Hi Dave,

On Fri Nov 22, 2024 at 1:03 PM UTC, Dave Young wrote:
> On Wed, 13 Nov 2024 at 02:53, Nicolas Saenz Julienne <nsaenz@xxxxxxxxxx> wrote:
>>
>> Kexec bypasses EFI's switch to virtual mode. In exchange, it has its own
>> routine, kexec_enter_virtual_mode(), which replays the mappings made by
>> the original kernel. Unfortunately, that function fails to reinstate
>> EFI's memory attributes, which would've otherwise been set after
>> entering virtual mode. Remediate this by calling
>> efi_runtime_update_mappings() within kexec's routine.
>
> In the function __map_region(), there are playing with the flags
> similar to the efi_runtime_update_mappings though it looks a little
> different. Is this extra callback really necessary?

EFI Memory attributes aren't tracked through
`/sys/firmware/efi/runtime-map`, and as such, whatever happens in
`__map_region()` after kexec will not honor them.

> Have you seen a real bug happen?

If lowered security posture after kexec counts as a bug, yes. The system
remains stable otherwise.

Nicolas