Re: [PATCH v4 06/26] x86/boot: Setup memory protection for bzImage code

From: Evgeniy Baskov
Date: Wed Mar 08 2023 - 11:15:27 EST


On 2023-03-08 13:47, Ard Biesheuvel wrote:
On Thu, 15 Dec 2022 at 13:38, Evgeniy Baskov <baskov@xxxxxxxxx> wrote:

Use previously added code to use 4KB pages for mapping. Map compressed
and uncompressed kernel with appropriate memory protection attributes.
For compressed kernel set them up manually. For uncompressed kernel
use flags specified in ELF header.

Tested-by: Mario Limonciello <mario.limonciello@xxxxxxx>
Tested-by: Peter Jones <pjones@xxxxxxxxxx>
Signed-off-by: Evgeniy Baskov <baskov@xxxxxxxxx>


This patch breaks the 'nokaslr' command line option (at least with
SeaBIOS) unless I apply the hunk below:


Oh, I didn't think of that option.. Thanks!
I will also add the check to the identity mapping,
so the warning won't be emitted with 'nokaslr'.


--- a/arch/x86/boot/compressed/misc.c
+++ b/arch/x86/boot/compressed/misc.c
@@ -329,7 +329,8 @@ static size_t parse_elf(void *output, unsigned
long output_len,

handle_relocations(output, output_len, virt_addr);

- if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE))
+ if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE) ||
+ cmdline_find_option_bool("nokaslr"))
goto skip_protect;

for (i = 0; i < ehdr.e_phnum; i++) {
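Review bot: the widened condition before "goto skip_protect" in parse_elf() has no comment explaining why 'nokaslr' must skip the per-segment protection loop, and it repeats the test that the extract_kernel() hunk also open-codes. The only rationale visible is the "input and output regions may overlap" comment at the other site. Suggest adding a short comment here and moving the test into one small helper used by both sites, so that the decision to skip applying the ELF segment flags and the decision to add MAP_EXEC to the mapping cannot drift apart.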
@@ -481,8 +482,10 @@ asmlinkage __visible void *extract_kernel(void
*rmode, memptr heap,
* If KASLR is disabled input and output regions may overlap.
* In this case we need to map region excutable as well.
*/
- unsigned long map_flags = MAP_ALLOC | MAP_WRITE |
- (IS_ENABLED(CONFIG_RANDOMIZE_BASE) ? 0 : MAP_EXEC);
+ unsigned long map_flags = MAP_ALLOC | MAP_WRITE;
+ if (!IS_ENABLED(CONFIG_RANDOMIZE_BASE) ||
+ cmdline_find_option_bool("nokaslr"))
+ map_flags |= MAP_EXEC;
phys_addr = kernel_add_identity_map(phys_addr,
phys_addr + needed_size,
map_flags);
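Review bot: in extract_kernel(), MAP_EXEC is now added on top of MAP_WRITE whenever 'nokaslr' is on the command line, although the comment above only says the regions "may overlap", so the whole range ends up writable and executable even when input and output do not actually overlap. Consider keying the flag on an actual overlap check, or extend the comment to state that the W+X mapping is accepted for every 'nokaslr' boot. On style, the new "if" follows the map_flags declaration with no blank line between them, and the condition is a copy of the one in parse_elf(); a shared helper would keep the two in step.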