On Wed, 2 Aug 2023 at 17:52, Borislav Petkov <bp@xxxxxxxxx> wrote: > > On Wed, Aug 02, 2023 at 04:55:27PM +0200, Ard Biesheuvel wrote: > > ... because now, entering via startup_32 is broken, given that it only > > maps the kernel image itself and relies on the #PF handling for > > everything else it accesses, including firmware tables. > > > > AFAICT this also means that entering via startup_32 is broken entirely > > for any configuration that enables the cc blob config table check, > > regardless of the platform. > > Lemme brain-dump what Tom and I just talked on IRC. > > That startup_32 entry path for SNP guests was used with old grubs which > used to enter through there and not anymore, reportedly. Which means, > that must've worked at some point but Joerg would know. CCed. > Sadly, not only 'old' grubs - GRUB mainline only recently added support for booting Linux/x86 via the EFI stub (because I wrote the code for them), but it will still fall back to the previous mode for kernels that are built without EFI stub support, or which are older than ~v5.8 (because their EFI stub does not implement the generic EFI initrd loading mechanism) This fallback still appears to enter via startup_32, even when GRUB itself runs in long mode in the context of EFI. > Newer grubs enter through the 64-bit entry point and thus are fine > - otherwise we would be seeing explosions left and right. > Yeah. what seems to be saving our ass here is that startup_32 maps the first 1G of physical address space 4 times, and x86_64 EFI usually puts firmware tables below 4G. This means the cc blob check doesn't fault, but it may dereference bogus memory traversing the config table array looking for the cc blob GUID. However, the system table field holding the size of the array may also appear as bogus so this may still break in weird ways. > So dependent on what we wanna do, if we kill the 32-bit path, we can > kill the 32-bit C-bit verif code. But that's for later and an item on my > TODO list. > I don't think we can kill it yet, but it would be nice if we could avoid the need to support SNP boot when entering that way. _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec