runtime
> > > services regions mapped 1:1, it wouldn't be too hard to implement a
> > > minimal environment that can run the zboot image under the previous
> >
> > The idea of the minimal environment lools amazing. After digging
> > more deeply into it, I think it means to implement most of the function
> > members in efi_boot_services, besides that, some UEFI protocols due to
> > the reference of efi_call_proto(). So a clear boundary between zboot and
> > its dependent EFI service is demanded before the work.
> >
>
> Looking deeper into it. This approach may be splitted into the following
> chunks:
> -1. Estimation the memory demanded by the decompression of zboot, which
> roughly includes the size of Image, the size of the emulated service and
> the stack used by zboot. Finally we need a kexec_add_buffer() for this
> range.
>
> -2. The emulated EFI services and some initial data such as the physical
> address of dtb, the usable memory start address and size should be set
> by kexec_purgatory_get_set_symbol()
>
> -3. Set up an identity mapping of the usable memory by zboot, prepare
> stack and turn on MMU at the last point just before 'br efi_zboot_entry'
> in relocate_kernel.S, which means relocate_kernel.S should support two
> kinds of payload.
>
> -4. For efi_zboot_entry(), if jumping from kexec, limit its requirement
> to only a few boot services: e.g. allocate_pages, allocate_pool. So the
> emulated services can be deduced.
Hi Pingfan,
I'm not sure how hard it will be although Ard thinks it could be
doable. If it is not easy I suspect it is not worth the effort.
For your current series, my suggestion is you can try to move the
major code in the generic code path in kernel/kexec_file.c and keep
the arch code minimum so that in the future other arches can avoid
redundant code.
Otherwise a fallback solution could be using the same key to sign both
the zboot image and the internal kernel image like below:
1. sign the kernel with the same key twice (kernel image and zboot
image) in distro kernel
2. introduce a kconfig in mainline to sign the kernel image with an
ephemeral key same to kernel modules. Distro can disable the config
option. (in this way kexec can only load the same kernel, it is not
useful if people want to load older/newer kernels)
3. patch kexec-tools to decompress the zboot image and load the kernel image
>
> > > kernel up to the point where it call ExitBootServices(), after which
> > > kexec() would take over.
> > >
> >
> > IIUC, after kexec switches to efi_zboot_entry(), it will not return,
> > right?
> >
>
> I have this assumption because letting the control path switch between
> kernel and non-kernel code is not a good idea.
>
>
> Thanks,
>
> Pingfan
>
> > > > -3. in kernel space, during the file load
> > > > of the zboot image. At that point, the kernel masters the whole memory
> > > > information, and easily allocates a suitable memory for the decompressed
> > > > kernel image. (I think this is similar to what grub does today).
> > > >
> > >
> > > GRUB just calls LoadImage(), and the decompression code runs in the EFI context.
> > >
> >
> > Ah, thanks for the correcting. I had made an wrong assumption of grub
> > based on [1], from which, I thought that grub is the case "For
> > compatibility with non-EFI loaders, the payload can be decompressed and
> > executed by the loader as well, provided that the loader implements the
> > decompression algorithm and that non-EFI boot is supported by the
> > encapsulated image"
> >
> >
> > [1]: https://www.phoronix.com/news/Linux-6.1-Generic-EFI-Zboot
> >
> >
> > Eager to find a solution to kexec a zboot image. Hope it will come soon.
> >
> >
> > Thanks,
> >
> > Pingfan
> > > > The core of this series is [5/6]. [3,6/6] handles the config option.
> > > > The assumption of [3/6] is kexec_file_load is independent of zboot,
> > > > especially it can load kernel images compressed with different
> > > > compression method. [6/6] is if EFI_ZBOOT, the corresponding
> > > > decompression method should be included.
