Xen project Mailing List

Re: [PATCH v2 4/6] xen/livepatch: do Xen build-id check earlier

To: Roger Pau Monne <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Date: Wed, 25 Sep 2024 11:21:01 +0100

Autocrypt: addr=andrew.cooper3@xxxxxxxxxx; keydata= xsFNBFLhNn8BEADVhE+Hb8i0GV6mihnnr/uiQQdPF8kUoFzCOPXkf7jQ5sLYeJa0cQi6Penp VtiFYznTairnVsN5J+ujSTIb+OlMSJUWV4opS7WVNnxHbFTPYZVQ3erv7NKc2iVizCRZ2Kxn srM1oPXWRic8BIAdYOKOloF2300SL/bIpeD+x7h3w9B/qez7nOin5NzkxgFoaUeIal12pXSR Q354FKFoy6Vh96gc4VRqte3jw8mPuJQpfws+Pb+swvSf/i1q1+1I4jsRQQh2m6OTADHIqg2E ofTYAEh7R5HfPx0EXoEDMdRjOeKn8+vvkAwhviWXTHlG3R1QkbE5M/oywnZ83udJmi+lxjJ5 YhQ5IzomvJ16H0Bq+TLyVLO/VRksp1VR9HxCzItLNCS8PdpYYz5TC204ViycobYU65WMpzWe LFAGn8jSS25XIpqv0Y9k87dLbctKKA14Ifw2kq5OIVu2FuX+3i446JOa2vpCI9GcjCzi3oHV e00bzYiHMIl0FICrNJU0Kjho8pdo0m2uxkn6SYEpogAy9pnatUlO+erL4LqFUO7GXSdBRbw5 gNt25XTLdSFuZtMxkY3tq8MFss5QnjhehCVPEpE6y9ZjI4XB8ad1G4oBHVGK5LMsvg22PfMJ ISWFSHoF/B5+lHkCKWkFxZ0gZn33ju5n6/FOdEx4B8cMJt+cWwARAQABzSlBbmRyZXcgQ29v cGVyIDxhbmRyZXcuY29vcGVyM0BjaXRyaXguY29tPsLBegQTAQgAJAIbAwULCQgHAwUVCgkI CwUWAgMBAAIeAQIXgAUCWKD95wIZAQAKCRBlw/kGpdefoHbdD/9AIoR3k6fKl+RFiFpyAhvO 59ttDFI7nIAnlYngev2XUR3acFElJATHSDO0ju+hqWqAb8kVijXLops0gOfqt3VPZq9cuHlh IMDquatGLzAadfFx2eQYIYT+FYuMoPZy/aTUazmJIDVxP7L383grjIkn+7tAv+qeDfE+txL4 SAm1UHNvmdfgL2/lcmL3xRh7sub3nJilM93RWX1Pe5LBSDXO45uzCGEdst6uSlzYR/MEr+5Z JQQ32JV64zwvf/aKaagSQSQMYNX9JFgfZ3TKWC1KJQbX5ssoX/5hNLqxMcZV3TN7kU8I3kjK mPec9+1nECOjjJSO/h4P0sBZyIUGfguwzhEeGf4sMCuSEM4xjCnwiBwftR17sr0spYcOpqET ZGcAmyYcNjy6CYadNCnfR40vhhWuCfNCBzWnUW0lFoo12wb0YnzoOLjvfD6OL3JjIUJNOmJy RCsJ5IA/Iz33RhSVRmROu+TztwuThClw63g7+hoyewv7BemKyuU6FTVhjjW+XUWmS/FzknSi dAG+insr0746cTPpSkGl3KAXeWDGJzve7/SBBfyznWCMGaf8E2P1oOdIZRxHgWj0zNr1+ooF /PzgLPiCI4OMUttTlEKChgbUTQ+5o0P080JojqfXwbPAyumbaYcQNiH1/xYbJdOFSiBv9rpt TQTBLzDKXok86M7BTQRS4TZ/ARAAkgqudHsp+hd82UVkvgnlqZjzz2vyrYfz7bkPtXaGb9H4 Rfo7mQsEQavEBdWWjbga6eMnDqtu+FC+qeTGYebToxEyp2lKDSoAsvt8w82tIlP/EbmRbDVn 7bhjBlfRcFjVYw8uVDPptT0TV47vpoCVkTwcyb6OltJrvg/QzV9f07DJswuda1JH3/qvYu0p vjPnYvCq4NsqY2XSdAJ02HrdYPFtNyPEntu1n1KK+gJrstjtw7KsZ4ygXYrsm/oCBiVW/OgU g/XIlGErkrxe4vQvJyVwg6YH653YTX5hLLUEL1NS4TCo47RP+wi6y+TnuAL36UtK/uFyEuPy wwrDVcC4cIFhYSfsO0BumEI65yu7a8aHbGfq2lW251UcoU48Z27ZUUZd2Dr6O/n8poQHbaTd 6bJJSjzGGHZVbRP9UQ3lkmkmc0+XCHmj5WhwNNYjgbbmML7y0fsJT5RgvefAIFfHBg7fTY/i kBEimoUsTEQz+N4hbKwo1hULfVxDJStE4sbPhjbsPCrlXf6W9CxSyQ0qmZ2bXsLQYRj2xqd1 bpA+1o1j2N4/au1R/uSiUFjewJdT/LX1EklKDcQwpk06Af/N7VZtSfEJeRV04unbsKVXWZAk uAJyDDKN99ziC0Wz5kcPyVD1HNf8bgaqGDzrv3TfYjwqayRFcMf7xJaL9xXedMcAEQEAAcLB XwQYAQgACQUCUuE2fwIbDAAKCRBlw/kGpdefoG4XEACD1Qf/er8EA7g23HMxYWd3FXHThrVQ HgiGdk5Yh632vjOm9L4sd/GCEACVQKjsu98e8o3ysitFlznEns5EAAXEbITrgKWXDDUWGYxd pnjj2u+GkVdsOAGk0kxczX6s+VRBhpbBI2PWnOsRJgU2n10PZ3mZD4Xu9kU2IXYmuW+e5KCA vTArRUdCrAtIa1k01sPipPPw6dfxx2e5asy21YOytzxuWFfJTGnVxZZSCyLUO83sh6OZhJkk b9rxL9wPmpN/t2IPaEKoAc0FTQZS36wAMOXkBh24PQ9gaLJvfPKpNzGD8XWR5HHF0NLIJhgg 4ZlEXQ2fVp3XrtocHqhu4UZR4koCijgB8sB7Tb0GCpwK+C4UePdFLfhKyRdSXuvY3AHJd4CP 4JzW0Bzq/WXY3XMOzUTYApGQpnUpdOmuQSfpV9MQO+/jo7r6yPbxT7CwRS5dcQPzUiuHLK9i nvjREdh84qycnx0/6dDroYhp0DFv4udxuAvt1h4wGwTPRQZerSm4xaYegEFusyhbZrI0U9tJ B8WrhBLXDiYlyJT6zOV2yZFuW47VrLsjYnHwn27hmxTC/7tvG3euCklmkn9Sl9IAKFu29RSo d5bD8kMSCYsTqtTfT6W4A3qHGvIDta3ptLYpIAOD2sY3GYq2nf3Bbzx81wZK14JdDDHUX2Rs 6+ahAA==

