Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Subject: Re: [PATCH v12 16/16] arm64: kexec_file: add kaslr support
To:     AKASHI Takahiro <takahiro.akashi@linaro.org>
References: <20180724065759.19186-1-takahiro.akashi@linaro.org>
 <20180724065759.19186-17-takahiro.akashi@linaro.org>
 <50b31f17-fc85-aa72-06f5-d3b62060a91f@arm.com>
 <20180727083104.GI11258@linaro.org>
From:   James Morse <james.morse@arm.com>
Cc:     catalin.marinas@arm.com, will.deacon@arm.com, dhowells@redhat.com,
        vgoyal@redhat.com, herbert@gondor.apana.org.au,
        davem@davemloft.net, dyoung@redhat.com, bhe@redhat.com,
        arnd@arndb.de, schwidefsky@de.ibm.com, heiko.carstens@de.ibm.com,
        ard.biesheuvel@linaro.org, bhsharma@redhat.com,
        kexec@lists.infradead.org, linux-arm-kernel@lists.infradead.org,
        linux-kernel@vger.kernel.org
Message-ID: <405b6708-4518-d81e-3938-39032c2b487e@arm.com>
Date:   Fri, 27 Jul 2018 10:22:31 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <20180727083104.GI11258@linaro.org>
Content-Type: multipart/alternative;
 boundary="------------407CD8C3C2E520A787871B37"
Content-Language: en-US
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

This is a multi-part message in MIME format.
--------------407CD8C3C2E520A787871B37
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

Hi Akashi,


On 07/27/2018 09:31 AM, AKASHI Takahiro wrote:
> On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
>> On 24/07/18 07:57, AKASHI Takahiro wrote:
>>> Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
>>> address randomization, at secondary kernel boot.
>> Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
>> physical placement when booted via the EFIstub, the kernel-text VAs and the
>> location of memory in the linear-map region. Adding the kaslr-seed only does the
>> last two.
> Yes, but I think that I and Mark has agreed that "kaslr" meant
> "virtual" randomisation, not including "physical" randomisation.
Okay, I'll update my terminology!


>> This means the physical placement of the new kernel is predictable from
>> /proc/iomem ... but this also tells you the physical placement of the current
>> kernel, so I don't think this is a problem.
>>
>>
>>> We always do this as it will have no harm on kaslr-incapable kernel.
>>> We don't have any "switch" to turn off this feature directly, but still
>>> can suppress it by passing "nokaslr" as a kernel boot argument.
>>
>>> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
>>> index 7356da5a53d5..47a4fbd0dc34 100644
>>> --- a/arch/arm64/kernel/machine_kexec_file.c
>>> +++ b/arch/arm64/kernel/machine_kexec_file.c
>>> @@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,
>> Don't you need to reserve some space in the area you vmalloc()d for the DT?
> No, I don't think so.
> All the data to be loaded are temporarily saved in kexec buffers,
> which will eventually be copied to target locations in machine_kexec
> (arm64_relocate_new_kernel, which, unlike its name, will handle
> not only kernel but also other data as well).

I think we're speaking at cross purposes. Don't you need:

| buf_size += fdt_prop_len("kaslr―seed", sizeof(u64));


You can't assume the existing DTB had a kaslr-seed property, and the 
difference may take us over a PAGE_SIZE boundary.


>
>>
>>> +	/* add kaslr-seed */
>>> +	get_random_bytes(&value, sizeof(value));
>> What happens if the crng isn't ready?
>>
>> It looks like this will print a warning that these random-bytes aren't really up
>> to standard, but the new kernel doesn't know this happened.
>>
>> crng_ready() isn't exposed, all we could do now is
>> wait_for_random_bytes(), but that may wait forever because we do this
>> unconditionally.
>>
>> I'd prefer to leave this feature until we can check crng_ready(), and skip
>> adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
>> entropy pool.
> OK. I would try to follow the same way as Bhupesh's userspace patch
> does for kaslr-seed:
> http://lists.infradead.org/pipermail/kexec/2018-April/020564.html

(I really don't understand this 'copying code from user-space' that 
happens with kexec_file_load)


>    if (not found kaslr-seed in 1st kernel's dtb)
>       don't care; go ahead

Don' t bother. As you say in the commit-message its harmless if the new 
kernel doesn't support it.
Always having this would let you use kexec_file_load as a bootloader 
that can get the crng to
provide decent entropy even if the platform bootloader can't.


>    else
>       if (current kaslr-seed != 0)
>          error

Don't bother. If this happens its a bug in another part of the kernel 
that doesn't affect this one. We aren't second-guessing the file-system 
when we read the kernel-fd, lets keep this simple.

>       if (crng_ready()) ; FIXME, it's a local macro
>          get_random_bytes(non-blocking)
>          set new kaslr-seed
>       else
>          error
error? Something like pr_warn_once().

