[PATCH 0/4] Add support for kexec_file_load

Samuel Mendoza-Jonas sam at mendozajonas.com
Fri Mar 31 13:41:13 AEDT 2017


On Thu, 2017-03-30 at 14:00 -0500, Eric Richter wrote:
> 
> On 03/28/2017 07:51 PM, Samuel Mendoza-Jonas wrote:
> > On Fri, 2017-03-24 at 13:40 -0500, Eric Richter wrote:
> > > On 03/23/2017 09:17 PM, Samuel Mendoza-Jonas wrote:
> > > > On Thu, 2017-03-23 at 11:46 -0500, Eric Richter wrote:
> > > > > Secure and trusted boot on POWER relies on the use of kexec_file_load over
> > > > > kexec_load, for uses such as kernel/initrd signature verification and
> > > > > measurement[1]. This patch set defines a new configuration option for toggling
> > > > > which syscall is used, or more specifically, which parameter is passed to
> > > > > kexec-{tools,lite}[2].
> > > > > 
> > > > > The default state of this option is to use the regular kexec_load, unless
> > > > > otherwise enabled. On POWER, the state of this option is preserved via
> > > > > the nvram key "petitboot,fileload?", which can be set ahead of time to avoid
> > > > > traversing through menus at boot time.
> > > > > 
> > > > > Thanks,
> > > > > Eric Richter
> > > > 
> > > > Hi Eric, thanks for the patches!
> > > > 
> > > > > 
> > > > > 
> > > > > [1] The kexec_file_load syscall was included in Linux 4.10
> > > > 
> > > > Ah great, I missed this getting merged.
> > > > 
> > > > > 
> > > > > [2] Kexec-tools uses -s for kexec_file_load. Neither upstream -tools nor -lite
> > > > > implement this for POWER, though I have an open pull request for the latter here:
> > > > > https://github.com/antonblanchard/kexec-lite/pull/5
> > > > 
> > > > This makes more sense for later when more of the security process is
> > > > firmed up, but would it be worth adding a configure-time option to
> > > > specify if kexec_file_load() is supported by the available kexec-
> > > > {tools,lite}? Otherwise as long as we can return a useful error to the UI
> > > > if it is chosen but isn't available that should be fine.
> > > 
> > > At the moment, if you enable the option on an unsupported kernel, it
> > > gives the "kexec failed" error on selecting a target. Ideally, this
> > > should probably be a little more specific and differentiate between the
> > > "syscall not supported" and "kexec_file_load actually failed" cases.
> > > 
> > > Though, checking for support in kexec-{tools,lite} should be easy at
> > > configure time by parsing the -h output and looking for the -s option.
> > > This could be used to hide the option in the menu, and prevent it from
> > > being toggled in the first place.
> > 
> > This would be best, but probably isn't going to be an option if our build
> > system is cross-compiling (eg. buildroot). Unfortunately (especially with
> > kexec-lite) that's probably our only way of dynamically figuring out if
> > we have file_load support.
> > 
> > > 
> > > Ultimately, I considered this when I first submitted the patches as an
> > > RFC, but there's multiple ways this could be handled. If you have a
> > > preference, I'll gladly implement either :)
> > 
> > I reckon we just go with a simple --enable-secure-kexec (or other name)
> > and leave ensuring kexec has support to the (building) user, especially
> > since if you're enabling secure-boot in this part of the stack you should
> > be doing it in everything prior as well :)
> > 
> 
> I agree, this probably would be the best solution. I suspect in the 
> op-build case this could be toggled by a higher level "enable secure 
> boot support" option that would enable this flag in the Petitboot 
> package build.
> 
> I just sent out a v2 of the patches that include your other suggestions. 
> I'll look into the compile-time option shortly, would you prefer that in 
> a v3 set, or as its own patch?

Whichever is easiest, a separate patch is fine :)

> 
> > > 
> > > > 
> > > > > 
> > > > > 
> > > > > Eric Richter (4):
> > > > >   lib: Add system config option to enable kexec_file_load
> > > > >   boot/pb-discover: Use kexec_method config option to determine kexec
> > > > >     syscall
> > > > >   ui/ncurses: Add system config checkbox to enable kexec_file load
> > > > >   petitboot-powerpc: persist kexec_method option via nvram
> > > > > 
> > > > >  discover/boot.c               |  4 +++-
> > > > >  discover/boot.h               |  1 +
> > > > >  discover/platform-powerpc.c   |  9 +++++++++
> > > > >  lib/pb-protocol/pb-protocol.c |  9 +++++++++
> > > > >  lib/types/types.h             |  2 ++
> > > > >  ui/ncurses/nc-config.c        | 24 +++++++++++++++++++++++-
> > > > >  6 files changed, 47 insertions(+), 2 deletions(-)
> > > > > 
> > > 
> > > 
> 
> 
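
Added example (not part of the thread, and not petitboot, kexec-tools or kexec-lite code): one way to tell the "syscall not supported" case apart from a real kexec_file_load failure, as raised in the discussion above, with a runtime probe that does not depend on a configure-time check and so also works for cross-compiled builds. The kfl_* names and the errno grouping are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical status codes for this example; not petitboot's own. */
enum kfl_status { KFL_OK, KFL_UNSUPPORTED, KFL_DENIED, KFL_REJECTED, KFL_FAILED };

/* Map an errno from kexec_file_load(2) to a reason the UI can show.
 * The grouping below is this example's assumption, not a kernel contract. */
enum kfl_status kfl_classify(int err)
{
	switch (err) {
	case 0:            return KFL_OK;
	case ENOSYS:       return KFL_UNSUPPORTED; /* kernel lacks the syscall */
	case EPERM:        return KFL_DENIED;      /* no CAP_SYS_BOOT, or loading disabled */
	case ENOEXEC:      /* image format the kernel cannot load */
	case EKEYREJECTED: /* signature did not verify */
	case ENOKEY:       /* no key available to verify against */
	case EACCES:       /* refused by policy */
		return KFL_REJECTED;
	default:           return KFL_FAILED;      /* EBADF, ENOMEM, EBUSY, ... */
	}
}

const char *kfl_message(enum kfl_status s)
{
	static const char *const msg[] = {
		[KFL_OK] = "kexec_file_load succeeded",
		[KFL_UNSUPPORTED] = "kexec_file_load is not supported by this kernel",
		[KFL_DENIED] = "kexec_file_load is not permitted",
		[KFL_REJECTED] = "kernel rejected the image (format or signature)",
		[KFL_FAILED] = "kexec_file_load failed",
	};
	return msg[s];
}

/* Runtime probe: invalid descriptors and flags == 0, so no image can be
 * loaded or unloaded; only the presence of the syscall is reported. */
int kfl_supported(void)
{
#ifdef SYS_kexec_file_load
	if (syscall(SYS_kexec_file_load, -1, -1, 0UL, NULL, 0UL) == 0)
		return 1;
	return kfl_classify(errno) != KFL_UNSUPPORTED;
#else
	return 0; /* build headers predate the syscall */
#endif
}

int main(void) { printf("file_load supported: %d\n", kfl_supported()); return 0; }
```

A sandbox or seccomp filter can answer the probe with ENOSYS or EPERM on its own, so the result describes the environment the probe ran in, which for a boot loader is the one that matters.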



More information about the Petitboot mailing list