[PATCH v2 0/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[PATCH v2 0/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Our customer reported that Kernel text may be located on non-mirror
region (movable zone) when both address range mirroring feature and
KASLR are enabled.

The functions of address range mirroring feature are as follows.
- The physical memory region whose descriptors in EFI memory map have
  EFI_MEMORY_MORE_RELIABLE attribute (bit: 16) are mirrored
- The function arranges such mirror region into normal zone and other region
  into movable zone in order to locate kernel code and data on mirror region

So we need restrict kernel to be located inside mirror regions if it
is existed.

The method is very simple. If efi is enabled, just iterate all efi
memory map and pick mirror region to process for adding candidate
of slot. If efi disabled or no mirror region existed, still process
e820 memory map. This won't bring much efficiency loss, at worst we
just go through all efi memory maps and found no mirror.

v1->v2:
  Removed debug code.

  Taku suggested that we should put kernel to mirrored region always
  whether or not "kernelcore=mirror" is specified since kernel text is
  important and mirrored region is reliable.

  Change code according to kbuild report and Chao Fan's comment.

Test:
Chao has tested the v1 (RFC patchset) 100 times. And he said in the 100
times, 50 times are with this patchset applied, 50 times are without it.
The test result showed the v1 patchset works very well.

Baoquan He (2):
  x86/boot/KASLR: Adapt process_e820_entry for any type of memory entry
  x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

 arch/x86/boot/compressed/kaslr.c | 108 +++++++++++++++++++++++++++++----------
 1 file changed, 82 insertions(+), 26 deletions(-)

-- 
2.5.5

[PATCH v2 1/2] x86/boot/KASLR: Adapt process_e820_entry for any type of memory entry

[Baoquan He]

Now function process_e820_entry is only used to process e820 memory
entries. Adapt it for any type of memory entry, not just for e820.
Later we will use it to process efi mirror regions.

So rename the old process_e820_entry to process_mem_region, and
extract and wrap the e820 specific processing code into process_e820_entry.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++------------------
 1 file changed, 33 insertions(+), 27 deletions(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 91f27ab970ef..85c360eec4a6 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -479,35 +479,31 @@ static unsigned long slots_fetch_random(void)
 	return 0;
 }
 
-static void process_e820_entry(struct boot_e820_entry *entry,
+static void process_mem_region(struct mem_vector *entry,
 			       unsigned long minimum,
 			       unsigned long image_size)
 {
 	struct mem_vector region, overlap;
 	struct slot_area slot_area;
 	unsigned long start_orig, end;
-	struct boot_e820_entry cur_entry;
-
-	/* Skip non-RAM entries. */
-	if (entry->type != E820_TYPE_RAM)
-		return;
+	struct mem_vector cur_entry;
 
 	/* On 32-bit, ignore entries entirely above our maximum. */
-	if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
+	if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
 		return;
 
 	/* Ignore entries entirely below our minimum. */
-	if (entry->addr + entry->size < minimum)
+	if (entry->start + entry->size < minimum)
 		return;
 
 	/* Ignore entries above memory limit */
-	end = min(entry->size + entry->addr, mem_limit);
-	if (entry->addr >= end)
+	end = min(entry->size + entry->start, mem_limit);
+	if (entry->start >= end)
 		return;
-	cur_entry.addr = entry->addr;
-	cur_entry.size = end - entry->addr;
+	cur_entry.start = entry->start;
+	cur_entry.size = end - entry->start;
 
-	region.start = cur_entry.addr;
+	region.start = cur_entry.start;
 	region.size = cur_entry.size;
 
 	/* Give up if slot area array is full. */
@@ -522,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 		region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
 
 		/* Did we raise the address above this e820 region? */
-		if (region.start > cur_entry.addr + cur_entry.size)
+		if (region.start > cur_entry.start + cur_entry.size)
 			return;
 
 		/* Reduce size by any delta from the original address. */
@@ -562,12 +558,31 @@ static void process_e820_entry(struct boot_e820_entry *entry,
 	}
 }
 
