On 8/29/24 05:40, Baoquan He wrote: > Recently, it's reported that kdump kernel is broken during bootup on > SME system when CONFIG_IMA_KEXEC=y. When debugging, I noticed this > can be traced back to commit ("b69a2afd5afc x86/kexec: Carry forward > IMA measurement log on kexec"). Just nobody ever tested it on SME > system when enabling CONFIG_IMA_KEXEC. > > -------------------------------------------------- > ima: No TPM chip found, activating TPM-bypass! > Loading compiled-in module X.509 certificates > Loaded X.509 cert 'Build time autogenerated kernel key: 18ae0bc7e79b64700122bb1d6a904b070fef2656' > ima: Allocated hash algorithm: sha256 > Oops: general protection fault, probably for non-canonical address 0xcfacfdfe6660003e: 0000 [#1] PREEMPT SMP NOPTI > CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.11.0-rc2+ #14 > Hardware name: Dell Inc. PowerEdge R7425/02MJ3T, BIOS 1.20.0 05/03/2023 > RIP: 0010:ima_restore_measurement_list+0xdc/0x420 > Code: ff 48 c7 85 10 ff ff ff 00 00 00 00 48 c7 85 18 ff ff ff 00 00 00 00 48 85 f6 0f 84 09 03 00 00 48 83 fa 17 0f 86 ff 02 00 00 <66> 83 3e 01 49 89 f4 0f 85 90 94 7d 00 48 83 7e 10 ff 0f 84 74 94 > RSP: 0018:ffffc90000053c80 EFLAGS: 00010286 > RAX: 0000000000000000 RBX: ffffc90000053d03 RCX: 0000000000000000 > RDX: e48066052d5df359 RSI: cfacfdfe6660003e RDI: cfacfdfe66600056 > RBP: ffffc90000053d80 R08: 0000000000000000 R09: ffffffff82de1a88 > R10: ffffc90000053da0 R11: 0000000000000003 R12: 00000000000001a4 > R13: ffffc90000053df0 R14: 0000000000000000 R15: 0000000000000000 > FS: 0000000000000000(0000) GS:ffff888040200000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f2c744050e8 CR3: 000080004110e000 CR4: 00000000003506b0 > Call Trace: > <TASK> > ? show_trace_log_lvl+0x1b0/0x2f0 > ? show_trace_log_lvl+0x1b0/0x2f0 > ? ima_load_kexec_buffer+0x6e/0xf0 > ? __die_body.cold+0x8/0x12 > ? die_addr+0x3c/0x60 > ? exc_general_protection+0x178/0x410 > ? asm_exc_general_protection+0x26/0x30 > ? ima_restore_measurement_list+0xdc/0x420 > ? vprintk_emit+0x1f0/0x270 > ? ima_load_kexec_buffer+0x6e/0xf0 > ima_load_kexec_buffer+0x6e/0xf0 > ima_init+0x52/0xb0 > ? __pfx_init_ima+0x10/0x10 > init_ima+0x26/0xc0 > ? __pfx_init_ima+0x10/0x10 > do_one_initcall+0x5b/0x300 > do_initcalls+0xdf/0x100 > ? __pfx_kernel_init+0x10/0x10 > kernel_init_freeable+0x147/0x1a0 > kernel_init+0x1a/0x140 > ret_from_fork+0x34/0x50 > ? __pfx_kernel_init+0x10/0x10 > ret_from_fork_asm+0x1a/0x30 > </TASK> > Modules linked in: > ---[ end trace 0000000000000000 ]--- > RIP: 0010:ima_restore_measurement_list+0xdc/0x420 > Code: ff 48 c7 85 10 ff ff ff 00 00 00 00 48 c7 85 18 ff ff ff 00 00 00 00 48 85 f6 0f 84 09 03 00 00 48 83 fa 17 0f 86 ff 02 00 00 <66> 83 3e 01 49 89 f4 0f 85 90 94 7d 00 48 83 7e 10 ff 0f 84 74 94 > RSP: 0018:ffffc90000053c80 EFLAGS: 00010286 > RAX: 0000000000000000 RBX: ffffc90000053d03 RCX: 0000000000000000 > RDX: e48066052d5df359 RSI: cfacfdfe6660003e RDI: cfacfdfe66600056 > RBP: ffffc90000053d80 R08: 0000000000000000 R09: ffffffff82de1a88 > R10: ffffc90000053da0 R11: 0000000000000003 R12: 00000000000001a4 > R13: ffffc90000053df0 R14: 0000000000000000 R15: 0000000000000000 > FS: 0000000000000000(0000) GS:ffff888040200000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 00007f2c744050e8 CR3: 000080004110e000 CR4: 00000000003506b0 > Kernel panic - not syncing: Fatal exception > Kernel Offset: disabled > Rebooting in 10 seconds.. > > From debugging printing, the stored addr and size of ima_kexec buffer > are not decrypted correctly like: > ------ > ima: ima_load_kexec_buffer, buffer:0xcfacfdfe6660003e, size:0xe48066052d5df359 > ------ > > There are three pieces of setup_data info passed to kexec/kdump kernel: > SETUP_EFI, SETUP_IMA and SETUP_RNG_SEED. However, among them, only > ima_kexec buffer suffered from the incorrect decryption. After > debugging, it's because of the code bug in early_memremap_is_setup_data() > where checking the embedded content inside setup_data takes wrong range > calculation. > > The length of efi data, rng_seed and ima_kexec are 0x70, 0x20, 0x10, > and the length of setup_data is 0x10. When checking if data is inside > the embedded conent of setup_data, the starting address of efi data and > rng_seed happened to land in the wrong calculated range. While the > ima_kexec's starting address unluckily doesn't pass the checking, then > error occurred. > > Here fix the code bug to make kexec/kdump kernel boot up successfully. > > And also fix the similar buggy code in memremap_is_setup_data() which > are found out during code reviewing. I think you should add something along the lines that the "len" variable in struct setup_data is the length of the "data" field and does not include the size of the struct, which is the reason for the miscalculation. Otherwise: Reviewed-by: Tom Lendacky <thomas.lendacky@xxxxxxx> > > Fixes: b3c72fc9a78e ("x86/boot: Introduce setup_indirect") > Signed-off-by: Baoquan He <bhe@xxxxxxxxxx> > --- > arch/x86/mm/ioremap.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c > index f1ee8822ddf1..4cadc7ef1cb4 100644 > --- a/arch/x86/mm/ioremap.c > +++ b/arch/x86/mm/ioremap.c > @@ -657,7 +657,7 @@ static bool memremap_is_setup_data(resource_size_t phys_addr, > paddr_next = data->next; > len = data->len; > > - if ((phys_addr > paddr) && (phys_addr < (paddr + len))) { > + if ((phys_addr > paddr) && (phys_addr < (paddr + sd_size + len))) { > memunmap(data); > return true; > } > @@ -721,7 +721,7 @@ static bool __init early_memremap_is_setup_data(resource_size_t phys_addr, > paddr_next = data->next; > len = data->len; > > - if ((phys_addr > paddr) && (phys_addr < (paddr + len))) { > + if ((phys_addr > paddr) && (phys_addr < (paddr + sd_size + len))) { > early_memunmap(data, sizeof(*data)); > return true; > } _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec