Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754279AbdHYBVP (ORCPT ); Thu, 24 Aug 2017 21:21:15 -0400 Received: from mail-pg0-f54.google.com ([74.125.83.54]:36632 "EHLO mail-pg0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753891AbdHYBVN (ORCPT ); Thu, 24 Aug 2017 21:21:13 -0400 Date: Fri, 25 Aug 2017 10:21:06 +0900 From: AKASHI Takahiro To: Mark Rutland Cc: catalin.marinas@arm.com, will.deacon@arm.com, bauerman@linux.vnet.ibm.com, dhowells@redhat.com, vgoyal@redhat.com, herbert@gondor.apana.org.au, davem@davemloft.net, akpm@linux-foundation.org, mpe@ellerman.id.au, dyoung@redhat.com, bhe@redhat.com, arnd@arndb.de, ard.biesheuvel@linaro.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org Subject: Re: [PATCH 09/14] arm64: kexec_file: add sha256 digest check in purgatory Message-ID: <20170825012103.GB7245@akashi-kouhiroshi-no-MacBook-Air.local> Mail-Followup-To: AKASHI Takahiro , Mark Rutland , catalin.marinas@arm.com, will.deacon@arm.com, bauerman@linux.vnet.ibm.com, dhowells@redhat.com, vgoyal@redhat.com, herbert@gondor.apana.org.au, davem@davemloft.net, akpm@linux-foundation.org, mpe@ellerman.id.au, dyoung@redhat.com, bhe@redhat.com, arnd@arndb.de, ard.biesheuvel@linaro.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org References: <20170824081811.19299-1-takahiro.akashi@linaro.org> <20170824081811.19299-10-takahiro.akashi@linaro.org> <20170824170440.GD29665@leverpostej> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20170824170440.GD29665@leverpostej> User-Agent: Mutt/1.8.3 (2017-05-23) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 4533 Lines: 180 On Thu, Aug 24, 2017 at 06:04:40PM +0100, Mark Rutland wrote: > On Thu, Aug 24, 2017 at 05:18:06PM +0900, AKASHI Takahiro wrote: > > Most of sha256 code is based on crypto/sha256-glue.c, particularly using > > non-neon version. > > > > Please note that we won't be able to re-use lib/mem*.S for purgatory > > because unaligned memory access is not allowed in purgatory where mmu > > is turned off. > > > > Since purgatory is not linked with the other part of kernel, care must be > > taken of selecting an appropriate set of compiler options in order to > > prevent undefined symbol references from being generated. > > What is the point in performing this check in the purgatory code, when > this will presumably have been checked when the image is loaded? Well, this is what x86 does :) On powerpc, meanwhile, they don't have this check. Maybe to avoid booting corrupted kernel after loading? (loaded data are now protected by making them unmapped, though.) > [...] > > > diff --git a/arch/arm64/purgatory/entry.S b/arch/arm64/purgatory/entry.S > > index bc4e6b3bf8a1..74d028b838bd 100644 > > --- a/arch/arm64/purgatory/entry.S > > +++ b/arch/arm64/purgatory/entry.S > > @@ -6,6 +6,11 @@ > > .text > > > > ENTRY(purgatory_start) > > + adr x19, .Lstack > > + mov sp, x19 > > + > > + bl purgatory > > + > > /* Start new image. */ > > ldr x17, arm64_kernel_entry > > ldr x0, arm64_dtb_addr > > @@ -15,6 +20,14 @@ ENTRY(purgatory_start) > > br x17 > > END(purgatory_start) > > > > +.ltorg > > + > > +.align 4 > > + .rept 256 > > + .quad 0 > > + .endr > > +.Lstack: > > + > > .data > > Why is the stack in .text? to call verify_sha256_digest() from asm > Does this need to be zeroed? No :) > If it does, why not something like: > > .fill PURGATORY_STACK_SIZE 1, 0 > > > > > .align 3 > > diff --git a/arch/arm64/purgatory/purgatory.c b/arch/arm64/purgatory/purgatory.c > > new file mode 100644 > > index 000000000000..7fcbefa786bc > > --- /dev/null > > +++ b/arch/arm64/purgatory/purgatory.c > > @@ -0,0 +1,20 @@ > > +/* > > + * purgatory: Runs between two kernels > > + * > > + * Copyright (c) 2017 Linaro Limited > > + * Author: AKASHI Takahiro > > + */ > > + > > +#include "sha256.h" > > + > > +void purgatory(void) > > +{ > > + int ret; > > + > > + ret = verify_sha256_digest(); > > + if (ret) { > > + /* loop forever */ > > + for (;;) > > + ; > > + } > > +} > > Surely we can do something slightly better than a busy loop? e.g. > something like the __no_granule_support loop in head.s? Okey. > > diff --git a/arch/arm64/purgatory/sha256-core.S b/arch/arm64/purgatory/sha256-core.S > > new file mode 100644 > > index 000000000000..24f5ce25b61e > > --- /dev/null > > +++ b/arch/arm64/purgatory/sha256-core.S > > @@ -0,0 +1 @@ > > +#include "../crypto/sha256-core.S_shipped" > > diff --git a/arch/arm64/purgatory/sha256.c b/arch/arm64/purgatory/sha256.c > > new file mode 100644 > > index 000000000000..5d20d81767e3 > > --- /dev/null > > +++ b/arch/arm64/purgatory/sha256.c > > @@ -0,0 +1,79 @@ > > +#include > > +#include > > +#include > > + > > +/* > > + * Under KASAN, those are defined as un-instrumented version, __memxxx() > > + */ > > +#undef memcmp > > +#undef memcpy > > +#undef memset > > This doesn't look like the right place for this undeffery; it looks > rather fragile. Yeah, I agree, but if not there, __memxxx() are used. > > diff --git a/arch/arm64/purgatory/string.c b/arch/arm64/purgatory/string.c > > new file mode 100644 > > index 000000000000..33233a210a65 > > --- /dev/null > > +++ b/arch/arm64/purgatory/string.c > > @@ -0,0 +1,32 @@ > > +#include > > + > > +void *memcpy(void *dst, const void *src, size_t len) > > +{ > > + int i; > > + > > + for (i = 0; i < len; i++) > > + ((u8 *)dst)[i] = ((u8 *)src)[i]; > > + > > + return NULL; > > +} > > + > > +void *memset(void *dst, int c, size_t len) > > +{ > > + int i; > > + > > + for (i = 0; i < len; i++) > > + ((u8 *)dst)[i] = (u8)c; > > + > > + return NULL; > > +} > > + > > +int memcmp(const void *src, const void *dst, size_t len) > > +{ > > + int i; > > + > > + for (i = 0; i < len; i++) > > + if (*(char *)src != *(char *)dst) > > + return 1; > > + > > + return 0; > > +} > > How is the compiler prevented from "optimising" these into calls to > themselves? I don't get what you mean by "calls to themselves." Thanks, -Takahiro AKASHI > I suspect these will need to be written in asm. > > Thanks, > Mark.