-static unsigned long find_random_phys_addr(unsigned long minimum,
-					   unsigned long image_size)
+static void process_e820_entry(unsigned long minimum, unsigned long image_size)
 {
 	int i;
-	unsigned long addr;
+	struct mem_vector region;
+	struct boot_e820_entry *entry;
+
+	/* Verify potential e820 positions, appending to slots list. */
+	for (i = 0; i < boot_params->e820_entries; i++) {
+		entry = &boot_params->e820_table[i];
+		/* Skip non-RAM entries. */
+		if (entry->type != E820_TYPE_RAM)
+			continue;
+		region.start = entry->addr;
+		region.size = entry->size;
+		process_mem_region(&region, minimum, image_size);
+		if (slot_area_index == MAX_SLOT_AREA) {
+			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
+			break;
+		}
+	}
+}
 
+static unsigned long find_random_phys_addr(unsigned long minimum,
+					   unsigned long image_size)
+{
 	/* Check if we had too many memmaps. */
 	if (memmap_too_large) {
 		debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
@@ -577,16 +592,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
-	/* Verify potential e820 positions, appending to slots list. */
-	for (i = 0; i < boot_params->e820_entries; i++) {
-		process_e820_entry(&boot_params->e820_table[i], minimum,
-				   image_size);
-		if (slot_area_index == MAX_SLOT_AREA) {
-			debug_putstr("Aborted e820 scan (slot_areas full)!\n");
-			break;
-		}
-	}
-
+	process_e820_entry(minimum, image_size);
 	return slots_fetch_random();
 }
 
-- 
2.5.5

[PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

Kernel text may be located in non-mirror regions (movable zone) when both
address range mirroring feature and KASLR are enabled.

The address range mirroring feature arranges such mirror region into
normal zone and other region into movable zone in order to locate
kernel code and data in mirror region. The physical memory region
whose descriptors in EFI memory map has EFI_MEMORY_MORE_RELIABLE
attribute (bit: 16) are mirrored.

If efi is detected, iterate efi memory map and pick the mirror region to
process for adding candidate of randomization slot. If efi is disabled
or no mirror region found, still process e820 memory map.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
 arch/x86/boot/compressed/kaslr.c | 52 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
index 85c360eec4a6..5f10e0b10ef4 100644
--- a/arch/x86/boot/compressed/kaslr.c
+++ b/arch/x86/boot/compressed/kaslr.c
@@ -37,7 +37,9 @@
 #include <linux/uts.h>
 #include <linux/utsname.h>
 #include <linux/ctype.h>
+#include <linux/efi.h>
 #include <generated/utsrelease.h>
+#include <asm/efi.h>
 
 /* Macros used by the included decompressor code below. */
 #define STATIC
@@ -558,6 +560,50 @@ static void process_mem_region(struct mem_vector *entry,
 	}
 }
 
+/* Marks if efi mirror regions have been found and handled. */
+static bool efi_mirror_found;
+
+static void process_efi_entry(unsigned long minimum, unsigned long image_size)
+{
+	struct efi_info *e = &boot_params->efi_info;
+	struct mem_vector region;
+	efi_memory_desc_t *md;
+	unsigned long pmap;
+	char *signature;
+	u32 nr_desc;
+	int i;
+
+
+#ifdef CONFIG_EFI
+	signature = (char *)&boot_params->efi_info.efi_loader_signature;
+#endif
+	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
+	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
+		return;
+
+#ifdef CONFIG_X86_32
+	/* Can't handle data above 4GB at this time */
+	if (e->efi_memmap_hi) {
+		warn("Memory map is above 4GB, EFI should be disabled.\n");
+		return;
+	}
+	pmap =  e->efi_memmap;
+#else
+	pmap = (e->efi_memmap | ((__u64)e->efi_memmap_hi << 32));
+#endif
+
+	nr_desc = e->efi_memmap_size / e->efi_memdesc_size;
+	for (i = 0; i < nr_desc; i++) {
+		md = (efi_memory_desc_t *)(pmap + (i * e->efi_memdesc_size));
+		if (md->attribute & EFI_MEMORY_MORE_RELIABLE) {
+			region.start = md->phys_addr;
+			region.size = md->num_pages << EFI_PAGE_SHIFT;
+			process_mem_region(&region, minimum, image_size);
+			efi_mirror_found = true;
+		}
+	}
+}
+
 static void process_e820_entry(unsigned long minimum, unsigned long image_size)
 {
 	int i;
@@ -592,6 +638,10 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
 	/* Make sure minimum is aligned. */
 	minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
 
+	process_efi_entry(minimum, image_size);
+	if (efi_mirror_found)
+		return slots_fetch_random();
+
 	process_e820_entry(minimum, image_size);
 	return slots_fetch_random();
 }
@@ -651,7 +701,7 @@ void choose_random_location(unsigned long input,
 	 */
 	min_addr = min(*output, 512UL << 20);
 
