[PATCH 2/5] x86/loader: only patch linux kernels

Gerd Hoffmann posted 5 patches 1 year, 10 months ago
Maintainers: Eduardo Habkost <eduardo@habkost.net>, Marcel Apfelbaum <marcel.apfelbaum@gmail.com>, "Philippe Mathieu-Daudé" <philmd@linaro.org>, Yanan Wang <wangyanan55@huawei.com>, Paolo Bonzini <pbonzini@redhat.com>, Richard Henderson <richard.henderson@linaro.org>, "Michael S. Tsirkin" <mst@redhat.com>
There is a newer version of this series
[PATCH 2/5] x86/loader: only patch linux kernels
Posted by Gerd Hoffmann 1 year, 10 months ago
If the binary loaded via -kernel is *not* a linux kernel (in which
case protocol == 0), do not patch the linux kernel header fields.

It's (a) pointless and (b) might break binaries by random patching
and (c) changes the binary hash which in turn breaks secure boot
verification.

Background: OVMF happily loads and runs not only linux kernels but
any efi binary via direct kernel boot.

Note: Breaking the secure boot verification is a problem for linux
kernels too, but fixing that is left for another day ...

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
---
 hw/i386/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/hw/i386/x86.c b/hw/i386/x86.c
index ffbda48917fd..765899eebe43 100644
--- a/hw/i386/x86.c
+++ b/hw/i386/x86.c
@@ -1108,7 +1108,7 @@ void x86_load_linux(X86MachineState *x86ms,
      * kernel on the other side of the fw_cfg interface matches the hash of the
      * file the user passed in.
      */
-    if (!sev_enabled()) {
+    if (!sev_enabled() && protocol > 0) {
         memcpy(setup, header, MIN(sizeof(header), setup_size));
     }
 
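Review bot: the comment directly above the condition still gives only the SEV reason for skipping the memcpy (keeping the hash of the kernel on the fw_cfg side equal to the file the user passed in); with `&& protocol > 0` added, the same hash-preserving argument now also covers non-Linux EFI binaries under secure boot, so the comment should be extended to say why protocol == 0 images are left untouched. The commit message also states that the patching still changes the hash of real Linux kernels (protocol > 0), which this guard does not address; a short TODO at the same spot would make that partial fix visible in the code rather than only in the mail.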
-- 
2.44.0
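To make the commit message's point measurable, here is an added example (not QEMU's code): it reads the boot protocol version the way the x86 Linux boot header defines it ("HdrS" at setup offset 0x202, the u16 version at 0x206), applies the same protocol > 0 guard before writing a header field, and uses a stand-in digest to show that a non-Linux image comes through byte-identical while a Linux image does not. The FNV-1a digest, the two 1 KiB sample images and the single patched field (the type_of_loader byte at 0x210) are constructed for this demonstration.

```c
#include <stdint.h>
#include <string.h>

/* x86 Linux boot protocol: "HdrS" magic at setup offset 0x202, u16 protocol
 * version at 0x206. An image without the magic is not a Linux kernel. */
#define HDRS_MAGIC 0x53726448u   /* "HdrS" read as a little-endian u32 */

/* Boot protocol version of the image, or 0 for a non-Linux binary. */
uint16_t boot_protocol(const uint8_t *img, size_t len)
{
    if (len < 0x208) return 0;
    uint32_t magic = img[0x202] | img[0x203] << 8 | img[0x204] << 16 |
                     (uint32_t)img[0x205] << 24;
    return magic == HDRS_MAGIC ? (uint16_t)(img[0x206] | img[0x207] << 8) : 0;
}

/* FNV-1a stands in for the firmware's real digest; it is here only so a
 * change to the image bytes is observable (constructed, not QEMU code). */
uint64_t image_digest(const uint8_t *img, size_t len)
{
    uint64_t h = 0xcbf29ce484222325ull;
    for (size_t i = 0; i < len; i++) h = (h ^ img[i]) * 0x100000001b3ull;
    return h;
}

/* Same guard as the patch: write loader-owned header fields only when the
 * image really is a Linux kernel. Returns 1 if anything was written. */
int patch_header(uint8_t *img, size_t len, uint8_t type_of_loader)
{
    if (boot_protocol(img, len) == 0) return 0;
    img[0x210] = type_of_loader;   /* type_of_loader field at 0x210 */
    return 1;
}

/* Constructed 1 KiB sample images. Result bit 0 = header was patched,
 * bit 1 = digest changed; a non-Linux image must yield 0. */
int run_case(int is_linux)
{
    uint8_t img[0x400] = {0};
    if (is_linux) {
        memcpy(img + 0x202, "HdrS", 4);
        img[0x206] = 0x0f; img[0x207] = 0x02;   /* protocol 2.15 */
    } else {
        img[0] = 'M'; img[1] = 'Z';             /* PE/COFF-style stub */
    }
    uint64_t before = image_digest(img, sizeof img);
    int patched = patch_header(img, sizeof img, 0xb0);
    return patched | (image_digest(img, sizeof img) != before) << 1;
}
```

run_case(0) returns 0 (EFI stub untouched, digest stable) and run_case(1) returns 3 (Linux header patched, digest changed), which is exactly the behaviour the guard is meant to separate.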
Re: [PATCH 2/5] x86/loader: only patch linux kernels
Posted by Michael Tokarev 1 year, 1 month ago
11.04.2024 12:48, Gerd Hoffmann wrote:
> If the binary loaded via -kernel is *not* a linux kernel (in which
> case protocol == 0), do not patch the linux kernel header fields.
> 
> It's (a) pointless and (b) might break binaries by random patching
> and (c) changes the binary hash which in turn breaks secure boot
> verification.
> 
> Background: OVMF happily loads and runs not only linux kernels but
> any efi binary via direct kernel boot.
> 
> Note: Breaking the secure boot verification is a problem for linux
> kernels too, but fixing that is left for another day ...

Shouldn't this one be picked up for -stable?

Thanks,

/mjt

> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
>   hw/i386/x86.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/hw/i386/x86.c b/hw/i386/x86.c
> index ffbda48917fd..765899eebe43 100644
> --- a/hw/i386/x86.c
> +++ b/hw/i386/x86.c
> @@ -1108,7 +1108,7 @@ void x86_load_linux(X86MachineState *x86ms,
>        * kernel on the other side of the fw_cfg interface matches the hash of the
>        * file the user passed in.
>        */
> -    if (!sev_enabled()) {
> +    if (!sev_enabled() && protocol > 0) {
>           memcpy(setup, header, MIN(sizeof(header), setup_size));
>       }
>   


-- 
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E  9D8B E14E 3F2A 9DD7 9199  28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5  6EE1 95D1 886E 8FFB 810D  4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
Re: [PATCH 2/5] x86/loader: only patch linux kernels
Posted by Gerd Hoffmann 1 year, 1 month ago
On Tue, Dec 17, 2024 at 02:09:30PM +0300, Michael Tokarev wrote:
> 11.04.2024 12:48, Gerd Hoffmann wrote:
> > If the binary loaded via -kernel is *not* a linux kernel (in which
> > case protocol == 0), do not patch the linux kernel header fields.
> > 
> > It's (a) pointless and (b) might break binaries by random patching
> > and (c) changes the binary hash which in turn breaks secure boot
> > verification.
> > 
> > Background: OVMF happily loads and runs not only linux kernels but
> > any efi binary via direct kernel boot.
> > 
> > Note: Breaking the secure boot verification is a problem for linux
> > kernels too, but fixing that is left for another day ...
> 
> Shouldn't this one be picked up for -stable?

yes, please.

thanks,
  Gerd