From: Juergen Gross <jgross@suse.com>
To: "H. Peter Anvin" <hpa@zytor.com>,
linux-kernel@vger.kernel.org, xen-devel@lists.xenproject.org,
x86@kernel.org, linux-doc@vger.kernel.org
Cc: tglx@linutronix.de, mingo@redhat.com, bp@alien8.de,
corbet@lwn.net, boris.ostrovsky@oracle.com
Subject: Re: PLEASE REVERT URGENTLY: Re: [PATCH v5 2/3] x86/boot: add acpi rsdp address to setup_header
Date: Sat, 10 Nov 2018 07:26:01 +0100
Message-ID: <bd2d17cd-072c-cad6-94ad-52373700a1c9@suse.com>
In-Reply-To: <f7c78ee7-b548-7f04-24da-7321b6c64c97@zytor.com>
On 09/11/2018 23:23, H. Peter Anvin wrote:
> I just noticed this patch -- I missed it because the cover message
> seemed far more harmless so I didn't notice this change.
>
> THIS PATCH IS FATALLY WRONG AND NEEDS TO BE IMMEDIATELY REVERTED BEFORE
> ANYONE STARTS RELYING ON IT; IT HAS THE POTENTIAL OF BREAKING THE
> BOOTLOADER PROTOCOL FOR ALL FUTURE.
It is already broken and this patch tries to repair it.
> It seems to be based on fundamental misconceptions about the various
> data structures in the protocol, and does so in a way that completely
> breaks the way the protocol is designed to work.
>
> The protocol is specifically designed such that fields are not version
> dependencies. The version number is strictly to inform the boot loader
> about which capabilities the kernel has, so that the boot loader can
> know if a certain data field is meaningful and/or honored.
Right. That was where I started in early 2018.
Unfortunately there are many major distros shipping boot loaders which
write crap data past the end of setup_header.
>
>> +Protocol 2.14: (Kernel 4.20) Added acpi_rsdp_addr holding the physical
>> + address of the ACPI RSDP table.
>> + The bootloader updates version with:
>> + 0x8000 | min(kernel-version, bootloader-version)
>> + kernel-version being the protocol version supported by
>> + the kernel and bootloader-version the protocol version
>> + supported by the bootloader.
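Review bot: the changelog entry has the bootloader write 0x8000 | min(kernel-version, bootloader-version) unconditionally, but a kernel reporting less than 2.14 never reads the field back, so in that case the write only changes a value that later loader stages consume. If the write-back is kept, the entry should restrict it to kernels reporting 2.14 or newer, and it should say what the kernel does with acpi_rsdp_addr when the 0x8000 bit is absent, which is exactly the pre-2.14 loader case the change is trying to detect.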
>
> [...]
>
>> **** MEMORY LAYOUT
>>
>> The traditional memory map for the kernel loader, used for Image or
>> @@ -197,6 +209,7 @@ Offset Proto Name Meaning
>> 0258/8 2.10+ pref_address Preferred loading address
>> 0260/4 2.10+ init_size Linear memory required during initialization
>> 0264/4 2.11+ handover_offset Offset of handover entry point
>> +0268/8 2.14+ acpi_rsdp_addr Physical address of RSDP table
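Review bot: the new row puts acpi_rsdp_addr at 0268/8 inside struct setup_header, but every neighbouring row (pref_address, init_size, handover_offset) is data the kernel image provides and the loader copies, whereas this field is the reverse: zero in the image and filled in by the loader. A loader-supplied, zero-initialised field is what struct boot_params is for, and it would take 8 of the 24 bytes left in the header. Suggest moving it to struct boot_params; if it must stay here for now, mark the row as written by the bootloader in the Meaning column so readers do not treat it like the 2.10+/2.11+ rows above it.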
>
> NO.
>
> That is not how struct setup_header works, nor does this belong here.
>
> struct setup_header contains *initialized data*, and has a length byte
> at offset 0x201. The bootloader is responsible for copying the full
> structure into the appropriate offset (0x1f1) in struct boot_params.
Yes, but some boot loaders copy more than that clobbering initialized
kernel data (like in my case acpi_rsdp_addr).
> The length byte isn't actually a requirement, since the maximum possible
> size of this structure is 144 bytes, and the kernel will (obviously) not
> look at the older fields anyway, but it is good practice. The kernel or
> any other entity is free to zero out the bytes past this length pointer.
>
> There are only 24 bytes left in this structure, and this would occupy 8
> of them for no valid reason. The *only* valid reason to put a
> zero-initialized field in struct setup_header is if it used by the
> 16-bit legacy BIOS boot, which is obviously not the case here.
>
> This field thus belongs in struct boot_params, not struct setup_header.
Okay, I can change that. Hoping that all boot loaders really write
zeroes to that field in case they don't know it.
>> @@ -317,6 +330,12 @@ Protocol: 2.00+
>> e.g. 0x0204 for version 2.04, and 0x0a11 for a hypothetical version
>> 10.17.
>>
>> + Up to protocol version 2.13 this information is only read by the
>> + bootloader. From protocol version 2.14 onwards the bootloader will
>> + write the used protocol version ored with 0x8000 to the field. The
>> + used protocol version will be the minimum of the supported protocol
>> + versions of the bootloader and the kernel.
>> +
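Review bot: "ored" should read "ORed", and the paragraph leaves two things undefined that every reader of the version field needs. First, comparisons like the 0x0204 / 0x0a11 examples above must mask off 0x8000 first, otherwise a loader stage that compares the raw value sees 0x820e rather than 0x020e for 2.14. Second, it does not say what the kernel does when the 0x8000 bit is missing. Either state that the kernel ignores acpi_rsdp_addr unless the bit is set, or drop the write-back and rely on the zero-initialised boot_params fields the rest of this document already requires.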
>
> Again, this is completely wrong. The version number is communication to
> the bootloader, which may end up going through multiple stages.
> Modifying this field breaks this invariant in a not-very-subtle way.
>
> Fields in struct setup_header are to be initialized from the image
> provided in the kernel header.
>
> Fields in struct boot_params are to be initialized to zero.
See above. grub2 in Debian, RHEL, ... doesn't do that reliably.
> There is a field called "sentinel" which attempts to detect broken
> bootloaders which do not do this correctly; however, when enabling new
> bootloaders the Right Thing to do is to make sure they adhere to the
> protocol as defined, rather than pushing a new hack onto the kernel.
>
> Thus:
>
> 1. Please revert this patch immediately, and destroy any boot loaders
> which try to implement this.
> 2. Add the acpi_rsdp_addr to struct boot_params.
> 3. DO NOT modify the boot protocol version header field. Instead
> make sure that the bootloader follows the protocol and zeroes
> all unknown fields in struct boot_params.
How can I do this for boot loaders shipped for several years?
> 4. Possibly make the kernel panic if it notices that the boot version
> header has been mucked with, in case some of these boot loaders
> have already escaped into the field.
So don't let a new kernel boot from a disk with above grub2?
I don't think so.
Juergen
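The checks this thread turns on, as an added example in user-space C; it is my code, not code from the thread, the kernel or any bootloader. It models three loaders filling a struct boot_params page from a constructed 2.13 kernel image and the kernel deciding whether a loader-supplied acpi_rsdp_addr can be trusted. Facts taken from the boot protocol: setup_header starts at 0x1f1, the rel8 of the jmp at 0x200 (the "length byte at offset 0x201" above) gives the header size, the version word is at 0x206, the header can be at most 144 bytes, and the sentinel byte at 0x1ef holds 0xff in the kernel image so that a loader which copies the image wholesale instead of zeroing boot_params is detectable. Assumptions made only for the example: the acpi_rsdp_addr slot is placed at boot_params offset 0x070 (hpa asks for boot_params but names no offset), the 2.13 header ends at 0x268 right after handover_offset, and the RSDP address 0x7fffd000 is a constructed value.

```c
/* Added example (not code from the thread, the kernel or any bootloader):
 * loaders filling struct boot_params, and the kernel-side trust decision.
 * Build and run: cc -std=c11 -Wall -o bpcheck bpcheck.c && ./bpcheck */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BP_SIZE      4096        /* struct boot_params occupies one 4 KiB page */
#define SENTINEL_OFF 0x1ef       /* boot_params.sentinel; the kernel image holds 0xff here */
#define HDR_OFF      0x1f1       /* struct setup_header starts here */
#define JUMP_OFF     0x201       /* rel8 of the jmp at 0x200; its target is the header end */
#define VERSION_OFF  0x206       /* 16-bit protocol version, little endian */
#define HDR_MAX      144         /* largest possible setup_header */
#define RSDP_OFF     0x070       /* ASSUMED boot_params slot for acpi_rsdp_addr */
#define SAMPLE_RSDP  0x7fffd000ULL /* constructed RSDP physical address */

enum loader_kind { LOADER_GOOD, LOADER_SLOPPY, LOADER_OVERCOPY };
struct kernel_view { uint64_t rsdp; int overcopied; uint16_t version; };

/* Header size per the protocol: the jmp rel8 at 0x200 targets the header end. */
size_t setup_header_len(const uint8_t *page)
{
    size_t len = 0x202 + page[JUMP_OFF] - HDR_OFF;
    return len > HDR_MAX ? HDR_MAX : len;
}

uint16_t protocol_version(const uint8_t *bp)
{
    return (uint16_t)(bp[VERSION_OFF] | (bp[VERSION_OFF + 1] << 8));
}

/* Constructed image head: a 2.13 header ending at 0x268; 0xff elsewhere stands
 * in for the boot sector stub, the sentinel bytes and real code. */
static void make_image(uint8_t *img)
{
    memset(img, 0xff, BP_SIZE);
    memset(img + HDR_OFF, 0, 0x268 - HDR_OFF);
    img[0x200] = 0xeb;                      /* jmp rel8 */
    img[JUMP_OFF] = 0x268 - 0x202;
    memcpy(img + 0x202, "HdrS", 4);         /* header magic */
    img[VERSION_OFF] = 0x0d;                /* 0x020d = 2.13 */
    img[VERSION_OFF + 1] = 0x02;
}

/* GOOD: zero the page, copy only the declared header, fill the owned field.
 * OVERCOPY: as GOOD but copies the 144-byte maximum, so image code lands past 0x268.
 * SLOPPY: copies the image page wholesale and knows nothing about acpi_rsdp_addr. */
void build_boot_params(enum loader_kind k, uint8_t *bp)
{
    static uint8_t img[BP_SIZE];
    uint64_t rsdp = SAMPLE_RSDP;
    make_image(img);
    if (k == LOADER_SLOPPY) {
        memcpy(bp, img, BP_SIZE);
        return;
    }
    memset(bp, 0, BP_SIZE);
    memcpy(bp + HDR_OFF, img + HDR_OFF,
           k == LOADER_GOOD ? setup_header_len(img) : HDR_MAX);
    memcpy(bp + RSDP_OFF, &rsdp, sizeof rsdp);
}

/* Non-zero bytes between the declared header end and the 144-byte maximum
 * mean the loader copied more than the header it was given. */
int header_overcopied(const uint8_t *bp)
{
    for (size_t i = HDR_OFF + setup_header_len(bp); i < HDR_OFF + HDR_MAX; i++)
        if (bp[i] != 0)
            return 1;
    return 0;
}

/* Kernel side: a non-zero sentinel means boot_params was never zeroed, so
 * every loader-owned field is suspect; report 0 ("not provided"). */
uint64_t trusted_rsdp_addr(const uint8_t *bp)
{
    uint64_t v;
    if (bp[SENTINEL_OFF] != 0)
        return 0;
    memcpy(&v, bp + RSDP_OFF, sizeof v);
    return v;
}

struct kernel_view kernel_view_of(enum loader_kind k)
{
    uint8_t bp[BP_SIZE];
    build_boot_params(k, bp);
    return (struct kernel_view){ trusted_rsdp_addr(bp), header_overcopied(bp),
                                 protocol_version(bp) };
}

int main(void)
{
    for (int k = LOADER_GOOD; k <= LOADER_OVERCOPY; k++) {
        struct kernel_view v = kernel_view_of(k);
        printf("loader %d: acpi_rsdp_addr=%#llx overcopied=%d version=%#x\n",
               k, (unsigned long long)v.rsdp, v.overcopied, v.version);
    }
    return 0;
}
```

The sentinel catches the loader that never zeroes the page, and that is the only case in which the kernel refuses the field. The over-copying loader is flagged by the trailing-bytes scan but its acpi_rsdp_addr is still usable, because the field lives in boot_params rather than in the header window it clobbered; that is the practical difference between the two placements argued over above. Nothing here masks or rewrites the version word: both loaders leave 0x020d exactly as the image supplied it.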
Thread overview: 19+ messages
2018-10-10 6:14 [PATCH v5 0/3] x86: make rsdp address accessible via boot params Juergen Gross
2018-10-10 6:14 ` [PATCH v5 1/3] x86/xen: fix boot loader version reported for pvh guests Juergen Gross
2018-10-10 6:14 ` [PATCH v5 2/3] x86/boot: add acpi rsdp address to setup_header Juergen Gross
2018-11-09 22:23 ` PLEASE REVERT URGENTLY: " H. Peter Anvin
2018-11-10 0:38 ` H. Peter Anvin
2018-11-10 6:26 ` Juergen Gross [this message]
2018-11-10 6:32 ` H. Peter Anvin
2018-11-10 7:02 ` Juergen Gross
2018-11-10 7:16 ` H. Peter Anvin
2018-11-10 9:03 ` Juergen Gross
2018-11-11 18:49 ` H. Peter Anvin
2018-11-19 16:48 ` Konrad Rzeszutek Wilk
2018-11-10 15:22 ` Juergen Gross
2018-11-11 23:58 ` hpa
2018-10-10 6:14 ` [PATCH v5 3/3] x86/acpi: take rsdp address for boot params if available Juergen Gross
2018-10-10 6:23 ` [PATCH v5 0/3] x86: make rsdp address accessible via boot params Ingo Molnar
2018-10-10 6:39 ` Juergen Gross
2018-10-10 7:19 ` Ingo Molnar
2018-10-10 7:28 ` Juergen Gross