-	/* Walk e820 and find a random address. */
+	/* Walk available memory entries to find a random address. */
 	random_addr = find_random_phys_addr(min_addr, output_size);
 	if (!random_addr) {
 		warn("Physical KASLR disabled: no suitable memory region!");
-- 
2.5.5

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Thomas Gleixner]

On Tue, 4 Jul 2017, Baoquan He wrote:
> +/* Marks if efi mirror regions have been found and handled. */
> +static bool efi_mirror_found;
> +
> +static void process_efi_entry(unsigned long minimum, unsigned long image_size)
> +{
> +	struct efi_info *e = &boot_params->efi_info;
> +	struct mem_vector region;
> +	efi_memory_desc_t *md;
> +	unsigned long pmap;
> +	char *signature;
> +	u32 nr_desc;
> +	int i;
> +
> +
> +#ifdef CONFIG_EFI
> +	signature = (char *)&boot_params->efi_info.efi_loader_signature;
> +#endif

So if CONFIG_EFI=n you happily dereference the uninitialized signature
pointer ...

Why is process_efi_entry() invoked at all if EFI is not enabled?

> +	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
> +	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
> +		return;
> +

Thanks,

	tglx

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

On 07/04/17 at 04:00pm, Thomas Gleixner wrote:
> On Tue, 4 Jul 2017, Baoquan He wrote:
> > +/* Marks if efi mirror regions have been found and handled. */
> > +static bool efi_mirror_found;
> > +
> > +static void process_efi_entry(unsigned long minimum, unsigned long image_size)
> > +{
> > +	struct efi_info *e = &boot_params->efi_info;
> > +	struct mem_vector region;
> > +	efi_memory_desc_t *md;
> > +	unsigned long pmap;
> > +	char *signature;
> > +	u32 nr_desc;
> > +	int i;
> > +
> > +
> > +#ifdef CONFIG_EFI
> > +	signature = (char *)&boot_params->efi_info.efi_loader_signature;
> > +#endif
> 
> So if CONFIG_EFI=n you happily dereference the uninitialized signature
> pointer ...

Right, this is a mistake. Thanks for pointing it out. I should have
checked if the pointer is NULL.

In fact I just referred to code in setup_arch(). Now I have a question,
though CONFIG_EFI=y but efi firmware is not enabled,
boot_params.efi_info.efi_loader_signature should be initilized to 0.
Then below code is also problematic.

#ifdef CONFIG_EFI
        if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,                                                                         
                     EFI32_LOADER_SIGNATURE, 4)) {
                set_bit(EFI_BOOT, &efi.flags);
        } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
                     EFI64_LOADER_SIGNATURE, 4)) {
                set_bit(EFI_BOOT, &efi.flags);
                set_bit(EFI_64BIT, &efi.flags);
        }

        if (efi_enabled(EFI_BOOT))
                efi_memblock_x86_reserve_range();
#endif

> 
> Why is process_efi_entry() invoked at all if EFI is not enabled?


Yeah, and it's better to check if CONFIG_EFI is enabled before
invocation of process_efi_entry(). Let me change it as below and repost.
Thanks again for looking into this patchset.

+#ifdef CONFIG_EFI
        process_efi_entry(minimum, image_size);
+#endif

> 
> > +	if (strncmp(signature, EFI32_LOADER_SIGNATURE, 4) &&
> > +	    strncmp(signature, EFI64_LOADER_SIGNATURE, 4))
> > +		return;
> > +
> 
> Thanks,
> 
> 	tglx

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Thomas Gleixner]

On Tue, 4 Jul 2017, Baoquan He wrote:

> On 07/04/17 at 04:00pm, Thomas Gleixner wrote:
> > On Tue, 4 Jul 2017, Baoquan He wrote:
> > > +/* Marks if efi mirror regions have been found and handled. */
> > > +static bool efi_mirror_found;
> > > +
> > > +static void process_efi_entry(unsigned long minimum, unsigned long image_size)
> > > +{
> > > +	struct efi_info *e = &boot_params->efi_info;
> > > +	struct mem_vector region;
> > > +	efi_memory_desc_t *md;
> > > +	unsigned long pmap;
> > > +	char *signature;
> > > +	u32 nr_desc;
> > > +	int i;
> > > +
> > > +
> > > +#ifdef CONFIG_EFI
> > > +	signature = (char *)&boot_params->efi_info.efi_loader_signature;
> > > +#endif
> > 
> > So if CONFIG_EFI=n you happily dereference the uninitialized signature
> > pointer ...
> 
> Right, this is a mistake. Thanks for pointing it out. I should have
> checked if the pointer is NULL.

