
[PATCH 0/3] kexec: refactor CONFIG_KEXEC/CONFIG_KEXEC_FILE Kconfig


dyo...@redhat.com

Jul 12, 2015, 10:40:05 PM
Previously Theodore Ts'o brought up an issue about the kexec_load syscall bypassing
signature verification:
https://lkml.org/lkml/2015/6/14/280

We have two kexec load syscalls, kexec_load and kexec_file_load. The latter
was introduced by Vivek Goyal, mainly to support UEFI secure boot.
kexec_file_load verifies the kernel signature, but even with
CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools can still use
the old syscall and bypass signature verification.

KEXEC_FILE can also be used without UEFI, so kexec can always verify the kernel
signature for security purposes.

The suggestion in the above thread is to add a new Kconfig option for the kexec
common code. Here I use KEXEC_CORE; KEXEC and KEXEC_FILE select KEXEC_CORE, so
one can compile only KEXEC_FILE without the old kexec_load syscall.

There are checkpatch warnings and errors; I would like to send further cleanup
patches after this series. Please let me know if you have other suggestions.
The checkpatch errors are for cases such as assigning a value to static variables.

PATCH 3/3 can be sorted out from the series if people do not like it. It is a
cleanup for a macro.

Below is the diffstat of the patches:
---
arch/arm/Kconfig | 4
arch/ia64/Kconfig | 4
arch/m68k/Kconfig | 4
arch/mips/Kconfig | 4
arch/powerpc/Kconfig | 4
arch/sh/Kconfig | 4
arch/tile/Kconfig | 4
arch/x86/Kconfig | 6
arch/x86/boot/header.S | 2
arch/x86/include/asm/kdebug.h | 5
arch/x86/kernel/Makefile | 4
arch/x86/kernel/kvmclock.c | 4
arch/x86/kernel/reboot.c | 4
arch/x86/kernel/setup.c | 2
arch/x86/kernel/vmlinux.lds.S | 2
arch/x86/kvm/vmx.c | 8
arch/x86/platform/efi/efi.c | 4
arch/x86/platform/uv/uv_nmi.c | 6
drivers/firmware/efi/Kconfig | 2
drivers/pci/pci-driver.c | 2
include/linux/kexec.h | 12
init/initramfs.c | 4
kernel/Makefile | 2
kernel/events/core.c | 2
kernel/kexec.c | 2633 ------------------------------------------
kernel/kexec_core.c | 1594 +++++++++++++++++++++++++
kernel/kexec_file.c | 1044 ++++++++++++++++
kernel/kexec_internal.h | 22
kernel/ksysfs.c | 6
kernel/printk/printk.c | 2
kernel/reboot.c | 2
kernel/sysctl.c | 2
32 files changed, 2745 insertions(+), 2659 deletions(-)

Thanks
Dave

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
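
As an added illustration of the configuration problem the cover letter above describes (not part of the original post or of the patch series), this Python sketch classifies a kernel `.config` by which kexec load syscalls it builds in. The sample configs and the result labels are constructed for the example; `KEXEC_CORE` is the symbol the series proposes.

```python
import re

SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_config(text):
    """Map each CONFIG_ symbol in a kernel .config to its value ('n' if unset)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_RE.match(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
        else:
            m = UNSET_RE.match(line)
            if m:
                opts[m.group(1)] = "n"
    return opts

def audit_kexec(text):
    """Classify which kexec load paths a kernel built from this .config exposes."""
    opts = parse_config(text)
    legacy = opts.get("KEXEC") == "y"             # kexec_load(2), no signature check
    file_based = opts.get("KEXEC_FILE") == "y"    # kexec_file_load(2)
    verify = opts.get("KEXEC_VERIFY_SIG") == "y"  # signature check in the file path
    if not (legacy or file_based):
        return "no-kexec"
    if legacy:
        # The old syscall is compiled in, so signature checking can be sidestepped
        # even when it is enabled for kexec_file_load.
        return "bypassable" if (file_based and verify) else "unverified"
    return "verified-only" if verify else "unverified"

# Constructed sample configs (not taken from any real build).
BOTH_SYSCALLS = """\
CONFIG_KEXEC_CORE=y
CONFIG_KEXEC=y
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_VERIFY_SIG=y
"""
FILE_ONLY = """\
CONFIG_KEXEC_CORE=y
# CONFIG_KEXEC is not set
CONFIG_KEXEC_FILE=y
CONFIG_KEXEC_VERIFY_SIG=y
"""

if __name__ == "__main__":
    for name, cfg in (("both syscalls", BOTH_SYSCALLS), ("file only", FILE_ONLY)):
        print(f"{name}: {audit_kexec(cfg)}")
```

Only the `verified-only` result means every kexec load on that kernel goes through the signature check; it corresponds to the KEXEC_FILE-only build the cover letter says the series makes possible.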

dyo...@redhat.com

Jul 12, 2015, 10:40:05 PM
0003-kexec-x86-kdebug-h-drop-useless-macro.patch

dyo...@redhat.com

Jul 12, 2015, 10:40:05 PM
0001-kexec-split-kexec_file-syscall-code-to-kexec_file.c.patch

dyo...@redhat.com

Jul 12, 2015, 10:40:06 PM
0002-kexec-split-kexec_load-syscall-from-kexec-core-code.patch

Geert Uytterhoeven

Jul 13, 2015, 5:00:07 AM
On Mon, Jul 13, 2015 at 4:13 AM, <dyo...@redhat.com> wrote:
> Because there's general code need CONFIG_KEXEC_CORE, so I updated all the
> architecture Kconfig with a new option KEXEC_CORE, and let KEXEC selects
> KEXEC_CORE in arch Kconfig. Also updated general kernel code with
> to kexec_load syscall.
>
> Signed-off-by: Dave Young <dyo...@redhat.com>
> ---
> arch/arm/Kconfig | 4 +
> arch/ia64/Kconfig | 4 +
> arch/m68k/Kconfig | 4 +
> arch/mips/Kconfig | 4 +
> arch/powerpc/Kconfig | 4 +
> arch/sh/Kconfig | 4 +
> arch/tile/Kconfig | 4 +
> arch/x86/Kconfig | 6 +-
> arch/x86/boot/header.S | 2 +-
> arch/x86/include/asm/kdebug.h | 2 +-
> arch/x86/kernel/Makefile | 4 +-
> arch/x86/kernel/kvmclock.c | 4 +-
> arch/x86/kernel/reboot.c | 4 +-
> arch/x86/kernel/setup.c | 2 +-
> arch/x86/kernel/vmlinux.lds.S | 2 +-
> arch/x86/kvm/vmx.c | 8 +-
> arch/x86/platform/efi/efi.c | 4 +-
> arch/x86/platform/uv/uv_nmi.c | 6 +-
> drivers/firmware/efi/Kconfig | 2 +-
> drivers/pci/pci-driver.c | 2 +-
> include/linux/kexec.h | 12 +-
> init/initramfs.c | 4 +-
> kernel/Makefile | 1 +
> kernel/events/core.c | 2 +-
> kernel/kexec.c | 1578 +---------------------------------------
> kernel/kexec_core.c | 1594 +++++++++++++++++++++++++++++++++++++++++
> kernel/ksysfs.c | 6 +-
> kernel/printk/printk.c | 2 +-
> kernel/reboot.c | 2 +-
> kernel/sysctl.c | 2 +-
> 30 files changed, 1668 insertions(+), 1611 deletions(-)
> create mode 100644 kernel/kexec_core.c
>
> diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
> index 1c50210..20c48b3 100644
> --- a/arch/arm/Kconfig
> +++ b/arch/arm/Kconfig
> @@ -2001,10 +2001,14 @@ config XIP_PHYS_ADDR
> be linked for and stored to. This address is dependent on your
> own flash usage.
>
> +config KEXEC_CORE
> + bool
> +
> config KEXEC
> bool "Kexec system call (EXPERIMENTAL)"
> depends on (!SMP || PM_SLEEP_SMP)
> depends on !CPU_V7M
> + select KEXEC_CORE
> help
> kexec is a system call that implements the ability to shutdown your
> current kernel, and to start another kernel. It is like a reboot
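
Review bot: The `config KEXEC_CORE` entry added at the top of this hunk is a prompt-less `bool` with no comment saying what it gates or which symbols select it, and the diffstat shows the same four added lines in each of the arm, ia64, m68k, mips, powerpc, sh and tile Kconfig files. Consider defining the symbol once in a common Kconfig file with a one-line comment (selected by KEXEC and KEXEC_FILE, builds the shared kexec code), so that each architecture only carries the `select KEXEC_CORE` line. The diffstat also lists no arch/s390 file, so any kexec-capable architecture outside that list still needs the same `select`.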

As this KEXEC_CORE is appearing in all arch/*/Kconfig files, I think it's
time to add an ARCH_HAS_KEXEC symbol (to a common Kconfig file),
and let arch/*/Kconfig select that if the architecture has kexec support.

Then KEXEC and KEXEC_CORE can live in the common Kconfig file,
without the need to duplicate it.

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- ge...@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds

Dave Young

Jul 14, 2015, 4:50:06 AM
Hi, Geert

Sorry for the late reply, I'm occupied by other things.
I'm not sure I understand your idea well, do you mean like
in arch/Kconfig add ARCH_HAS_KEXEC which depends on KEXEC_CORE?

How about simply moving the below chunk to arch/Kconfig instead of introducing
another ARCH_HAS_KEXEC:
config KEXEC_CORE
        bool


BTW, I found I missed one arch, s390; I need to update the patches
and resend.

Thanks
Dave

Geert Uytterhoeven

Jul 14, 2015, 5:00:06 AM
Hi Dave,
No, ARCH_HAS_KEXEC and all other KEXEC config options in arch/Kconfig.
All other KEXEC config options should depend on ARCH_HAS_KEXEC,
which can be selected by architectures that support kexec.

> How about simply move below chunk to arch/Kconfig instead of introducing
> another ARCH_HAS_KEXEC:
> config KEXEC_CORE
> bool

Not all architectures support kexec, hence my proposed dependency on
ARCH_HAS_KEXEC.

Gr{oetje,eeting}s,

Geert


Geert Uytterhoeven

Jul 14, 2015, 5:20:06 AM
Hi Dave,
> So it will be like below? problem is KEXEC_FILE is x86 only now, how
> to handle it then?
>
> arch/Kconfig:
> config ARCH_HAS_KEXEC
> ...
> config KEXEC_CORE
> ...
> config KEXEC

depends on ARCH_HAS_KEXEC

> ...
> config KEXEC_FILE

depends on ARCH_HAS_KEXEC

> ...
>
> arch/arm/Kconfig:
> select ARCH_HAS_KEXEC

Right, that's the idea.

(Minor nit: ARM has dependencies for kexec, so it should be
"select ARCH_HAS_KEXEC if (!SMP || PM_SLEEP_SMP) && !CPU_V7M")

>> > How about simply move below chunk to arch/Kconfig instead of introducing
>> > another ARCH_HAS_KEXEC:
>> > config KEXEC_CORE
>> > bool
>>
>> Not all architectures support kexec, hence my proposed dependency on
>> ARCH_HAS_KEXEC.
>
> KEXEC_CORE is not visible in menuconfig, it is selected by KEXEC and KEXEC_FILE
> so move it in arch/Kconfig is ok?

Yes.

Thanks!

Dave Young

Jul 14, 2015, 5:20:06 AM
On 07/14/15 at 10:50am, Geert Uytterhoeven wrote:
So it will be like below? problem is KEXEC_FILE is x86 only now, how
to handle it then?

arch/Kconfig:
config ARCH_HAS_KEXEC
...
config KEXEC_CORE
...
config KEXEC
...
config KEXEC_FILE
...

arch/arm/Kconfig:
select ARCH_HAS_KEXEC
>
> > How about simply move below chunk to arch/Kconfig instead of introducing
> > another ARCH_HAS_KEXEC:
> > config KEXEC_CORE
> > bool
>
> Not all architectures support kexec, hence my proposed dependency on
> ARCH_HAS_KEXEC.

KEXEC_CORE is not visible in menuconfig, it is selected by KEXEC and KEXEC_FILE
so move it in arch/Kconfig is ok?

>

Dave Young

Jul 14, 2015, 5:30:06 AM
Hi, Geert
But only x86 has KEXEC_FILE, if we make this change one will see KEXEC_FILE
on arches other than x86..

>
> > ...
> >
> > arch/arm/Kconfig:
> > select ARCH_HAS_KEXEC
>
> Right, that's the idea.
>
> (Minor nit: ARM has dependencies for kexec, so it should be
> "select ARCH_HAS_KEXEC if (!SMP || PM_SLEEP_SMP) && !CPU_V7M")
>
> >> > How about simply move below chunk to arch/Kconfig instead of introducing
> >> > another ARCH_HAS_KEXEC:
> >> > config KEXEC_CORE
> >> > bool
> >>
> >> Not all architectures support kexec, hence my proposed dependency on
> >> ARCH_HAS_KEXEC.
> >
> > KEXEC_CORE is not visible in menuconfig, it is selected by KEXEC and KEXEC_FILE
> > so move it in arch/Kconfig is ok?
>
> Yes.

I mean, how about only moving KEXEC_CORE to the general Kconfig, but not introducing
ARCH_HAS_KEXEC..

Thanks
Dave

Geert Uytterhoeven

Jul 14, 2015, 5:50:09 AM
Hi Dave,
Is there any technical reason why it's limited to x86?
Else we may need ARCH_HAS_KEXEC_FILE, too :-(

Gr{oetje,eeting}s,

Geert


Dave Young

Jul 14, 2015, 9:40:05 PM
Hi, Geert
It was implemented for UEFI secure boot, until now only done in x86. Of course it
is also doable for other architectures even if there's no secure boot. Basically
one needs to port the userspace code in kexec-tools to kernel space, and also needs code
to verify the kernel signature.

> Else we may need ARCH_HAS_KEXEC_FILE, too :-(

Hmm, I'm not sure it will have much benefit now to add two ARCH_HAS options.
I would prefer the current solution, but I can move KEXEC_CORE to arch/Kconfig.

Thanks
Dave

Dave Young

Jul 15, 2015, 5:20:09 AM
On 07/13/15 at 10:13am, Dave Young wrote:
> Previously Theodore Ts'o brought up an issue about kexec_load syscall bypassing
> signature verification:
> https://lkml.org/lkml/2015/6/14/280
>
> Because we have two kexec load syscall, one kexec_load, another kexec_file_load,
> the latter one was introduced by Vivek Goyal, it is mainly for supporting UEFI
> secure boot. kexec_file_load verifies kernel signature, but even if with
> CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools still can use
> old syscall and bypass signature verification.
>
> KEXEC_FILE can also be used without UEFI, so kexec can always verify kernel
> signature for security purpose.
>
> The suggestion in above thread is add a new Kconfig option for kexec common
> code, here I use KEXEC_CORE, KEXEC and KEXEC_FILE select KEXEC_CORE so one can
> compile only KEXEC_FILE without old kexec_load syscall.
>
> There's checkpatch warnings and errors, I would like to send further cleanup
> patches after this series. Please let me know if you have other suggestions.
> checkpatch errors are for cases such as assign a value to static variables.
>
> PATCH 3/3 can be sort out from the series if people do not like. It is a
> cleanup for a macro.

Since it is not related to the Kconfig cleanup, I will drop it in the
next update and send it out as a standalone patch later.

Also there's a kexec-tools patch needed for testing KEXEC_FILE only. I forgot
to mention it; I will include it in the cover letter when I repost:

---
kexec/crashdump-elf.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)

--- kexec-tools.orig/kexec/crashdump-elf.c
+++ kexec-tools/kexec/crashdump-elf.c
@@ -145,11 +145,12 @@ int FUNC(struct kexec_info *info,

count_cpu = nr_cpus;
for (i = 0; count_cpu > 0; i++) {
- if (get_note_info(i, &notes_addr, &notes_len) < 0) {
- /* This cpu is not present. Skip it. */
- continue;
- }
+ int ret;
+
+ ret = get_note_info(i, &notes_addr, &notes_len);
count_cpu--;
+ if (ret < 0) /* This cpu is not present. Skip it. */
+ continue;

phdr = (PHDR *) bufp;
bufp += sizeof(PHDR);
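
Review bot: With `count_cpu--` placed before the `ret < 0` check, the loop stops after index `nr_cpus - 1` regardless of how many CPUs were found, so with sparse CPU numbering a present CPU whose index is at or above `nr_cpus` would no longer get a program header. The old form decremented only on success, which kept `i` unbounded when `get_note_info()` failed for every index; the new form trades that for treating `nr_cpus` as an upper bound on the index. Please say in the changelog which meaning `nr_cpus` has here, or bound `i` by the highest possible CPU index while still decrementing `count_cpu` only on success. The inline patch also carries no changelog text or Signed-off-by.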

Dave Young

Jul 15, 2015, 5:40:06 AM
On 07/15/15 at 05:16pm, Dave Young wrote:
> On 07/13/15 at 10:13am, Dave Young wrote:
> > Previously Theodore Ts'o brought up an issue about kexec_load syscall bypassing
> > signature verification:
> > https://lkml.org/lkml/2015/6/14/280
> >
> > Because we have two kexec load syscall, one kexec_load, another kexec_file_load,
> > the latter one was introduced by Vivek Goyal, it is mainly for supporting UEFI
> > secure boot. kexec_file_load verifies kernel signature, but even if with
> > CONFIG_KEXEC_VERIFY_SIG=y and CONFIG_KEXEC_FILE=y, kexec-tools still can use
> > old syscall and bypass signature verification.
> >
> > KEXEC_FILE can also be used without UEFI, so kexec can always verify kernel
> > signature for security purpose.
> >
> > The suggestion in above thread is add a new Kconfig option for kexec common
> > code, here I use KEXEC_CORE, KEXEC and KEXEC_FILE select KEXEC_CORE so one can
> > compile only KEXEC_FILE without old kexec_load syscall.
> >
> > There's checkpatch warnings and errors, I would like to send further cleanup
> > patches after this series. Please let me know if you have other suggestions.
> > checkpatch errors are for cases such as assign a value to static variables.
> >
> > PATCH 3/3 can be sort out from the series if people do not like. It is a
> > cleanup for a macro.
>
> Since it is not related to the Kconfig cleanup thus I will drop it in
> next update, will send out as a standalone patch later.
>
> Also there's a kexec-tools patch needed for testing KEXEC_FILE only, I forgot
> to mention, will take it in cover letter when I repost:

BTW, it is the case below:
kernel: CONFIG_KEXEC_FILE only,
kexec-tools: do not use the '-s' option. It should check kexec_load(2) earlier
and fail out, but the code below is still a fix to a code problem.

kexec -s -p works OK without the fix.

>
> ---
> kexec/crashdump-elf.c | 9 +++++----
> 1 file changed, 5 insertions(+), 4 deletions(-)
>
> --- kexec-tools.orig/kexec/crashdump-elf.c
> +++ kexec-tools/kexec/crashdump-elf.c
> @@ -145,11 +145,12 @@ int FUNC(struct kexec_info *info,
>
> count_cpu = nr_cpus;
> for (i = 0; count_cpu > 0; i++) {
> - if (get_note_info(i, &notes_addr, &notes_len) < 0) {
> - /* This cpu is not present. Skip it. */
> - continue;
> - }
> + int ret;
> +
> + ret = get_note_info(i, &notes_addr, &notes_len);
> count_cpu--;
> + if (ret < 0) /* This cpu is not present. Skip it. */
> + continue;
>
> phdr = (PHDR *) bufp;
> bufp += sizeof(PHDR);
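
Review bot: On the `ret < 0` path the loop only does `continue`, so if `get_note_info()` fails for every index the function carries on with no per-CPU header written, and nothing in these lines reports it. Counting the successful calls and returning an error when that count is zero would make the failure visible here instead of relying on an earlier kexec_load(2) check.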
>
> Thanks
> Dave
>
> _______________________________________________
> kexec mailing list
> ke...@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/kexec