Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp3109165ybb; Mon, 6 Apr 2020 02:12:33 -0700 (PDT) X-Google-Smtp-Source: APiQypKUk9FNyuTVNiDSDhL5ApP+alBIEMWbEUJhaUhOFmOcTFg74rLwJ3oS91LUQJPEgwj9WIej X-Received: by 2002:a05:6820:346:: with SMTP id m6mr16782510ooe.22.1586164353568; Mon, 06 Apr 2020 02:12:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586164353; cv=none; d=google.com; s=arc-20160816; b=FKRfTh4LEV0Uy/hbAPIoeScZECDkY9QCBDZTlL47NF7zgkA6GtV+ZcIc/rJbwvhMs+ Wzjxi9f1VdFibw+hbuB3RxZbrlyjvcd4aCmeKE6NOfPAwofVc8IqTZGs8wX3DSr/Wu2s LxUHk/9jgynAIBY5Bwcirm5JNEcki9FGSxqz+PEaWGDHZ+QCSCdeZ3qzo7gTDIi7sHBS qw+8CyXMPwRe7D+w8b4RHTbLVW3FjwnbNxsyvU+X1kDmGzxCgR9HXeNt8akyTmXOyCn/ Stwk9hEYkL42P933Q30xc1nKj71nobVdkgTqH/o0vo2ImbuQ8ttTpe1mYtqF3VKJ3ck1 Ok/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=IEKnLroPOXhZZoEjwk2Sy7qHL1p/3PpX8cAZjySktEg=; b=n+jgpJGXN7veO6tp2UI0vfvdTYS1TlmE/19GGLXfg+09EOaG4cRB9rX5oVvwn/fsqQ RJRP9aLLeQZi5xD594z4BzJQtyN7Q5YXK3+a+5pcqAnqJe67AeWgk3/0+z1XBrIMdZqA xSyCKC6u1olgQDYmmtv3rmYAquYIG1sC7Ica3+P4AyLqOrfqUWJpNbH6Uepa8QtmMJsM oVBHDNdpR0WsC4kUeTaf6aK2ktD07k1p8zqqNB/5J38fjh61s/QVfOdQhCcytz7Cy/lr 2BSUFx5+++d2MLRRns0aSIGjZpCUMw87BIqbuqpVcMmZ2y1W1IhfwmyiHFeUUO2gZ8d0 sNFA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="x9/XnaHx"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m18si7029222otk.29.2020.04.06.02.12.21; Mon, 06 Apr 2020 02:12:33 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b="x9/XnaHx"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726949AbgDFJLe (ORCPT + 99 others); Mon, 6 Apr 2020 05:11:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:57746 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726689AbgDFJLe (ORCPT ); Mon, 6 Apr 2020 05:11:34 -0400 Received: from mail-io1-f47.google.com (mail-io1-f47.google.com [209.85.166.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 8C6E12078A; Mon, 6 Apr 2020 09:11:33 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1586164293; bh=IEKnLroPOXhZZoEjwk2Sy7qHL1p/3PpX8cAZjySktEg=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=x9/XnaHxSYASdAnWEA1KJzzEgemj3vDGBjEXM3ZS/mXiYMEt9DQ0mPtb0MiA+/29Y +kCeLxo9TBIfyZSeU3y51QeFqzPHoFJwv+7AsMuW4PnVgUifoqVMoKIWZOPhq55kOi pVVdq0uKWDmwPU73ZYVXd9jmL6nD/cuzCdeXqVa8= Received: by mail-io1-f47.google.com with SMTP id o3so15016926ioh.2; Mon, 06 Apr 2020 02:11:33 -0700 (PDT) X-Gm-Message-State: AGi0PuapjANHW4VO8VO6oiRiB4Y98aWNUuCGaZXoWBGpkzkewu0xYMuV jkaTDn8/aNZH+I6KsID7rmIvziKT/7zZJSP6ztA= X-Received: by 2002:a6b:f413:: with SMTP id i19mr18808491iog.203.1586164292977; Mon, 06 Apr 2020 02:11:32 -0700 (PDT) MIME-Version: 1.0 References: <20200109150218.16544-1-nivedita@alum.mit.edu> <20200405154245.11972-1-me@prok.pw> <20200405231845.GA3095309@rani.riverdale.lan> <20200406035110.GA3241052@rani.riverdale.lan> <20200406084738.GA2520@zn.tnic> In-Reply-To: <20200406084738.GA2520@zn.tnic> From: Ard Biesheuvel Date: Mon, 6 Apr 2020 11:11:21 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH 1/2] x86/boot/compressed/64: Remove .bss/.pgtable from bzImage To: Borislav Petkov Cc: Arvind Sankar , Sergey Shatunov , hpa@zytor.com, Linux Kernel Mailing List , mingo@redhat.com, Thomas Gleixner , x86@kernel.org, linux-efi , initramfs@vger.kernel.org, Donovan Tremura , Harald Hoyer Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 6 Apr 2020 at 10:47, Borislav Petkov wrote: > > On Mon, Apr 06, 2020 at 09:32:47AM +0200, Ard Biesheuvel wrote: > > The EFI handover protocol strikes again :-( > > > > It seems we did not include any guidance in the documentation in > > Documentation/x86/boot.rst regarding zero-initializing BSS, and come > > to think of it, we don't include any other requirements either, i.e., > > regarding placement wrt section alignment etc. This is a serious bug. > > Even though EFI usually lays out PE/COFF images in files the exact way > > they appear in memory, this is not actually required by the spec. Most > > notably, the virtual size can be smaller than the file size, and the > > loader is expected to zero-initialize the difference as well. > > Is that expectation stated explicitly somewhere? > Yes, it is in the PE/COFF specification. [0] The whole problem is that we are conflating 'loading a PE/COFF image' with 'copying a PE/COFF image into memory', which are not the same thing. It is not just the layout issue, we are running into other problems with things like UEFI secure boot and TPM-based measured boot, where the fact that omitting the standard LoadImage() boot service (which takes care of these things under the hood) means that you now have to do your own checks and measurements. These things are literally all over the place at the moment, shim, GRUB, systemd-boot etc, with no authoritative spec that describes which component should be doing what. > > Since the EFI handover protocol should be considered deprecated at > > this point (and is never going to be supported in upstream GRUB > > either, for instance), I would recommend the systemd-boot developers > > to start looking into deprecating this as well, and switch to the > > ordinary PE/COFF entry point, and use the new initrd callback protocol > > for initrd loading. > > Any pointers to that new initrd callback protocol? > Commit ec93fc371f014a6fb483e3556061ecad4b40735c has the background, but ... > In any case, I'd really appreciate a patch to boot.rst formulating those > requirements so that they're written down and people can find them. > ... I'll look into updating the documentation as well. Note that this stuff is hot off the press, so there may be some issues lurking (like this one) that we hadn't thought of yet. OVMF and u-boot already have implementations of this initrd loading approach. A GRUB version is under discussion. > > On the Linux/x86 side, we should at least add some code to the EFI > > handover protocol entry point to zero initialize BSS, and ensure that > > it is either not needed in other places, or add the code to deal with > > those as well. > > Sounds like a simple fix, if that would fix it. > Actually, it may be sufficient to #define __efistub_global to __section(.data) like we already do for ARM, to ensure that these global flags are always initialized correctly. (I'll wait for Sergey to confirm that the spurious enabling of the PCI DMA protection resulting from this BSS issue is causing the boot regression) [0] https://docs.microsoft.com/en-us/windows/win32/debug/pe-format