The pointer is not NULL, it's not initialized.
 
> In fact I just referred to code in setup_arch(). Now I have a question,
> though CONFIG_EFI=y but efi firmware is not enabled,
> boot_params.efi_info.efi_loader_signature should be initilized to 0.
> Then below code is also problematic.
>
> #ifdef CONFIG_EFI
>         if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,                                                                         
>                      EFI32_LOADER_SIGNATURE, 4)) {
>                 set_bit(EFI_BOOT, &efi.flags);
>         } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
>                      EFI64_LOADER_SIGNATURE, 4)) {
>                 set_bit(EFI_BOOT, &efi.flags);
>                 set_bit(EFI_64BIT, &efi.flags);
>         }
> 
>         if (efi_enabled(EFI_BOOT))
>                 efi_memblock_x86_reserve_range();
> #endif

Indeed. Matt?

Thanks,

	tglx

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Matt Fleming]

On Tue, 04 Jul, at 04:46:58PM, Thomas Gleixner wrote:
> On Tue, 4 Jul 2017, Baoquan He wrote:
>  
> > In fact I just referred to code in setup_arch(). Now I have a question,
> > though CONFIG_EFI=y but efi firmware is not enabled,
> > boot_params.efi_info.efi_loader_signature should be initilized to 0.
> > Then below code is also problematic.
> >
> > #ifdef CONFIG_EFI
> >         if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,                                                                         
> >                      EFI32_LOADER_SIGNATURE, 4)) {
> >                 set_bit(EFI_BOOT, &efi.flags);
> >         } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
> >                      EFI64_LOADER_SIGNATURE, 4)) {
> >                 set_bit(EFI_BOOT, &efi.flags);
> >                 set_bit(EFI_64BIT, &efi.flags);
> >         }
> > 
> >         if (efi_enabled(EFI_BOOT))
> >                 efi_memblock_x86_reserve_range();
> > #endif
> 
> Indeed. Matt?

It's possibly that I'm missing some context, but boot_params should be
zero'd -- the x86 boot protocol requires that the entire data
structure be zero'd on allocation.

Have I missed something?

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Thomas Gleixner]

On Tue, 4 Jul 2017, Matt Fleming wrote:
> On Tue, 04 Jul, at 04:46:58PM, Thomas Gleixner wrote:
> > On Tue, 4 Jul 2017, Baoquan He wrote:
> >  
> > > In fact I just referred to code in setup_arch(). Now I have a question,
> > > though CONFIG_EFI=y but efi firmware is not enabled,
> > > boot_params.efi_info.efi_loader_signature should be initilized to 0.
> > > Then below code is also problematic.
> > >
> > > #ifdef CONFIG_EFI
> > >         if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,                                                                         
> > >                      EFI32_LOADER_SIGNATURE, 4)) {
> > >                 set_bit(EFI_BOOT, &efi.flags);
> > >         } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
> > >                      EFI64_LOADER_SIGNATURE, 4)) {
> > >                 set_bit(EFI_BOOT, &efi.flags);
> > >                 set_bit(EFI_64BIT, &efi.flags);
> > >         }
> > > 
> > >         if (efi_enabled(EFI_BOOT))
> > >                 efi_memblock_x86_reserve_range();
> > > #endif
> > 
> > Indeed. Matt?
> 
> It's possibly that I'm missing some context, but boot_params should be
> zero'd -- the x86 boot protocol requires that the entire data
> structure be zero'd on allocation.
> 
> Have I missed something?

No. I misread the code. The strncmp() operates on
boot_params.efi_info.efi_loader_signature itself, so yes, all is fine.

It's just Baoquans copy and paste wreckage which is busted.

