[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [RFC v1] kexec: Prototype for signature verification within Xen



On Tue, Jan 15, 2019 at 03:15:28PM +0100, Simon Horman wrote:
> On Mon, Jan 14, 2019 at 01:52:07PM -0600, Eric DeVolder wrote:
> > These changes work in conjunction with the signature
> > verification support for Xen I published recently.
> >
> > Prior to this change, kexec supported the following
> > three modes of operation:
> >
> > kexec_load:
> > - unverified loading of kernel into Linux (original mode)
> > - unverified loading of kernel into Xen
> > kexec_file_load (the -s option to kexec):
> > - verified loading of kernel into Linux
> >
> > With the verified loading of a kernel into Linux, the scope
> > of kexec changed drastically as the kernel performs most of
> > the work that kexec previously did; the kernel does so so as
> > to reduce the risk of compromise.
> >
> > For example, the unverified loading of a kernel into Linux
> > involves locating memory within the system to load the
> > various pieces of data (kernel, initramdisk, command line)
> > as well as reserving additional memory such as the first 1MB
> > on x86 for legacy reasons as well as something known as
> > 'purgatory', a trampoline that checks the integrity of the
> > contents of loaded pieces of data, before invoking that
> > loaded kernel. The management of purgatory involves
> > manipulating an embedded ELF purgatory object file to insert
> > a memory hash value, and rewrite a few run-time switches
> > based on kexec command line parameters.
> >
> > By contrast, the verified loading essentially just passes
> > file handles for the kernel, initramdisk, and command line
> > pointer, and the kernel takes care of the rest, by
> > performing all the work that the unverified kexec load would
> > do, but inside the kernel using trusted kernel code.
> >
> > This changeset adds a fourth mode to kexec:
> >
> > - verified loading of kernel into Xen
> >
> > In general, Xen performs the signature verification on the
> > loaded kernel, much as Linux does, but that is where the
> > similarities end.  In the current Xen implementation, no
> > infrastructure is present to support reading from [Linux
> > dom0] file handles, or for manipulating ELF objects. As
> > such, without Xen support for these actions, Xen relies upon
> > kexec to provide these services, which is what this mode
> > does.
> >
> > To achieve this, this mode of operation essentially vectors
> > the verified load for Xen through the non-verified path,
> > which performs all the needed actions for kexec to work, but
> > then makes an adjustment to pass the entire kernel file, not
> > just the loadable portion of the kernel file, to Xen in
> > order to provide the proper image for signature
> > verification.
> >
> > The loading of kexec images for signature verification for
> > Xen is indicated with the -s switch, just like for Linux.
> >
> > Changes to configure.ac are for detecting whether or not the
> > Xen version supports this kexec_file_load hypercall op.
> >
> > Changes to kexec-bzImage64.c are for recording what the
> > change to the kernel image entry needs to be (the entire
> > kernel file, not just the loadable portion), as well as
> > vectoring kexec_file_load through kexec_load for Xen.
> >
> > Changes to kexec-xen.c are to invoke the new Xen
> > kexec_file_load hypercall op, from kexec_load.
> >
> > Changes to kexec.c are to vector kexec_file_load for Xen
> > throgh kexec_load for Xen, as well as make the correction
> > for passing the complete kernel file to Xen.
> >
> > Signed-off-by: Eric DeVolder <eric.devolder@xxxxxxxxxx>
>
> Thanks Eric,
>
> this looks good to me, aside from one nit below.

Please do not apply this patch. This is an RFC.

Eric, thank you for doing this work.

Daniel

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.