I thought the kaslr-seed was added to the entropy pool, but now I look 
again I see its a separate EFI table. So the new kernel will add the 
same entropy ... that doesn't sound clever. (I can't see where its 
zero'd or re-initialised)


Thanks,

James

--------------407CD8C3C2E520A787871B37
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 8bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <p>Hi Akashi,<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 07/27/2018 09:31 AM, AKASHI Takahiro
      wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">On Thu, Jul 26, 2018 at 02:40:49PM +0100, James Morse wrote:
</pre>
      <blockquote type="cite">
        <pre wrap="">On 24/07/18 07:57, AKASHI Takahiro wrote:
</pre>
        <blockquote type="cite">
          <pre wrap="">Adding "kaslr-seed" to dtb enables triggering kaslr, or kernel virtual
address randomization, at secondary kernel boot.
</pre>
        </blockquote>
        <pre wrap="">
Hmm, there are three things that get moved by CONFIG_RANDOMIZE_BASE. The kernel
physical placement when booted via the EFIstub, the kernel-text VAs and the
location of memory in the linear-map region. Adding the kaslr-seed only does the
last two.
</pre>
      </blockquote>
      <pre wrap="">
Yes, but I think that I and Mark has agreed that "kaslr" meant
"virtual" randomisation, not including "physical" randomisation.</pre>
    </blockquote>
    Okay, I'll update my terminology!<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <blockquote type="cite">
        <pre wrap="">This means the physical placement of the new kernel is predictable from
/proc/iomem ... but this also tells you the physical placement of the current
kernel, so I don't think this is a problem.


</pre>
        <blockquote type="cite">
          <pre wrap="">We always do this as it will have no harm on kaslr-incapable kernel.
</pre>
        </blockquote>
        <pre wrap="">
</pre>
        <blockquote type="cite">
          <pre wrap="">We don't have any "switch" to turn off this feature directly, but still
can suppress it by passing "nokaslr" as a kernel boot argument.
</pre>
        </blockquote>
        <pre wrap="">

</pre>
        <blockquote type="cite">
          <pre wrap="">diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 7356da5a53d5..47a4fbd0dc34 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -158,6 +160,12 @@ static int setup_dtb(struct kimage *image,
</pre>
        </blockquote>
        <pre wrap="">
Don't you need to reserve some space in the area you vmalloc()d for the DT?
</pre>
      </blockquote>
      <pre wrap="">
No, I don't think so.
All the data to be loaded are temporarily saved in kexec buffers,
which will eventually be copied to target locations in machine_kexec
(arm64_relocate_new_kernel, which, unlike its name, will handle
not only kernel but also other data as well).</pre>
    </blockquote>
    <br>
    I think we're speaking at cross purposes. Don't you need:<br>
    <pre wrap="">| buf_size += fdt_prop_len("kaslr<span class="ILfuVd yZ8quc">―</span>seed", sizeof(u64));</pre>
    <br>
    You can't assume the existing DTB had a kaslr-seed property, and the
    difference may take us over a PAGE_SIZE boundary.<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org"><br>
      <blockquote type="cite"><br>
        <blockquote type="cite">
          <pre wrap="">+	/* add kaslr-seed */
+	get_random_bytes(&amp;value, sizeof(value));
</pre>
        </blockquote>
        <pre wrap="">
What happens if the crng isn't ready?

It looks like this will print a warning that these random-bytes aren't really up
to standard, but the new kernel doesn't know this happened.

crng_ready() isn't exposed, all we could do now is
wait_for_random_bytes(), but that may wait forever because we do this
unconditionally.

I'd prefer to leave this feature until we can check crng_ready(), and skip
adding a dodgy-seed if its not-ready. This avoids polluting the next-kernel's
entropy pool.
</pre>
      </blockquote>
      <pre wrap="">
OK. I would try to follow the same way as Bhupesh's userspace patch
does for kaslr-seed:
<a class="moz-txt-link-freetext" href="http://lists.infradead.org/pipermail/kexec/2018-April/020564.html">http://lists.infradead.org/pipermail/kexec/2018-April/020564.html</a></pre>
    </blockquote>
    <br>
    (I really don't understand this 'copying code from user-space' that
    happens with kexec_file_load)<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">  if (not found kaslr-seed in 1st kernel's dtb)
     don't care; go ahead</pre>
    </blockquote>
    <br>
    Don' t bother. As you say in the commit-message its harmless if the
    new kernel doesn't support it.<br>
    Always having this would let you use kexec_file_load as a bootloader
    that can get the crng to<br>
    provide decent entropy even if the platform bootloader can't.<br>
    <br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">  else
     if (current kaslr-seed != 0)
        error</pre>
    </blockquote>
    <br>
    Don't bother. If this happens its a bug in another part of the
    kernel that doesn't affect this one. We aren't second-guessing the
    file-system when we read the kernel-fd, lets keep this simple.<br>
    <br>
    <blockquote type="cite" cite="mid:20180727083104.GI11258@linaro.org">
      <pre wrap="">     if (crng_ready()) ; FIXME, it's a local macro
        get_random_bytes(non-blocking)
        set new kaslr-seed
     else
        error</pre>
    </blockquote>
    error? Something like pr_warn_once().<br>
    <br>
    I thought the kaslr-seed was added to the entropy pool, but now I
    look again I see its a separate EFI table. So the new kernel will
    add the same entropy ... that doesn't sound clever. (I can't see
    where its zero'd or re-initialised)<br>
    <br>
    <br>
    <br>
    Thanks,<br>
    <br>
    James<br>
  </body>
</html>

--------------407CD8C3C2E520A787871B37--