From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754163AbcGVUlx (ORCPT ); Fri, 22 Jul 2016 16:41:53 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:64142 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751998AbcGVUlv (ORCPT ); Fri, 22 Jul 2016 16:41:51 -0400 X-IBM-Helo: d24dlp02.br.ibm.com X-IBM-MailFrom: bauerman@linux.vnet.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org From: Thiago Jung Bauermann To: Michael Ellerman Cc: Arnd Bergmann , Russell King - ARM Linux , Vivek Goyal , Mark Rutland , Stewart Smith , Mimi Zohar , bhe@redhat.com, linuxppc-dev@lists.ozlabs.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, AKASHI Takahiro , "Eric W. Biederman" , Samuel Mendoza-Jonas , Dave Young , linux-arm-kernel@lists.infradead.org, Jeremy Kerr Subject: Re: [RFC 0/3] extend kexec_file_load system call Date: Fri, 22 Jul 2016 17:41:40 -0300 User-Agent: KMail/4.14.3 (Linux/3.13.0-92-generic; KDE/4.14.13; x86_64; ; ) In-Reply-To: <878twutmaj.fsf@concordia.ellerman.id.au> References: <20160712014201.11456-1-takahiro.akashi@linaro.org> <4197460.etrDupniY8@hactar> <878twutmaj.fsf@concordia.ellerman.id.au> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16072220-1523-0000-0000-0000020A1A18 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16072220-1524-0000-0000-0000275FBCA9 Message-Id: <1732711.nTAkJm8nA3@hactar> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2016-07-22_16:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=2 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1607220234 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Am Freitag, 22 Juli 2016, 12:54:28 schrieb Michael Ellerman: > Thiago Jung Bauermann writes: > > So even if not ideal, the solution above is desirable for powerpc. We > > would like to preserve the ability of allowing userspace to pass > > parameters to the OS via the DTB, even if secure boot is enabled. > > > > I would like to turn the above into a proposal: > > > > Extend the syscall as shown in this RFC from Takahiro AKASHI, but > > instead of accepting a complete DTB from userspace, the syscall accepts > > a DTB containing only a /chosen node. If the DTB contains any other > > node, the syscall fails with EINVAL. If the DTB contains any subnode in > > /chosen, or if there's a compatible or device_type property in /chosen, > > the syscall fails with EINVAL as well. > > > > The kernel can then add the properties in /chosen to the device tree > > that it will pass to the next kernel. > > > > What do you think? > > I think we will inevitably have someone who wants to pass something > other than a child of /chosen. > > At that point we would be faced with adding yet another syscall, or at > best a new flag. > > I think we'd be better allowing userspace to pass a DTB, and having an > explicit whitelist (in the kernel) of which nodes & properties are > allowed in that DTB. Sounds good to me. > For starters it would only contain /chosen/stdout-path (for example). > But we would be able to add new nodes & properties in future. If we allow things outside of chosen, we can keep the offb.c hook in Petitboot and whitelist the framebuffer properties it adds to the vga node. > The downside is userspace would have no way of detecting the content of > the white list, other than trial and error. But in practice I'm not sure > that would be a big problem. For our use case in OpenPower I don't think it would be a problem, since the userspace and the kernel are developed together. -- []'s Thiago Jung Bauermann IBM Linux Technology Center