[PATCH 0/4] Add support for kexec_file_load

Eric Richter erichte at linux.vnet.ibm.com
Fri Mar 31 06:00:29 AEDT 2017



On 03/28/2017 07:51 PM, Samuel Mendoza-Jonas wrote:
> On Fri, 2017-03-24 at 13:40 -0500, Eric Richter wrote:
>> On 03/23/2017 09:17 PM, Samuel Mendoza-Jonas wrote:
>>> On Thu, 2017-03-23 at 11:46 -0500, Eric Richter wrote:
>>>> Secure and trusted boot on POWER relies on the use of kexec_file_load over
>>>> kexec_load, for uses such as kernel/initrd signature verification and
>>>> measurement[1]. This patch set defines a new configuration option for toggling
>>>> which syscall is used, or more specifically, which parameter is passed to
>>>> kexec-{tools,lite}[2].
>>>>
>>>> The default state of this option is to use the regular kexec_load, unless
>>>> otherwise enabled. On POWER, the state of this option is preserved via
>>>> the nvram key "petitboot,fileload?", which can be set ahead of time to avoid
>>>> traversing through menus at boot time.
>>>>
>>>> Thanks,
>>>> Eric Richter
>>>
>>> Hi Eric, thanks for the patches!
>>>
>>>>
>>>>
>>>> [1] The kexec_file_load syscall was included in Linux 4.10
>>>
>>> Ah great, I missed this getting merged.
>>>
>>>>
>>>> [2] Kexec-tools uses -s for kexec_file_load. Neither upstream -tools nor -lite
>>>> implement this for POWER, though I have an open pull request for the latter here:
>>>> https://github.com/antonblanchard/kexec-lite/pull/5
>>>
>>> This makes more sense for later when more of the security process is
>>> firmed up, but would it be worth adding a configure-time option to
>>> specify if kexec_file_load() is supported by the available kexec-
>>> {tools,lite}? Otherwise as long as we can return a useful error to the UI
>>> if it is chosen but isn't available that should be fine.
>>
>> At the moment, if you enable the option on an unsupported kernel, it
>> gives the "kexec failed" error on selecting a target. Ideally, this
>> should probably be a little more specific and differentiate between the
>> "syscall not supported" and "kexec_file_load actually failed" cases.
>>
>> Though, checking for support in kexec-{tools,lite} should be easy at
>> configure time by parsing the -h output and looking for the -s option.
>> This could be used to hide the option in the menu, and prevent it from
>> being toggled in the first place.
>
> This would be best, but probably isn't going to be an option if our build
> system is cross-compiling (eg. buildroot). Unfortunately (especially with
> kexec-lite) that's probably our only way of dynamically figuring out if
> we have file_load support.
>
>>
>> Ultimately, I considered this when I first submitted the patches as an
>> RFC, but there's multiple ways this could be handled. If you have a
>> preference, I'll gladly implement either :)
>
> I reckon we just go with a simple --enable-secure-kexec (or other name)
> and leave ensuring kexec has support to the (building) user, especially
> since if you're enabling secure-boot in this part of the stack you should
> be doing it in everything prior as well :)
>

I agree, this probably would be the best solution. I suspect in the 
op-build case this could be toggled by a higher level "enable secure 
boot support" option that would enable this flag in the Petitboot 
package build.

I just sent out a v2 of the patches that include your other suggestions. 
I'll look into the compile-time option shortly, would you prefer that in 
a v3 set, or as its own patch?

>>
>>>
>>>>
>>>>
>>>> Eric Richter (4):
>>>>   lib: Add system config option to enable kexec_file_load
>>>>   boot/pb-discover: Use kexec_method config option to determine kexec
>>>>     syscall
>>>>   ui/ncurses: Add system config checkbox to enable kexec_file load
>>>>   petitboot-powerpc: persist kexec_method option via nvram
>>>>
>>>>  discover/boot.c               |  4 +++-
>>>>  discover/boot.h               |  1 +
>>>>  discover/platform-powerpc.c   |  9 +++++++++
>>>>  lib/pb-protocol/pb-protocol.c |  9 +++++++++
>>>>  lib/types/types.h             |  2 ++
>>>>  ui/ncurses/nc-config.c        | 24 +++++++++++++++++++++++-
>>>>  6 files changed, 47 insertions(+), 2 deletions(-)
>>>>
>>
>>
>
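The configure-time probe discussed in the thread (parsing the `-h` output of kexec-{tools,lite} for the `-s` option), written out as an added example; it is not Petitboot's or kexec-tools' code, and the two stub "kexec" binaries it creates are constructed stand-ins whose help text only imitates the real usage output. The option name `--kexec-file-syscall` is the one kexec-tools pairs with `-s`; everything else here is an assumption for illustration:

```shell
#!/bin/sh
# Added example (not Petitboot code): a native-build configure probe that asks
# the installed kexec binary whether it advertises -s (kexec_file_load).

# Does the given kexec binary list a bare "-s" option in its help text?
# Returns 0 if so, 1 otherwise (including when the binary is missing).
kexec_has_file_load() {
    kexec_bin="$1"
    [ -x "$kexec_bin" ] || return 1
    # Some builds print usage to stderr, so merge both streams before grepping.
    # Match "-s" only as a standalone option token (" -s," or " -s "), so that
    # long options such as --kexec-file-syscall or --initrd do not count.
    "$kexec_bin" -h 2>&1 | grep -Eq -- '(^|[[:space:]])-s([[:space:],]|$)'
}

# Map the probe result onto a configure-style flag for the build system.
# Echoes "yes" or "no"; the variable name PB_KEXEC_FILE_LOAD is an assumption.
kexec_file_load_flag() {
    if kexec_has_file_load "$1"; then
        echo "PB_KEXEC_FILE_LOAD=yes"
    else
        echo "PB_KEXEC_FILE_LOAD=no"
    fi
}

# Create a throw-away stub "kexec" that prints the given (constructed) help text.
make_stub() {
    stub="$1"; help_text="$2"
    printf '#!/bin/sh\ncat <<"EOF"\n%s\nEOF\n' "$help_text" > "$stub"
    chmod +x "$stub"
}

# Exercise the probe against one stub that knows -s and one that does not.
# Returns 0 when both are classified correctly.
demo() {
    tmp=$(mktemp -d) || return 1
    make_stub "$tmp/kexec-with-s" 'kexec [OPTIONS]
 -l, --load                Load the new kernel into the current kernel
 -e, --exec                Execute a currently loaded kernel
 -s, --kexec-file-syscall  Use file based syscall for kexec operation'
    make_stub "$tmp/kexec-without-s" 'kexec [OPTIONS]
 -l, --load                Load the new kernel into the current kernel
 -e, --exec                Execute a currently loaded kernel
 --initrd=FILE             Use FILE as the initial ramdisk'
    rc=1
    if kexec_has_file_load "$tmp/kexec-with-s" &&
       ! kexec_has_file_load "$tmp/kexec-without-s"; then
        rc=0
    fi
    kexec_file_load_flag "$tmp/kexec-with-s"
    kexec_file_load_flag "$tmp/kexec-without-s"
    rm -rf "$tmp"
    return $rc
}

demo
```

Two caveats follow directly from the thread. The probe executes the target binary, so it only works for native builds; under a cross-compiling build system such as buildroot the host cannot run the target's kexec, which is why an explicit `--enable-...` option left to the building user was preferred. And a `-s` in the help text only shows that the userspace tool can issue kexec_file_load; whether the running kernel implements the syscall (Linux 4.10 or later) is a separate question that still has to be surfaced as a distinct error at boot time.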