Thanks,

	tglx

Re: [PATCH v2 2/2] x86/boot/KASLR: Restrict kernel to be randomized in mirror regions

[Baoquan He]

On 07/04/17 at 05:46pm, Thomas Gleixner wrote:
> On Tue, 4 Jul 2017, Matt Fleming wrote:
> > On Tue, 04 Jul, at 04:46:58PM, Thomas Gleixner wrote:
> > > On Tue, 4 Jul 2017, Baoquan He wrote:
> > >  
> > > > In fact I just referred to code in setup_arch(). Now I have a question,
> > > > though CONFIG_EFI=y but efi firmware is not enabled,
> > > > boot_params.efi_info.efi_loader_signature should be initilized to 0.
> > > > Then below code is also problematic.
> > > >
> > > > #ifdef CONFIG_EFI
> > > >         if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,                                                                         
> > > >                      EFI32_LOADER_SIGNATURE, 4)) {
> > > >                 set_bit(EFI_BOOT, &efi.flags);
> > > >         } else if (!strncmp((char *)&boot_params.efi_info.efi_loader_signature,
> > > >                      EFI64_LOADER_SIGNATURE, 4)) {
> > > >                 set_bit(EFI_BOOT, &efi.flags);
> > > >                 set_bit(EFI_64BIT, &efi.flags);
> > > >         }
> > > > 
> > > >         if (efi_enabled(EFI_BOOT))
> > > >                 efi_memblock_x86_reserve_range();
> > > > #endif
> > > 
> > > Indeed. Matt?
> > 
> > It's possibly that I'm missing some context, but boot_params should be
> > zero'd -- the x86 boot protocol requires that the entire data
> > structure be zero'd on allocation.
> > 
> > Have I missed something?
> 
> No. I misread the code. The strncmp() operates on
> boot_params.efi_info.efi_loader_signature itself, so yes, all is fine.

Sorry, I must be dizzy at late night of yesterday, just gave wrong
answer when questioned.

> 
> It's just Baoquans copy and paste wreckage which is busted.
> 
> Thanks,
> 
> 	tglx
> 

Re: [PATCH v2 1/2] x86/boot/KASLR: Adapt process_e820_entry for any type of memory entry

[Kees Cook]

On Tue, Jul 4, 2017 at 1:04 AM, Baoquan He <bhe@redhat.com> wrote:
> Now function process_e820_entry is only used to process e820 memory
> entries. Adapt it for any type of memory entry, not just for e820.
> Later we will use it to process efi mirror regions.
>
> So rename the old process_e820_entry to process_mem_region, and
> extract and wrap the e820 specific processing code into process_e820_entry.

This mixes changing the structure internals (.addr vs .start) with
changing the processing logic (adding a wrapper). I would prefer this
was done in several stages to make review easier:

1) lift e820 walking into a new function process_e820_entries(), and
move TYPE_RAM logic there.

2) switch process_e820_entry() from struct boot_e820_entry to struct mem_vector.

3) rename (and adjust comments!) of process_e820_entry() into
process_mem_region().

