Re: [RFC 0/3] extend kexec_file_load system call

From: Stewart Smith
Date: Wed Jul 13 2016 - 01:00:19 EST

Next message: Manfred Spraul: "[PATCH 1/2] ipc/sem.c: Fix complex_count vs. simple op race"
Previous message: Quick Loans: "Loan Offer"
In reply to: Russell King - ARM Linux: "Re: [RFC 0/3] extend kexec_file_load system call"
Next in thread: Russell King - ARM Linux: "Re: [RFC 0/3] extend kexec_file_load system call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Russell King - ARM Linux <linux@xxxxxxxxxxxxxxx> writes:
> On Tue, Jul 12, 2016 at 10:58:05PM +0200, Petr Tesarik wrote:
>> I'm not an expert on DTB, so I can't provide an example of code
>> execution, but you have already mentioned the /chosen/linux,stdout-path
>> property. If an attacker redirects the bootloader to an insecure
>> console, they may get access to the system that would otherwise be
>> impossible.
>
> I fail to see how kexec connects with the boot loader - the DTB image
> that's being talked about is one which is passed from the currently
> running kernel to the to-be-kexec'd kernel. For ARM (and I suspect
> also ARM64) that's a direct call chain which doesn't involve any
> boot loader or firmware, and certainly none that would involve the
> passed DTB image.

For OpenPOWER machines, kexec is the bootloader. Our bootloader is a
linux kernel and initramfs with a UI (petitboot) - this means we never
have to write a device driver twice: write a kernel one and you're done
(for booting from the device and using it in your OS).

--
Stewart Smith
OPAL Architect, IBM.

Next message: Manfred Spraul: "[PATCH 1/2] ipc/sem.c: Fix complex_count vs. simple op race"
Previous message: Quick Loans: "Loan Offer"
In reply to: Russell King - ARM Linux: "Re: [RFC 0/3] extend kexec_file_load system call"
Next in thread: Russell King - ARM Linux: "Re: [RFC 0/3] extend kexec_file_load system call"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]