> > > >
> > > >
> > > > Cc: Catalin Marinas <[email protected]>
> > > > Cc: Will Deacon <[email protected]>
> > > > Cc: Andrew Morton <[email protected]>
> > > > Cc: Ard Biesheuvel <[email protected]>
> > > > Cc: [email protected]
> > > > To: [email protected]
> > > > To: [email protected]
> > > >
> > > > Pingfan Liu (6):
> > > > arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
> > > > lib/decompress: Introduce decompress_method_by_name()
> > > > arm64: Kconfig: Pick decompressing method for kexec file load
> > > > lib/decompress: Keep decompress routines based on selection
> > > > arm64: kexec: Introduce zboot image loader
> > > > init/Kconfig: Select decompressing method if compressing kernel
> > > >
> > > > arch/arm64/Kconfig | 59 ++++++
> > > > arch/arm64/include/asm/kexec.h | 4 +-
> > > > arch/arm64/kernel/Makefile | 2 +-
> > > > .../{kexec_image.c => kexec_raw_image.c} | 2 +-
> > > > arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
> > > > arch/arm64/kernel/machine_kexec.c | 1 +
> > > > arch/arm64/kernel/machine_kexec_file.c | 3 +-
> > > > include/linux/decompress/generic.h | 2 +
> > > > include/linux/decompress/mm.h | 9 +-
> > > > include/linux/zboot.h | 26 +++
> > > > init/Kconfig | 7 +
> > > > lib/Kconfig | 3 +
> > > > lib/decompress.c | 17 +-
> > > > 13 files changed, 314 insertions(+), 7 deletions(-)
> > > > rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
> > > > create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
> > > > create mode 100644 include/linux/zboot.h
> > > >
> > > > --
> > > > 2.31.1
> > > >
>
> _______________________________________________
> kexec mailing list
> [email protected]
> http://lists.infradead.org/mailman/listinfo/kexec
>
Hi Dave,
Thanks for your suggestion. Please see the comment inlined.
On Wed, Mar 22, 2023 at 11:44:52AM +0800, Dave Young wrote:
> On Fri, 10 Mar 2023 at 12:18, Pingfan Liu <[email protected]> wrote:
> >
> > On Tue, Mar 07, 2023 at 04:08:55PM +0800, Pingfan Liu wrote:
> > > Hi Ard,
> > >
> > > Thanks for sharing your idea. Please see the comment.
> > >
> > > On Mon, Mar 06, 2023 at 09:08:03AM +0100, Ard Biesheuvel wrote:
> > > > (cc Mark)
> > > >
> > > > Hello Pingfan,
> > > >
> > > > Thanks for working on this.
> > > >
> > > > On Mon, 6 Mar 2023 at 04:03, Pingfan Liu <[email protected]> wrote:
> > > > >
> > > > > After introducing zboot image, kexec_file can not load and jump to the
> > > > > new style image. Hence it demands a method to load the new kernel.
> > > > >
> > > > > The crux of the problem lies in when and how to decompress the Image.gz.
> > > > > There are three possible courses to take: -1. in user space, but hard to
> > > > > achieve due to the signature verification inside the kernel.
> > > >
> > > > That depends. The EFI zboot image encapsulates another PE/COFF image,
> > > > which could be signed as well.
> > > >
> > > > So there are at least three other options here:
> > > > - sign the encapsulated image with the same key as the zboot image
> > > > - sign the encapsulated image with a key that is only valid for kexec boot
> > > > - sign the encapsulated image with an ephemeral key that is only valid
> > > > for a kexec'ing an image that was produced by the same kernel build
> > > >
> > > > > -2. at the
> > > > > boot time, let the efi_zboot_entry() handles it, which means a simulated
> > > > > EFI service should be provided to that entry, especially about how to be
> > > > > aware of the memory layout.
> > > >
> > > > This is actually an idea I intend to explore: with the EFI runtime
> > > > services regions mapped 1:1, it wouldn't be too hard to implement a
> > > > minimal environment that can run the zboot image under the previous
> > >
> > > The idea of the minimal environment lools amazing. After digging
> > > more deeply into it, I think it means to implement most of the function
> > > members in efi_boot_services, besides that, some UEFI protocols due to
> > > the reference of efi_call_proto(). So a clear boundary between zboot and
> > > its dependent EFI service is demanded before the work.
> > >
> >
> > Looking deeper into it. This approach may be splitted into the following
> > chunks:
> > -1. Estimation the memory demanded by the decompression of zboot, which
> > roughly includes the size of Image, the size of the emulated service and
> > the stack used by zboot. Finally we need a kexec_add_buffer() for this
> > range.
> >
> > -2. The emulated EFI services and some initial data such as the physical
> > address of dtb, the usable memory start address and size should be set
> > by kexec_purgatory_get_set_symbol()
> >
> > -3. Set up an identity mapping of the usable memory by zboot, prepare
> > stack and turn on MMU at the last point just before 'br efi_zboot_entry'
> > in relocate_kernel.S, which means relocate_kernel.S should support two
> > kinds of payload.
> >
> > -4. For efi_zboot_entry(), if jumping from kexec, limit its requirement
> > to only a few boot services: e.g. allocate_pages, allocate_pool. So the
> > emulated services can be deduced.
>
> Hi Pingfan,
>
> I'm not sure how hard it will be although Ard thinks it could be
> doable. If it is not easy I suspect it is not worth the effort.
>
Yes, it is a little hard comparing to the original patch. But I am also
trying in that direction.
> For your current series, my suggestion is you can try to move the
> major code in the generic code path in kernel/kexec_file.c and keep
> the arch code minimum so that in the future other arches can avoid
> redundant code.