-Kees

>
> Signed-off-by: Baoquan He <bhe@redhat.com>
> ---
>  arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++------------------
>  1 file changed, 33 insertions(+), 27 deletions(-)
>
> diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> index 91f27ab970ef..85c360eec4a6 100644
> --- a/arch/x86/boot/compressed/kaslr.c
> +++ b/arch/x86/boot/compressed/kaslr.c
> @@ -479,35 +479,31 @@ static unsigned long slots_fetch_random(void)
>         return 0;
>  }
>
> -static void process_e820_entry(struct boot_e820_entry *entry,
> +static void process_mem_region(struct mem_vector *entry,
>                                unsigned long minimum,
>                                unsigned long image_size)
>  {
>         struct mem_vector region, overlap;
>         struct slot_area slot_area;
>         unsigned long start_orig, end;
> -       struct boot_e820_entry cur_entry;
> -
> -       /* Skip non-RAM entries. */
> -       if (entry->type != E820_TYPE_RAM)
> -               return;
> +       struct mem_vector cur_entry;
>
>         /* On 32-bit, ignore entries entirely above our maximum. */
> -       if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
> +       if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
>                 return;
>
>         /* Ignore entries entirely below our minimum. */
> -       if (entry->addr + entry->size < minimum)
> +       if (entry->start + entry->size < minimum)
>                 return;
>
>         /* Ignore entries above memory limit */
> -       end = min(entry->size + entry->addr, mem_limit);
> -       if (entry->addr >= end)
> +       end = min(entry->size + entry->start, mem_limit);
> +       if (entry->start >= end)
>                 return;
> -       cur_entry.addr = entry->addr;
> -       cur_entry.size = end - entry->addr;
> +       cur_entry.start = entry->start;
> +       cur_entry.size = end - entry->start;
>
> -       region.start = cur_entry.addr;
> +       region.start = cur_entry.start;
>         region.size = cur_entry.size;
>
>         /* Give up if slot area array is full. */
> @@ -522,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
>                 region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
>
>                 /* Did we raise the address above this e820 region? */
> -               if (region.start > cur_entry.addr + cur_entry.size)
> +               if (region.start > cur_entry.start + cur_entry.size)
>                         return;
>
>                 /* Reduce size by any delta from the original address. */
> @@ -562,12 +558,31 @@ static void process_e820_entry(struct boot_e820_entry *entry,
>         }
>  }
>
> -static unsigned long find_random_phys_addr(unsigned long minimum,
> -                                          unsigned long image_size)
> +static void process_e820_entry(unsigned long minimum, unsigned long image_size)
>  {
>         int i;
> -       unsigned long addr;
> +       struct mem_vector region;
> +       struct boot_e820_entry *entry;
> +
> +       /* Verify potential e820 positions, appending to slots list. */
> +       for (i = 0; i < boot_params->e820_entries; i++) {
> +               entry = &boot_params->e820_table[i];
> +               /* Skip non-RAM entries. */
> +               if (entry->type != E820_TYPE_RAM)
> +                       continue;
> +               region.start = entry->addr;
> +               region.size = entry->size;
> +               process_mem_region(&region, minimum, image_size);
> +               if (slot_area_index == MAX_SLOT_AREA) {
> +                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> +                       break;
> +               }
> +       }
> +}
>
> +static unsigned long find_random_phys_addr(unsigned long minimum,
> +                                          unsigned long image_size)
> +{
>         /* Check if we had too many memmaps. */
>         if (memmap_too_large) {
>                 debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
> @@ -577,16 +592,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
>         /* Make sure minimum is aligned. */
>         minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
>
> -       /* Verify potential e820 positions, appending to slots list. */
> -       for (i = 0; i < boot_params->e820_entries; i++) {
> -               process_e820_entry(&boot_params->e820_table[i], minimum,
> -                                  image_size);
> -               if (slot_area_index == MAX_SLOT_AREA) {
> -                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> -                       break;
> -               }
> -       }
> -
> +       process_e820_entry(minimum, image_size);
>         return slots_fetch_random();
>  }
>
> --
> 2.5.5
>



-- 
Kees Cook
Pixel Security

Re: [PATCH v2 1/2] x86/boot/KASLR: Adapt process_e820_entry for any type of memory entry

[Baoquan He]

On 07/05/17 at 03:06pm, Kees Cook wrote:
> On Tue, Jul 4, 2017 at 1:04 AM, Baoquan He <bhe@redhat.com> wrote:
> > Now function process_e820_entry is only used to process e820 memory
> > entries. Adapt it for any type of memory entry, not just for e820.
> > Later we will use it to process efi mirror regions.
> >
> > So rename the old process_e820_entry to process_mem_region, and
> > extract and wrap the e820 specific processing code into process_e820_entry.
> 
> This mixes changing the structure internals (.addr vs .start) with
> changing the processing logic (adding a wrapper). I would prefer this
> was done in several stages to make review easier:

OK, will do following below steps. Thanks!

