Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp583252imm; Fri, 27 Jul 2018 02:24:12 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfo2wLmye7KmwQdYvYqiF/Jc3EqgsuSBAmk4pafQn+Nz7sjN6Ij0HhfybZIQKm7t5VaaChy X-Received: by 2002:a63:844:: with SMTP id 65-v6mr5461268pgi.406.1532683452580; Fri, 27 Jul 2018 02:24:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1532683452; cv=none; d=google.com; s=arc-20160816; b=oFaARQ550x4L19+EiJjpOyjV4fYGE7jvLXBXzRrhNyokwi1hsT4gDa8duTGA+xdJtR ejKhRbhJzV9b+murfytxmRnuFXPYIsiiuffFUHaCrp+KP8R4HUuwodVgHMLqscM8BrH4 zdG+nMGcqBaJX1QgdDYvozWNbQKNoURc6xeomVEt2rtxKGpv1Oo2xXGt3XluOFXaYCfG o36mqSKqTFPZPr0m9fi3OxkmP0tTHkSrK3UgfY/9okf8lhZA5ZRDaVqe43ZekGVArALc W6HHvjCQoHW/5OZEGq3UQH07TS0YorCBm0C9iCV6qRf8sviL15Xr4cTRMMvw62lLcn6n gMsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language:in-reply-to:mime-version :user-agent:date:message-id:cc:from:references:to:subject :arc-authentication-results; bh=N8FFi5JHyL2Be8lSld5b9UAEa51Udg5CJxEr9ont9dw=; b=USo6n9Rvn7aK1SkK6ENxrDKhjUPafi9fRw+ScI3GbXycB7kLkOBi/XjpSILz7QNUgX 12j33azZpl1FuyM5eSp7DOAE34htKkfBeb359J5zXZhu7wkiG/wlMj3rJCHAgSBnpQgP K73DtfB+w70v3gtRp+OJUuQYa+AvS6AJGcQMLLn2NnAepJXZ8LtzqLahzxqzQcC7Dz8S LlWRvdYCS5HyKSz+sS3elUpSj8qB03/NKZUL437Ep82vA0uqRdSeO1FMCPuPC2fv1Qx+ m100XMwE/6xxRi8+95bmiRTbONP5nCV/cfpUiQYNbcocKuJr15nF6tM/HLy4tt5Us92x kGHg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d9-v6si3350676pgg.423.2018.07.27.02.23.57; Fri, 27 Jul 2018 02:24:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730376AbeG0Kna (ORCPT + 99 others); Fri, 27 Jul 2018 06:43:30 -0400 Received: from foss.arm.com ([217.140.101.70]:39468 "EHLO foss.arm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729488AbeG0Kn3 (ORCPT ); Fri, 27 Jul 2018 06:43:29 -0400 Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.72.51.249]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 980F515AD; Fri, 27 Jul 2018 02:22:29 -0700 (PDT) Received: from [10.37.8.224] (unknown [10.37.8.224]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 149C13F575; Fri, 27 Jul 2018 02:22:25 -0700 (PDT) Subject: Re: [PATCH v12 16/16] arm64: kexec_file: add kaslr support To: AKASHI Takahiro References: <20180724065759.19186-1-takahiro.akashi@linaro.org> <20180724065759.19186-17-takahiro.akashi@linaro.org> <50b31f17-fc85-aa72-06f5-d3b62060a91f@arm.com> <20180727083104.GI11258@linaro.org> From: James Morse Cc: catalin.marinas@arm.com, will.deacon@arm.com, dhowells@redhat.com, vgoyal@redhat.com, herbert@gondor.apana.org.au, davem@davemloft.net, dyoung@redhat.com, bhe@redhat.com, arnd@arndb.de, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com, ard.biesheuvel@linaro.org, bhsharma@redhat.com, kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Message-ID: <405b6708-4518-d81e-3938-39032c2b487e@arm.com> Date: Fri, 27 Jul 2018 10:22:31 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: <20180727083104.GI11258@linaro.org> Content-Type: multipart/alternative; boundary="------------407CD8C3C2E520A787871B37" Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org This is a multi-part message in MIME format. --------------407CD8C3C2E520A787871B37 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Hi Akashi, On 07/27/2018 09:31 AM, AKASHI Takahiro wrote: > On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote: >> On 24/07/18 07:57, AKASHI Takahiro wrote: >>> Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual >>> address randomization, at secondary kernel boot. >> Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel >> physical placement when booted via the EFIstub, the kernel-text VAs and the >> location of memory in the linear-map region. Adding the kaslr-seed only does the >> last two. > Yes, but I think that I and Mark has agreed that "kaslr" meant > "virtual" randomisation, not including "physical" randomisation. Okay, I'll update my terminology! >> This means the physical placement of the new kernel is predictable from >> /proc/iomem ... but this also tells you the physical placement of the current >> kernel, so I don't think this is a problem. >> >> >>> We always do this as it will have no harm on kaslr-incapable kernel. >>> We don't have any "switch" to turn off this feature directly, but still >>> can suppress it by passing "nokaslr" as a kernel boot argument. >> >>> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c >>> index 7356da5a53d5..47a4fbd0dc34 100644 >>> --- a/arch/arm64/kernel/machine_kexec_file.c >>> +++ b/arch/arm64/kernel/machine_kexec_file.c >>> @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image, >> Don't you need to reserve some space in the area you vmalloc()d for the DT? > No, I don't think so. > All the data to be loaded are temporarily saved in kexec buffers, > which will eventually be copied to target locations in machine_kexec > (arm64_relocate_new_kernel, which, unlike its name, will handle > not only kernel but also other data as well). I think we're speaking at cross purposes. Don't you need: | buf_size += fdt_prop_len("kaslr―seed", sizeof(u64)); You can't assume the existing DTB had a kaslr-seed property, and the difference may take us over a PAGE_SIZE boundary. > >> >>> + /* add kaslr-seed */ >>> + get_random_bytes(&value, sizeof(value)); >> What happens if the crng isn't ready? >> >> It looks like this will print a warning that these random-bytes aren't really up >> to standard, but the new kernel doesn't know this happened. >> >> crng_ready() isn't exposed, all we could do now is >> wait_for_random_bytes(), but that may wait forever because we do this >> unconditionally. >> >> I'd prefer to leave this feature until we can check crng_ready(), and skip >> adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's >> entropy pool. > OK. I would try to follow the same way as Bhupesh's userspace patch > does for kaslr-seed: > http://lists.infradead.org/pipermail/kexec/2018-April/020564.html (I really don't understand this 'copying code from user-space' that happens with kexec_file_load) > if (not found kaslr-seed in 1st kernel's dtb) > don't care; go ahead Don' t bother. As you say in the commit-message its harmless if the new kernel doesn't support it. Always having this would let you use kexec_file_load as a bootloader that can get the crng to provide decent entropy even if the platform bootloader can't. > else > if (current kaslr-seed != 0) > error Don't bother. If this happens its a bug in another part of the kernel that doesn't affect this one. We aren't second-guessing the file-system when we read the kernel-fd, lets keep this simple. > if (crng_ready()) ; FIXME, it's a local macro > get_random_bytes(non-blocking) > set new kaslr-seed > else > error error? Something like pr_warn_once(). I thought the kaslr-seed was added to the entropy pool, but now I look again I see its a separate EFI table. So the new kernel will add the same entropy ... that doesn't sound clever. (I can't see where its zero'd or re-initialised) Thanks, James --------------407CD8C3C2E520A787871B37 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Hi Akashi,