>
OK. I will do it.
> Otherwise a fallback solution could be using the same key to sign both
> the zboot image and the internal kernel image like below:
> 1. sign the kernel with the same key twice (kernel image and zboot
> image) in distro kernel
> 2. introduce a kconfig in mainline to sign the kernel image with an
> ephemeral key same to kernel modules. Distro can disable the config
> option. (in this way kexec can only load the same kernel, it is not
> useful if people want to load older/newer kernels)
> 3. patch kexec-tools to decompress the zboot image and load the kernel image
>
Yes, this is also a doable way. I will try it if more votes for it.
Thanks,
Pingfan
> >
> > > > kernel up to the point where it call ExitBootServices(), after which
> > > > kexec() would take over.
> > > >
> > >
> > > IIUC, after kexec switches to efi_zboot_entry(), it will not return,
> > > right?
> > >
> >
> > I have this assumption because letting the control path switch between
> > kernel and non-kernel code is not a good idea.
> >
> >
> > Thanks,
> >
> > Pingfan
> >
> > > > > -3. in kernel space, during the file load
> > > > > of the zboot image. At that point, the kernel masters the whole memory
> > > > > information, and easily allocates a suitable memory for the decompressed
> > > > > kernel image. (I think this is similar to what grub does today).
> > > > >
> > > >
> > > > GRUB just calls LoadImage(), and the decompression code runs in the EFI context.
> > > >
> > >
> > > Ah, thanks for the correcting. I had made an wrong assumption of grub
> > > based on [1], from which, I thought that grub is the case "For
> > > compatibility with non-EFI loaders, the payload can be decompressed and
> > > executed by the loader as well, provided that the loader implements the
> > > decompression algorithm and that non-EFI boot is supported by the
> > > encapsulated image"
> > >
> > >
> > > [1]: https://www.phoronix.com/news/Linux-6.1-Generic-EFI-Zboot
> > >
> > >
> > > Eager to find a solution to kexec a zboot image. Hope it will come soon.
> > >
> > >
> > > Thanks,
> > >
> > > Pingfan
> > > > > The core of this series is [5/6]. [3,6/6] handles the config option.
> > > > > The assumption of [3/6] is kexec_file_load is independent of zboot,
> > > > > especially it can load kernel images compressed with different
> > > > > compression method. [6/6] is if EFI_ZBOOT, the corresponding
> > > > > decompression method should be included.
> > > > >
> > > > >
> > > > > Cc: Catalin Marinas <[email protected]>
> > > > > Cc: Will Deacon <[email protected]>
> > > > > Cc: Andrew Morton <[email protected]>
> > > > > Cc: Ard Biesheuvel <[email protected]>
> > > > > Cc: [email protected]
> > > > > To: [email protected]
> > > > > To: [email protected]
> > > > >
> > > > > Pingfan Liu (6):
> > > > > arm64: kexec: Rename kexec_image.c to kexec_raw_image.c
> > > > > lib/decompress: Introduce decompress_method_by_name()
> > > > > arm64: Kconfig: Pick decompressing method for kexec file load
> > > > > lib/decompress: Keep decompress routines based on selection
> > > > > arm64: kexec: Introduce zboot image loader
> > > > > init/Kconfig: Select decompressing method if compressing kernel
> > > > >
> > > > > arch/arm64/Kconfig | 59 ++++++
> > > > > arch/arm64/include/asm/kexec.h | 4 +-
> > > > > arch/arm64/kernel/Makefile | 2 +-
> > > > > .../{kexec_image.c => kexec_raw_image.c} | 2 +-
> > > > > arch/arm64/kernel/kexec_zboot_image.c | 186 ++++++++++++++++++
> > > > > arch/arm64/kernel/machine_kexec.c | 1 +
> > > > > arch/arm64/kernel/machine_kexec_file.c | 3 +-
> > > > > include/linux/decompress/generic.h | 2 +
> > > > > include/linux/decompress/mm.h | 9 +-
> > > > > include/linux/zboot.h | 26 +++
> > > > > init/Kconfig | 7 +
> > > > > lib/Kconfig | 3 +
> > > > > lib/decompress.c | 17 +-
> > > > > 13 files changed, 314 insertions(+), 7 deletions(-)
> > > > > rename arch/arm64/kernel/{kexec_image.c => kexec_raw_image.c} (98%)
> > > > > create mode 100644 arch/arm64/kernel/kexec_zboot_image.c
> > > > > create mode 100644 include/linux/zboot.h
> > > > >
> > > > > --
> > > > > 2.31.1
> > > > >
> >
> > _______________________________________________
> > kexec mailing list
> > [email protected]
> > http://lists.infradead.org/mailman/listinfo/kexec
> >
>