> 
> 1) lift e820 walking into a new function process_e820_entries(), and
> move TYPE_RAM logic there.
> 
> 2) switch process_e820_entry() from struct boot_e820_entry to struct mem_vector.
> 
> 3) rename (and adjust comments!) of process_e820_entry() into
> process_mem_region().
> 
> -Kees
> 
> >
> > Signed-off-by: Baoquan He <bhe@redhat.com>
> > ---
> >  arch/x86/boot/compressed/kaslr.c | 60 ++++++++++++++++++++++------------------
> >  1 file changed, 33 insertions(+), 27 deletions(-)
> >
> > diff --git a/arch/x86/boot/compressed/kaslr.c b/arch/x86/boot/compressed/kaslr.c
> > index 91f27ab970ef..85c360eec4a6 100644
> > --- a/arch/x86/boot/compressed/kaslr.c
> > +++ b/arch/x86/boot/compressed/kaslr.c
> > @@ -479,35 +479,31 @@ static unsigned long slots_fetch_random(void)
> >         return 0;
> >  }
> >
> > -static void process_e820_entry(struct boot_e820_entry *entry,
> > +static void process_mem_region(struct mem_vector *entry,
> >                                unsigned long minimum,
> >                                unsigned long image_size)
> >  {
> >         struct mem_vector region, overlap;
> >         struct slot_area slot_area;
> >         unsigned long start_orig, end;
> > -       struct boot_e820_entry cur_entry;
> > -
> > -       /* Skip non-RAM entries. */
> > -       if (entry->type != E820_TYPE_RAM)
> > -               return;
> > +       struct mem_vector cur_entry;
> >
> >         /* On 32-bit, ignore entries entirely above our maximum. */
> > -       if (IS_ENABLED(CONFIG_X86_32) && entry->addr >= KERNEL_IMAGE_SIZE)
> > +       if (IS_ENABLED(CONFIG_X86_32) && entry->start >= KERNEL_IMAGE_SIZE)
> >                 return;
> >
> >         /* Ignore entries entirely below our minimum. */
> > -       if (entry->addr + entry->size < minimum)
> > +       if (entry->start + entry->size < minimum)
> >                 return;
> >
> >         /* Ignore entries above memory limit */
> > -       end = min(entry->size + entry->addr, mem_limit);
> > -       if (entry->addr >= end)
> > +       end = min(entry->size + entry->start, mem_limit);
> > +       if (entry->start >= end)
> >                 return;
> > -       cur_entry.addr = entry->addr;
> > -       cur_entry.size = end - entry->addr;
> > +       cur_entry.start = entry->start;
> > +       cur_entry.size = end - entry->start;
> >
> > -       region.start = cur_entry.addr;
> > +       region.start = cur_entry.start;
> >         region.size = cur_entry.size;
> >
> >         /* Give up if slot area array is full. */
> > @@ -522,7 +518,7 @@ static void process_e820_entry(struct boot_e820_entry *entry,
> >                 region.start = ALIGN(region.start, CONFIG_PHYSICAL_ALIGN);
> >
> >                 /* Did we raise the address above this e820 region? */
> > -               if (region.start > cur_entry.addr + cur_entry.size)
> > +               if (region.start > cur_entry.start + cur_entry.size)
> >                         return;
> >
> >                 /* Reduce size by any delta from the original address. */
> > @@ -562,12 +558,31 @@ static void process_e820_entry(struct boot_e820_entry *entry,
> >         }
> >  }
> >
> > -static unsigned long find_random_phys_addr(unsigned long minimum,
> > -                                          unsigned long image_size)
> > +static void process_e820_entry(unsigned long minimum, unsigned long image_size)
> >  {
> >         int i;
> > -       unsigned long addr;
> > +       struct mem_vector region;
> > +       struct boot_e820_entry *entry;
> > +
> > +       /* Verify potential e820 positions, appending to slots list. */
> > +       for (i = 0; i < boot_params->e820_entries; i++) {
> > +               entry = &boot_params->e820_table[i];
> > +               /* Skip non-RAM entries. */
> > +               if (entry->type != E820_TYPE_RAM)
> > +                       continue;
> > +               region.start = entry->addr;
> > +               region.size = entry->size;
> > +               process_mem_region(&region, minimum, image_size);
> > +               if (slot_area_index == MAX_SLOT_AREA) {
> > +                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> > +                       break;
> > +               }
> > +       }
> > +}
> >
> > +static unsigned long find_random_phys_addr(unsigned long minimum,
> > +                                          unsigned long image_size)
> > +{
> >         /* Check if we had too many memmaps. */
> >         if (memmap_too_large) {
> >                 debug_putstr("Aborted e820 scan (more than 4 memmap= args)!\n");
> > @@ -577,16 +592,7 @@ static unsigned long find_random_phys_addr(unsigned long minimum,
> >         /* Make sure minimum is aligned. */
> >         minimum = ALIGN(minimum, CONFIG_PHYSICAL_ALIGN);
> >
> > -       /* Verify potential e820 positions, appending to slots list. */
> > -       for (i = 0; i < boot_params->e820_entries; i++) {
> > -               process_e820_entry(&boot_params->e820_table[i], minimum,
> > -                                  image_size);
> > -               if (slot_area_index == MAX_SLOT_AREA) {
> > -                       debug_putstr("Aborted e820 scan (slot_areas full)!\n");
> > -                       break;
> > -               }
> > -       }
> > -
> > +       process_e820_entry(minimum, image_size);
> >         return slots_fetch_random();
> >  }
> >
> > --
> > 2.5.5
> >
> 
> 
> 
> -- 
> Kees Cook
> Pixel Security