Re: [PATCHv7 11/14] x86: Disable kexec if system has unaccepted memory

From: Kirill A. Shutemov
Date: Thu Jun 23 2022 - 22:00:19 EST


On Thu, Jun 23, 2022 at 04:48:59PM -0500, Eric W. Biederman wrote:
> Dave Hansen <dave.hansen@xxxxxxxxx> writes:
>
> > ... adding kexec folks
> >
> > On 6/14/22 05:02, Kirill A. Shutemov wrote:
> >> On kexec, the target kernel has to know what memory has been accepted.
> >> Information in EFI map is out of date and cannot be used.
> >>
> >> boot_params.unaccepted_memory can be used to pass the bitmap between two
> >> kernels on kexec, but the use-case is not yet implemented.
> >>
> >> Disable kexec on machines with unaccepted memory for now.
> > ...
> >> +static int __init unaccepted_init(void)
> >> +{
> >> + if (!boot_params.unaccepted_memory)
> >> + return 0;
> >> +
> >> +#ifdef CONFIG_KEXEC_CORE
> >> + /*
> >> + * TODO: Information on memory acceptance status has to be communicated
> >> + * between kernel.
> >> + */
> >> + pr_warn("Disable kexec: not yet supported on systems with unaccepted memory\n");
> >> + kexec_load_disabled = 1;
> >> +#endif
> >
> > This looks to be the *only* in-kernel user tweaking kexec_load_disabled.
> > It doesn't feel great to just be disabling kexec like this. Why not
> > just fix it properly?

Unfortunately, problems with kexec are not limited to the unaccepted
memory. Isaku pointed out that MADT CPU wake is also problematic for
kexec. It doesn't allow CPU offline so secondary kernel will not be able
to wake it up. So additional limitation (as of now) for kexec is !SMP on
TDX guest.

I guess we can implement CPU offlining by going to a loop that checks
mailbox and responds to the command. That loops has to be somehow
protected from being overwritten on kexec.

Other issues may come up as we actually try to implement it.

That's all doable, but feels like a scope creep for unaccepted memory
enabling patchset :/

Is it a must for merge consideration?

> > What do the kexec folks think?
>
> I didn't realized someone had implemented kexec_load_disabled. I am not
> particularly happy about that. It looks like an over-broad stick that
> we will have to support forever.
>
> This change looks like it just builds on that bad decision.
>
> If people don't want to deal with this situation right now, then I
> recommend they make this new code and KEXEC conflict at the Kconfig
> level. That would give serious incentive to adding the missing
> implementation.

I tried to limit KEXEC on Kconfig level before[1]. Naive approach does not work[2]:

WARNING: unmet direct dependencies detected for UNACCEPTED_MEMORY
Depends on [n]: EFI [=y] && EFI_STUB [=y] && !KEXEC_CORE [=y]
Selected by [y]:
- INTEL_TDX_GUEST [=y] && HYPERVISOR_GUEST [=y] && X86_64 [=y] && CPU_SUP_INTEL [=y] && X86_X2APIC [=y]

Maybe my Kconfig-fu is not strong enough, I donno.

[1] https://lore.kernel.org/all/20220425033934.68551-6-kirill.shutemov@xxxxxxxxxxxxxxx
[2] https://lore.kernel.org/all/YnOjJB8h3ZUR9sLX@xxxxxxx

> If there is some deep and fundamental why this can not be supported
> then it probably makes sense to put some code in the arch_kexec_load
> hook that verifies that deep and fundamental reason is present.

Sounds straight-forward. I can do this.

> With the kexec code all we have to verify it works is a little testing
> and careful code review. Something like this makes code review much
> harder because the entire kernel has to be checked to see if some random
> driver without locking changed a variable. Rather than having it
> apparent that this special case exists when reading through the kexec
> code.
>
> Eric
>

--
Kirill A. Shutemov