From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934899AbdCXJhq (ORCPT ); Fri, 24 Mar 2017 05:37:46 -0400 Received: from mail-io0-f180.google.com ([209.85.223.180]:36408 "EHLO mail-io0-f180.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933860AbdCXJhi (ORCPT ); Fri, 24 Mar 2017 05:37:38 -0400 MIME-Version: 1.0 In-Reply-To: <20170324092433.GA3237@gmail.com> References: <1490331592-31860-1-git-send-email-bhe@redhat.com> <20170324080833.GA15200@gmail.com> <20170324083451.GC30442@x1> <20170324084609.GA6807@dhcp-128-65.nay.redhat.com> <20170324092433.GA3237@gmail.com> From: Ard Biesheuvel Date: Fri, 24 Mar 2017 09:37:36 +0000 Message-ID: Subject: Re: [PATCH v2] x86/mm/KASLR: EFI region is mistakenly included into KASLR VA space for randomization To: Ingo Molnar Cc: Dave Young , Baoquan He , "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org" , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "x86@kernel.org" , "linux-efi@vger.kernel.org" , Thomas Garnier , Kees Cook , Borislav Petkov , Andrew Morton , Masahiro Yamada , Bhupesh Sharma Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 24 March 2017 at 09:24, Ingo Molnar wrote: > > * Dave Young wrote: > >> > > So I applied this kexec fix and extended the changelog to clearly show why >> > > this fix matters in practice. >> > >> > I thought it only impacts kexec, but Dave thought it will impact 1st kenrel >> > either. >> >> Yes, I think no need to mention kexec, it is a general issue. >> >> First, the space is reserved for EFI, so kernel should not use it for kaslr. > > It's the kernel's EFI code, and we map whatever address we want (and then pass > that to the EFI runtime), so wether it's randomized or not is the Linux kernel's > policy decision... > No. It is the firmware's EFI code, and the virtual translation applied by the OS is made known to the firmware by means of a call into the runtime service SetVirtualAddressMap(). This service can only be called once after each boot, and so kexec kernels are forced to use the same VA mapping for runtime services as the first kernel. This is the whole point of having a VA region reserved for this, so that kexec kernels are guaranteed to be able to use the same VA mapping. > So that's my question: can these memory regions include security sensitive data, > and if yes, how can we best randomize it while kexec and other kernel and EFI > features still work? > > Preserving virtual addresses for kexec is a red herring: the randomized offset > could be passed to the kexec-ed kernel just fine. > > Thanks, > > Ingo > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html From mboxrd@z Thu Jan 1 00:00:00 1970 From: Ard Biesheuvel Subject: Re: [PATCH v2] x86/mm/KASLR: EFI region is mistakenly included into KASLR VA space for randomization Date: Fri, 24 Mar 2017 09:37:36 +0000 Message-ID: References: <1490331592-31860-1-git-send-email-bhe@redhat.com> <20170324080833.GA15200@gmail.com> <20170324083451.GC30442@x1> <20170324084609.GA6807@dhcp-128-65.nay.redhat.com> <20170324092433.GA3237@gmail.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Return-path: In-Reply-To: <20170324092433.GA3237-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> Sender: linux-efi-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: Ingo Molnar Cc: Dave Young , Baoquan He , "linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , "stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , "x86-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org" , "linux-efi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" , Thomas Garnier , Kees Cook , Borislav Petkov , Andrew Morton , Masahiro Yamada , Bhupesh Sharma List-Id: linux-efi@vger.kernel.org On 24 March 2017 at 09:24, Ingo Molnar wrote: > > * Dave Young wrote: > >> > > So I applied this kexec fix and extended the changelog to clearly show why >> > > this fix matters in practice. >> > >> > I thought it only impacts kexec, but Dave thought it will impact 1st kenrel >> > either. >> >> Yes, I think no need to mention kexec, it is a general issue. >> >> First, the space is reserved for EFI, so kernel should not use it for kaslr. > > It's the kernel's EFI code, and we map whatever address we want (and then pass > that to the EFI runtime), so wether it's randomized or not is the Linux kernel's > policy decision... > No. It is the firmware's EFI code, and the virtual translation applied by the OS is made known to the firmware by means of a call into the runtime service SetVirtualAddressMap(). This service can only be called once after each boot, and so kexec kernels are forced to use the same VA mapping for runtime services as the first kernel. This is the whole point of having a VA region reserved for this, so that kexec kernels are guaranteed to be able to use the same VA mapping. > So that's my question: can these memory regions include security sensitive data, > and if yes, how can we best randomize it while kexec and other kernel and EFI > features still work? > > Preserving virtual addresses for kexec is a red herring: the randomized offset > could be passed to the kexec-ed kernel just fine. > > Thanks, > > Ingo > -- > To unsubscribe from this list: send the line "unsubscribe linux-efi" in > the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org > More majordomo info at http://vger.kernel.org/majordomo-info.html