From: Arnd Bergmann
To: linuxppc-dev@lists.ozlabs.org
Cc: Dave Young, Mark Rutland, linux-arm-kernel@lists.infradead.org, bhe@redhat.com, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, AKASHI Takahiro, "Eric W. Biederman", bauerman@linux.vnet.ibm.com, Vivek Goyal
Subject: Re: [RFC 0/3] extend kexec_file_load system call
Date: Wed, 13 Jul 2016 10:01:33 +0200
Message-ID: <5352106.oQ0Ff9gWJA@wuerfel>
In-Reply-To: <20160713023614.GB3222@dhcp-128-65.nay.redhat.com>
References: <20160712014201.11456-1-takahiro.akashi@linaro.org> <20160712145010.GA8447@leverpostej> <20160713023614.GB3222@dhcp-128-65.nay.redhat.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wednesday, July 13, 2016 10:36:14 AM CEST Dave Young wrote:
> On 07/12/16 at 03:50pm, Mark Rutland wrote:
> > On Tue, Jul 12, 2016 at 04:24:10PM +0200, Arnd Bergmann wrote:
> > > On Tuesday, July 12, 2016 10:18:11 AM CEST Vivek Goyal wrote:
> >
> > /proc/devicetree (aka /sys/firmware/devicetree) is a filesystem derived
> > from the raw DTB (which is exposed at /sys/firmware/fdt).
> >
> > The blob that was handed to the kernel at boot time is exposed at
> > /sys/firmware/fdt.
>
> I believe the blob can be read and passed to the kexec kernel in kernel code
> without the extra fd.
>
> But consider we can kexec to a different kernel and a different initrd, so there
> will be use cases to pass a totally different dtb as well. From my understanding
> it is reasonable, but yes, I think we should think carefully about the design.

Ok, I can see four interesting use cases here:

- Using the dtb that the kernel has saved at boot time. Ideally this
  should not require an additional step of signing it, since the running
  kernel already trusts it.

- A dtb blob from the file system that was produced along with the kernel
  image. If we require a signature on the kernel, the same requirement
  should be made on the dtb. Whoever signs the kernel can also sign the dtb.
  The tricky part here is the kernel command line that is part of the dtb
  and that may need to be modified.

- Modifying the dtb for any of the reasons I listed: this should always be
  possible when we do not use secure boot, just like booting an unsigned
  kernel is.

- kboot/petitboot with all of the user space being part of the trusted boot
  chain: it would be good to allow these to modify the dtb as needed without
  breaking the trust chain, just like we allow grub or u-boot to modify the
  dtb before passing it to the kernel.

	Arnd
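An added illustration, not code from this thread or from the kernel's kexec implementation, of the point above that the kernel command line lives inside the dtb: a minimal flattened-device-tree builder and parser that locates /chosen/bootargs and hashes the whole blob, so a signature over the dtb necessarily binds the command line and any edit to it has to happen before signing. build_fdt, bootargs_of and dtb_digest are constructed helper names, and the sample bootargs values are constructed.

```python
import hashlib, struct
FDT_MAGIC = 0xD00DFEED
FDT_BEGIN_NODE, FDT_END_NODE, FDT_PROP, FDT_NOP, FDT_END = 1, 2, 3, 4, 9

def _pad4(b):  # the structure block keeps every token 4-byte aligned
    return b + b"\0" * (-len(b) % 4)

def build_fdt(bootargs):
    # Constructed sample: a minimal DTB whose only content is /chosen/bootargs.
    strings, val = b"bootargs\0", bootargs.encode() + b"\0"
    struct_blk = b"".join([
        struct.pack(">I", FDT_BEGIN_NODE), _pad4(b"\0"),          # root node ""
        struct.pack(">I", FDT_BEGIN_NODE), _pad4(b"chosen\0"),
        struct.pack(">III", FDT_PROP, len(val), 0), _pad4(val),   # nameoff 0 -> "bootargs"
        struct.pack(">III", FDT_END_NODE, FDT_END_NODE, FDT_END),
    ])
    rsvmap = struct.pack(">QQ", 0, 0)   # empty memory reservation map, right after the 40-byte header
    off_struct = 40 + len(rsvmap)
    off_strings = off_struct + len(struct_blk)
    header = struct.pack(">10I", FDT_MAGIC, off_strings + len(strings), off_struct,
                         off_strings, 40, 17, 16, 0, len(strings), len(struct_blk))
    return header + rsvmap + struct_blk + strings

def bootargs_of(dtb):
    # Walk the structure block and return /chosen/bootargs as a string (None if absent).
    hdr = struct.unpack(">10I", dtb[:40])
    if hdr[0] != FDT_MAGIC or hdr[1] > len(dtb):
        raise ValueError("not a sane FDT blob")
    strings = dtb[hdr[3]:hdr[3] + hdr[8]]
    pos, end, path = hdr[2], hdr[2] + hdr[9], []
    while pos < end:
        tok, pos = struct.unpack(">I", dtb[pos:pos + 4])[0], pos + 4
        if tok == FDT_BEGIN_NODE:
            name_end = dtb.index(b"\0", pos)
            path.append(dtb[pos:name_end].decode())
            pos = name_end + 1 + (-(name_end + 1) % 4)
        elif tok == FDT_END_NODE:
            path.pop()
        elif tok == FDT_PROP:
            length, nameoff = struct.unpack(">II", dtb[pos:pos + 8])
            value, pos = dtb[pos + 8:pos + 8 + length], pos + 8 + length + (-length % 4)
            name = strings[nameoff:strings.index(b"\0", nameoff)].decode()
            if path == ["", "chosen"] and name == "bootargs":
                return value.rstrip(b"\0").decode()
        elif tok == FDT_END:
            break
        elif tok != FDT_NOP:
            raise ValueError("unexpected FDT token %d" % tok)
    return None

def dtb_digest(dtb):  # what a signature over the blob covers: header, struct and strings, bootargs included
    return hashlib.sha256(dtb).hexdigest()
```

Changing only the bootargs string yields a different digest, which is exactly why a signed dtb cannot have its command line patched afterwards without re-signing.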