Hi Jan, All in all the code looks fine to me. Nevertheless I don't think UKI support should be added at the moment. This is because IMHO you basically reinterpret the kexec_file systemcall and thus add a new uapi to the kernel. Once introduced it is extremely hard to remove or change an uapi again. The problem I see is that the spec you based your work on is in such a poor shape that I don't feel comfortable to add any new uapi based on it. For example there are two definitions for the UKI which contradict each other. The dedicated one [1] you have cited earlier and the one in the BLS for type #2 entries [2]. In [1] the .linux and .initrd sections are mandatory and the .osrel and .cmdline sections are optional while in [2] it is the other way round. Which definition should the kernel follow? Furthermore, I absolutely don't understand how the spec should be read. All the spec does is defining some file formats. There is no word about which component in the boot chain is supposed to handle them and what exactly this component is supposed to do with it. But that is crucial if we want to add UKI support for kexec as the kexec systemcall will replace the stub. So we need to know what tasks the stub is supposed to perform. Currently this is only some implementation detail of the systemd-stub [3] that can change any moment and I strongly oppose to base any uapi on it. In the end the only benefit this series brings is to extend the signature checking on the whole UKI except of just the kernel image. Everything else can also be done in user space. Compared to the problems described above this is a very small gain for me. Until the spec got fixed I don't see a chance to add UKI support for kexec. Thanks Philipp [1] https://uapi-group.org/specifications/specs/unified_kernel_image/ [2] https://uapi-group.org/specifications/specs/boot_loader_specification/#type-2-efi-unified-kernel-images [3] https://www.freedesktop.org/software/systemd/man/systemd-stub.html On Mon, 11 Sep 2023 07:25:33 +0200 Jan Hendrik Farr <kernel@xxxxxxxx> wrote: > Hello, > > this patch (v2) implements UKI support for kexec_file_load. It will require > support in the kexec-tools userspace utility. For testing purposes the > following can be used: https://github.com/Cydox/kexec-test/ > > Creating UKIs for testing can be done with ukify (included in systemd), > sbctl, and mkinitcpio, etc. > > There has been discussion on this topic in an issue on GitHub that is linked > below for reference. > > Changes for v2: > - .cmdline section is now optional > - moving pefile_parse_binary is now in a separate commit for clarity > - parse_pefile.c is now in /lib instead of arch/x86/kernel (not sure if > this is the best location, but it definetly shouldn't have been in an > architecture specific location) > - parse_pefile.h is now in include/kernel instead of architecture > specific location > - if initrd or cmdline is manually supplied EPERM is returned instead of > being silently ignored > - formatting tweaks > > > Some links: > - Related discussion: https://github.com/systemd/systemd/issues/28538 > - Documentation of UKIs: https://uapi-group.org/specifications/specs/unified_kernel_image/ > > Jan Hendrik Farr (2): > move pefile_parse_binary to its own file > x86/kexec: UKI support > > arch/x86/include/asm/kexec-uki.h | 7 ++ > arch/x86/kernel/Makefile | 1 + > arch/x86/kernel/kexec-uki.c | 126 +++++++++++++++++++++++++ > arch/x86/kernel/machine_kexec_64.c | 2 + > crypto/asymmetric_keys/mscode_parser.c | 2 +- > crypto/asymmetric_keys/verify_pefile.c | 110 +++------------------ > crypto/asymmetric_keys/verify_pefile.h | 16 ---- > include/linux/parse_pefile.h | 32 +++++++ > lib/Makefile | 3 + > lib/parse_pefile.c | 109 +++++++++++++++++++++ > 10 files changed, 292 insertions(+), 116 deletions(-) > create mode 100644 arch/x86/include/asm/kexec-uki.h > create mode 100644 arch/x86/kernel/kexec-uki.c > create mode 100644 include/linux/parse_pefile.h > create mode 100644 lib/parse_pefile.c > _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec
