Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp693175rwi;
        Thu, 20 Oct 2022 04:14:15 -0700 (PDT)
X-Google-Smtp-Source: AMsMyM5h1r5G9y/sU6paxgZ9M5RIUDV5wvrOK6miM4AaHe1hJ7Tc6bQZTf/hNBbwPZCM1bMGjgVS
X-Received: by 2002:a17:906:9bf4:b0:78d:8893:7f77 with SMTP id de52-20020a1709069bf400b0078d88937f77mr10538293ejc.349.1666264454786;
        Thu, 20 Oct 2022 04:14:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666264454; cv=none;
        d=google.com; s=arc-20160816;
        b=kZxSfsPKhKaoW2L5VIK7ViPfqLJuUgrhU+P0XsHYLDC3yWQSvPtjIJo2v84YJscGmt
         zRKICNdSqUIDqKLM5ULRvLH0h61duZpIE5V5AJwqpQ1vGrMJ0HxaZbObaAdk+d3kavej
         eYB9Iuf1KUYMrqW9ZFatL9uwN+rRKI/Wl8lGCep3SOw4ZqVy13KZDLTgNTunLjf04Y3S
         sS5/9zZAKNJ4vIJq8VzuYW95aVHKcb4dN44Tmphts0T4oxil4k/dQGGctc6HBdPXnVXj
         dAkOwtL0ODS6FolLC3zy+IUk0Gfxam4hZri3HKD0/+OSviip2uNkfqsGV7clrt9uCOG2
         GSLg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:message-id:user-agent
         :references:in-reply-to:subject:cc:to:from:date:mime-version
         :dkim-signature:dkim-filter;
        bh=5nyZu9zbyZQkn1yMUyXsSQkh3IfzDySokwqJAcsKRCg=;
        b=EfFyh5ayukUCe37Z8ZwhTNxG3uu/iBoMmnC4RaFqxVEPgGGFyodjvj6TEU484Sdasf
         qxHc7AFgNIxjGvisoi/htBLe8zYzwOsU6lpIiYwJOeU2OvWBTlbfd9SUuCWZYPoHNorz
         k2F0f/hcDZJdW5ZJG6QhUru0dWmdoNYUhCxoDC/jSbXqbY9XYdIWYaMCE6QdHU8ET675
         s5ixkKWZqi1PQVFHsMbQqgJSiKTgFXPdfgLlmGQnfuvwZHJ6kG9AC/Yh7RbRIP39TyXV
         VPcxM2Z+FeAfOf5JIPJb7p22VETvY1ecxpbqAK/n1RcAyKN9PJNp++7dkSSeG2LGJlJ3
         Lx3w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=f3sXzuOR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id lv10-20020a170906bc8a00b00775326fb2ebsi14593893ejb.665.2022.10.20.04.13.48;
        Thu, 20 Oct 2022 04:14:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ispras.ru header.s=default header.b=f3sXzuOR;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231238AbiJTLFq (ORCPT <rfc822;arvinlake4755@gmail.com>
        + 99 others); Thu, 20 Oct 2022 07:05:46 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48558 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231233AbiJTLFm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 20 Oct 2022 07:05:42 -0400
Received: from mail.ispras.ru (mail.ispras.ru [83.149.199.84])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 28ED011F4BC;
        Thu, 20 Oct 2022 04:05:31 -0700 (PDT)
Received: from mail.ispras.ru (unknown [83.149.199.84])
        by mail.ispras.ru (Postfix) with ESMTPSA id 0A0B040D403D;
        Thu, 20 Oct 2022 11:05:28 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.ispras.ru 0A0B040D403D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ispras.ru;
        s=default; t=1666263928;
        bh=5nyZu9zbyZQkn1yMUyXsSQkh3IfzDySokwqJAcsKRCg=;
        h=Date:From:To:Cc:Subject:In-Reply-To:References:From;
        b=f3sXzuOR1nPhHEECi3o557B2M3QIspwU3OGXzVqGInFdxo605ltEoce4HANMYSMmM
         lT8OCKc1DicmXiXZG7CJVTJAJWpuDWPT1WVtw7hEkliT/UEPK07Txy1JzMIKL0Vo7n
         I/Zow9hRC77Wmwne4UyL4b0oRNg1lInSfI0/5Zqg=
MIME-Version: 1.0
Date:   Thu, 20 Oct 2022 14:05:27 +0300
From:   Evgeniy Baskov <baskov@ispras.ru>
To:     Peter Jones <pjones@redhat.com>
Cc:     Ard Biesheuvel <ardb@kernel.org>, Borislav Petkov <bp@alien8.de>,
        Andy Lutomirski <luto@kernel.org>,
        Dave Hansen <dave.hansen@linux.intel.com>,
        Ingo Molnar <mingo@redhat.com>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Alexey Khoroshilov <khoroshilov@ispras.ru>,
        lvc-project@linuxtesting.org, x86@kernel.org,
        linux-efi@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-hardening@vger.kernel.org
Subject: Re: [PATCH 00/16] x86_64: Improvements at compressed kernel stage
In-Reply-To: <20221018210447.sg3tddaujre6orgc@redhat.com>
References: <cover.1662459668.git.baskov@ispras.ru>
 <20221018210447.sg3tddaujre6orgc@redhat.com>
User-Agent: Roundcube Webmail/1.4.4
Message-ID: <a2aa9cf7f04a33080269ad351e81bafa@ispras.ru>
X-Sender: baskov@ispras.ru
Content-Type: text/plain; charset=US-ASCII;
 format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
        URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2022-10-19 00:04, Peter Jones wrote:
> On Tue, Sep 06, 2022 at 01:41:04PM +0300, Evgeniy Baskov wrote:
>> This patchset is aimed
>> * to improve UEFI compatibility of compressed kernel code for x86_64
>> * to setup proper memory access attributes for code and rodata 
>> sections
>> * to implement W^X protection policy throughout the whole execution
>>   of compressed kernel for EFISTUB code path.
> 
> Hi Evgeniy,
> 
> I've tested this set of patches with the Mu firmware that supports the 
> W^X
> feature and a modified bootloader to also support it, and also with an
> existing firmware and the grub2 build in fedora 36.  On the firmware
> without W^X support, this all works for me.  With W^X support, it works
> so long as I use CONFIG_EFI_STUB_EXTRACT_DIRECT, though I still need
> some changes in grub's loader.  IMO that's a big step forward.
> 
> I can't currently make it work with W^X enabled but without direct
> extraction, and I'm still investigating why not, but I figured I'd give
> you a heads up.

Hi Peter,

Thank you for testing!

Without direct extraction enabled this patch set does not implement 
total W^X
and needs to allocate RWX memory regions, since it should go through 
common
code path that relocates kernel. So if the firmware does not allow 
allocating
RWX regions, it might prevent the kernel from booting, I think. I will 
look
into that problem soon and let you know it I find anything.

Thanks,
Evgeniy Baskov