On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:
On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
On 24/07/18 07:57, AKASHI Takahiro wrote:
Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
address randomization, at secondary kernel boot.
Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
physical placement when booted via the EFIstub, the kernel-text VAs and the
location of memory in the linear-map region. Adding the kaslr-seed only does the
last two.
Yes, but I think that I and Mark has agreed that "kaslr" meant
"virtual" randomisation, not including "physical" randomisation.
Okay, I'll update my terminology!


This means the physical placement of the new kernel is predictable from
/proc/iomem ... but this also tells you the physical placement of the current
kernel, so I don't think this is a problem.


We always do this as it will have no harm on kaslr-incapable kernel.

        
We don't have any "switch" to turn off this feature directly, but still
can suppress it by passing "nokaslr" as a kernel boot argument.

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 7356da5a53d5..47a4fbd0dc34 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,
Don't you need to reserve some space in the area you vmalloc()d for the DT?
No, I don't think so.
All the data to be loaded are temporarily saved in kexec buffers,
which will eventually be copied to target locations in machine_kexec
(arm64_relocate_new_kernel, which, unlike its name, will handle
not only kernel but also other data as well).

I think we're speaking at cross purposes. Don't you need:
| buf_size += fdt_prop_len("kaslrseed", sizeof(u64));

You can't assume the existing DTB had a kaslr-seed property, and the difference may take us over a PAGE_SIZE boundary.




+	/* add kaslr-seed */
+	get_random_bytes(&value, sizeof(value));
What happens if the crng isn't ready?

It looks like this will print a warning that these random-bytes aren't really up
to standard, but the new kernel doesn't know this happened.

crng_ready() isn't exposed, all we could do now is
wait_for_random_bytes(), but that may wait forever because we do this
unconditionally.

I'd prefer to leave this feature until we can check crng_ready(), and skip
adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
entropy pool.
OK. I would try to follow the same way as Bhupesh's userspace patch
does for kaslr-seed:
http://lists.infradead.org/pipermail/kexec/2018-April/020564.html

(I really don't understand this 'copying code from user-space' that happens with kexec_file_load)


  if (not found kaslr-seed in 1st kernel's dtb)
     don't care; go ahead

Don' t bother. As you say in the commit-message its harmless if the new kernel doesn't support it.
Always having this would let you use kexec_file_load as a bootloader that can get the crng to
provide decent entropy even if the platform bootloader can't.


  else
     if (current kaslr-seed != 0)
        error

Don't bother. If this happens its a bug in another part of the kernel that doesn't affect this one. We aren't second-guessing the file-system when we read the kernel-fd, lets keep this simple.

     if (crng_ready()) ; FIXME, it's a local macro
        get_random_bytes(non-blocking)
        set new kaslr-seed
     else
        error
error? Something like pr_warn_once().

I thought the kaslr-seed was added to the entropy pool, but now I look again I see its a separate EFI table. So the new kernel will add the same entropy ... that doesn't sound clever. (I can't see where its zero'd or re-initialised)



Thanks,

James
--------------407CD8C3C2E520A787871B37--