There are two patches: 1. fix a crypto bug in FIPS mode. 2. Add macro isolation for the memmap detection code
Gaosheng Cui (2): crypto: jitter - change module_init(jent_mod_init) to subsys_initcall(jent_mod_init) efi/libstub: arm64: Add macro isolation memmap detection code
arch/arm64/Kconfig | 7 +++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/arm64/kernel/image-vars.h | 2 ++ arch/arm64/lib/strchr.S | 8 ++++++++ crypto/jitterentropy-kcapi.c | 2 +- drivers/firmware/efi/libstub/arm64-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 4 ++++ drivers/firmware/efi/libstub/efistub.h | 6 +----- drivers/firmware/efi/libstub/string.c | 2 ++ 10 files changed, 30 insertions(+), 6 deletions(-)
From: Gaosheng Cui cuigaosheng1@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1
--------------------------------
The ecdh-nist-p256 algorithm depends on jitterentropy_rng, and when both are built into the kernel, registration must be ordered so that the underlying algorithms are ready before the ones on top of them are registered.
We can enable fips=1 and ecdh, the calltrace like below:
alg: ecdh-nist-p256: test failed on vector 2, err=-14 Kernel panic - not syncing: alg: self-tests for ecdh-generic (ecdh) failed in fips mode! Call Trace: dump_stack+0x57/0x6e panic+0x109/0x2ca alg_test+0x414/0x420 ? __switch_to_asm+0x3a/0x60 ? __switch_to_asm+0x34/0x60 ? __schedule+0x263/0x640 ? crypto_acomp_scomp_free_ctx+0x30/0x30 cryptomgr_test+0x22/0x40 kthread+0xf9/0x130 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30
The module_init(jent_mod_init) is later than subsys_initcall(ecdh_init), so changing module_init(jent_mod_init) to subsys_initcall(jent_mod_init) to fix it.
Fixes: c4741b230597 ("crypto: run initcalls for generic implementations earlier") Signed-off-by: Gaosheng Cui cuigaosheng1@huawei.com --- crypto/jitterentropy-kcapi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/jitterentropy-kcapi.c b/crypto/jitterentropy-kcapi.c
index e8a4165a1874..b1d7b5a6e61c 100644
--- a/crypto/jitterentropy-kcapi.c
+++ b/crypto/jitterentropy-kcapi.c
@@ -214,7 +214,7 @@ static void __exit jent_mod_exit(void)
 crypto_unregister_rng(&jent_alg);
 }
-module_init(jent_mod_init);
+subsys_initcall(jent_mod_init);
 module_exit(jent_mod_exit);
MODULE_LICENSE("Dual BSD/GPL");
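Review bot: `subsys_initcall(jent_mod_init)` now sits at the same initcall level as the `subsys_initcall(ecdh_init)` the message names, so the relative order of the two registrations is decided by link order rather than by initcall level; nothing in the source records why this level was chosen, and a later cleanup could revert it to `module_init` without noticing. A one-line comment above the macro would preserve the intent, e.g. `/* subsys_initcall, not module_init: algorithms that depend on jitterentropy_rng (e.g. ecdh) must find it registered before their FIPS self-tests run */`. Whether the ordering is robust on other link orders is presumably something the author verified; the hunk does not show it.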
From: Gaosheng Cui cuigaosheng1@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I9K8D1
--------------------------------
KASLR randomizes the physical address at which the kernel image is loaded; we check and skip the memory reserved via memmap, and add CONFIG_UEFI_KASLR_SKIP_MEMMAP to isolate the memmap detection code.
Signed-off-by: Gaosheng Cui cuigaosheng1@huawei.com --- arch/arm64/Kconfig | 7 +++++++ arch/arm64/configs/openeuler_defconfig | 1 + arch/arm64/kernel/image-vars.h | 2 ++ arch/arm64/lib/strchr.S | 8 ++++++++ drivers/firmware/efi/libstub/arm64-stub.c | 2 ++ drivers/firmware/efi/libstub/efi-stub-helper.c | 2 ++ drivers/firmware/efi/libstub/efi-stub.c | 4 ++++ drivers/firmware/efi/libstub/efistub.h | 6 +----- drivers/firmware/efi/libstub/string.c | 2 ++ 9 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 273a58b74470..2f8954ef86c6 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -2111,6 +2111,13 @@ config RANDOMIZE_MODULE_REGION_FULL
 a limited range that contains the [_stext, _etext] interval of the
 core kernel, so branch relocations are always in range.
+config UEFI_KASLR_SKIP_MEMMAP
+ bool "Skip the memmap address when randomize the kernel image"
+ depends on RANDOMIZE_BASE
+ default n
+ help
+ Skip the memmap reserved memory when randomize the kernel image.
+
 config CC_HAVE_STACKPROTECTOR_SYSREG
 def_bool $(cc-option,-mstack-protector-guard=sysreg -mstack-protector-guard-reg=sp_el0 -mstack-protector-guard-offset=0)
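Review bot: `default n` on the new UEFI_KASLR_SKIP_MEMMAP entry is redundant, since bool symbols default to n, and checkpatch warns about it; drop that line. The prompt and help text also read awkwardly ("when randomize") and do not say what "the memmap address" is; suggest `bool "Skip memmap-reserved memory when randomizing the kernel image"` with the help line `Do not let KASLR place the kernel image in memory reserved via the memmap= command-line option.`, which is what the efi-stub-helper.c hunk parses.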
diff --git a/arch/arm64/configs/openeuler_defconfig b/arch/arm64/configs/openeuler_defconfig
index cb4f5e03dccd..14e520935ff1 100644
--- a/arch/arm64/configs/openeuler_defconfig
+++ b/arch/arm64/configs/openeuler_defconfig
@@ -543,6 +543,7 @@ CONFIG_ARM64_PSEUDO_NMI=y
 CONFIG_RELOCATABLE=y
 CONFIG_RANDOMIZE_BASE=y
 CONFIG_RANDOMIZE_MODULE_REGION_FULL=y
+CONFIG_UEFI_KASLR_SKIP_MEMMAP=y
 CONFIG_CC_HAVE_STACKPROTECTOR_SYSREG=y
 CONFIG_STACKPROTECTOR_PER_TASK=y
 CONFIG_ASCEND_FEATURES=y
diff --git a/arch/arm64/kernel/image-vars.h b/arch/arm64/kernel/image-vars.h
index 3a68772a63fb..dd9d65840333 100644
--- a/arch/arm64/kernel/image-vars.h
+++ b/arch/arm64/kernel/image-vars.h
@@ -32,7 +32,9 @@ __efistub_strnlen = __pi_strnlen;
 __efistub_strcmp = __pi_strcmp;
 __efistub_strncmp = __pi_strncmp;
 __efistub_strrchr = __pi_strrchr;
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 __efistub_strchr = __pi_strchr;
+#endif
 __efistub___clean_dcache_area_poc = __pi___clean_dcache_area_poc;
 __efistub__text = _text;
diff --git a/arch/arm64/lib/strchr.S b/arch/arm64/lib/strchr.S
index 5893ad8d4484..8ef17a69dfe6 100644
--- a/arch/arm64/lib/strchr.S
+++ b/arch/arm64/lib/strchr.S
@@ -18,7 +18,11 @@
 * Returns:
 * x0 - address of first occurrence of 'c' or 0
 */
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 SYM_FUNC_START_WEAK_PI(strchr)
+#else
+SYM_FUNC_START_WEAK(strchr)
+#endif
 and w1, w1, #0xff
 1: ldrb w2, [x0], #1
 cmp w2, w1
@@ -28,5 +32,9 @@ SYM_FUNC_START_WEAK_PI(strchr)
 cmp w2, w1
 csel x0, x0, xzr, eq
 ret
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 SYM_FUNC_END_PI(strchr)
+#else
+SYM_FUNC_END(strchr)
+#endif
 EXPORT_SYMBOL_NOKASAN(strchr)
diff --git a/drivers/firmware/efi/libstub/arm64-stub.c b/drivers/firmware/efi/libstub/arm64-stub.c
index ae6790218339..8536b6694e36 100644
--- a/drivers/firmware/efi/libstub/arm64-stub.c
+++ b/drivers/firmware/efi/libstub/arm64-stub.c
@@ -15,6 +15,7 @@
#include "efistub.h"
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 #define MAX_MEMMAP_REGIONS 32
 struct mem_vector {
@@ -103,6 +104,7 @@ void free_avoid_memmap(void)
 efi_free(mem_avoid[i].size, mem_avoid[i].start);
 }
 }
+#endif
 efi_status_t check_platform_features(void)
 {
diff --git a/drivers/firmware/efi/libstub/efi-stub-helper.c b/drivers/firmware/efi/libstub/efi-stub-helper.c
index 8670654bf561..38582d1efbb4 100644
--- a/drivers/firmware/efi/libstub/efi-stub-helper.c
+++ b/drivers/firmware/efi/libstub/efi-stub-helper.c
@@ -233,8 +233,10 @@ efi_status_t efi_parse_options(char const *cmdline)
 } else if (!strcmp(param, "video") &&
 val && strstarts(val, "efifb:")) {
 efi_parse_option_graphics(val + strlen("efifb:"));
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 } else if (!strcmp(param, "memmap") && val) {
 efi_parse_option_memmap(val);
+#endif
 } else if (!strcmp(param, "pbha")) {
 efi_pbha = true;
 }
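Review bot: The `#endif` added at the end of free_avoid_memmap() in arm64-stub.c closes an `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` that the hunk headers place roughly 90 lines earlier, with the whole MAX_MEMMAP_REGIONS / struct mem_vector / mem_avoid block in between; kernel style is to tag such a distant close, `#endif /* CONFIG_UEFI_KASLR_SKIP_MEMMAP */`. The nested pair in the string.c hunk (`#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` around `#ifndef __HAVE_ARCH_STRCHR`) ends in two bare `#endif` lines and deserves the same tags so a reader can tell which one closes which.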
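Review bot: Wrapping the `memmap` branch of efi_parse_options() in `#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP` splices a preprocessor conditional into the middle of an if/else-if chain, and the same pattern is repeated around the `mem_avoid_memmap()` and `free_avoid_memmap()` calls in the two efi-stub.c hunks; the only reason those call-site guards are needed is that the efistub.h hunk deletes the three `static inline` no-op stubs that used to sit under `#else`. Keeping the stubs in efistub.h, keyed on the new symbol instead of `CONFIG_ARM64`, would let all three call sites stay unconditional and compile to nothing when the option is off, which is the usual kernel idiom for optional features. With the option off, an unknown `memmap=` option simply falls through to the `pbha` comparison; that is presumably intended but worth a word in the commit message. efi_parse_options() starts and ends outside the hunk.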
si = setup_graphics();
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 mem_avoid_memmap();
+#endif
 status = handle_kernel_image(&image_addr, &image_size, &reserve_addr,
@@ -323,7 +325,9 @@ efi_status_t __efiapi efi_pe_entry(efi_handle_t handle,
 efi_free(image_size, image_addr);
 efi_free(reserve_size, reserve_addr);
 fail_free_screeninfo:
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 free_avoid_memmap();
+#endif
 free_screen_info(si);
 fail_free_cmdline:
 efi_bs_call(free_pool, cmdline_ptr);
diff --git a/drivers/firmware/efi/libstub/efistub.h b/drivers/firmware/efi/libstub/efistub.h
index b823f76bb739..f8d87b210570 100644
--- a/drivers/firmware/efi/libstub/efistub.h
+++ b/drivers/firmware/efi/libstub/efistub.h
@@ -828,14 +828,10 @@ efi_status_t efi_parse_options(char const *cmdline);
void efi_parse_option_graphics(char *option);
-#ifdef CONFIG_ARM64
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 void efi_parse_option_memmap(const char *str);
 void mem_avoid_memmap(void);
 void free_avoid_memmap(void);
-#else
-static inline void efi_parse_option_memmap(const char *str) { }
-static inline void mem_avoid_memmap(void) { }
-static inline void free_avoid_memmap(void) { }
 #endif
 efi_status_t efi_setup_gop(struct screen_info *si, efi_guid_t *proto,
diff --git a/drivers/firmware/efi/libstub/string.c b/drivers/firmware/efi/libstub/string.c
index 006c9f0a8e0c..43cb8ed9f300 100644
--- a/drivers/firmware/efi/libstub/string.c
+++ b/drivers/firmware/efi/libstub/string.c
@@ -114,6 +114,7 @@ long simple_strtol(const char *cp, char **endp, unsigned int base)
 return simple_strtoull(cp, endp, base);
 }
+#ifdef CONFIG_UEFI_KASLR_SKIP_MEMMAP
 #ifndef __HAVE_ARCH_STRCHR
 /**
 * strchr - Find the first occurrence of a character in a string
@@ -131,3 +132,4 @@ char *strchr(const char *s, int c)
 return (char *)s;
 }
 #endif
+#endif