Cc: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

Delivery-date: Wed, 25 Sep 2024 10:21:14 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 25/09/2024 9:42 am, Roger Pau Monne wrote: > The check against the expected Xen build ID should be done ahead of attempting > to apply the alternatives contained in the livepatch. > > If the CPUID in the alternatives patching data is out of the scope of the > running Xen featureset the BUG() in _apply_alternatives() will trigger thus > bringing the system down. Note the layout of struct alt_instr could also > change between versions. It's also possible for struct exception_table_entry > to have changed format, hence leading to other kind of errors if parsing of > the > payload is done ahead of checking if the Xen build-id matches. > > Move the Xen build ID check as early as possible. To do so introduce a new > check_xen_buildid() function that parses and checks the Xen build-id before > moving the payload. Since the expected Xen build-id is used early to > detect whether the livepatch payload could be loaded, there's no reason to > store it in the payload struct, as a non-matching Xen build-id won't get the > payload populated in the first place. > > Note parse_buildid() has to be slightly adjusted to allow fetching the section > data from the 'data' field instead of the 'load_addr' one: with the Xen build > ID moved ahead of move_payload() 'load_addr' is not yet set when the Xen build > ID check is performed. Also printing the expected Xen build ID has part of > dumping the payload is no longer done, as all loaded payloads would have Xen > build IDs matching the running Xen, otherwise they would have failed to load. > > Fixes: 879615f5db1d ('livepatch: Always check hypervisor build ID upon > livepatch upload') > Signed-off-by: Roger Pau Monné <roger.pau@xxxxxxxxxx> Much nicer. A couple of suggestions. > --- > Changes since v1: > - Do the Xen build-id check even earlier. > --- > xen/common/livepatch.c | 66 +++++++++++++++++++---------- > xen/include/xen/livepatch_payload.h | 1 - > 2 files changed, 44 insertions(+), 23 deletions(-) > > diff --git a/xen/common/livepatch.c b/xen/common/livepatch.c > index 8e61083f23a7..895c425cd5ea 100644 > --- a/xen/common/livepatch.c > +++ b/xen/common/livepatch.c > @@ -448,24 +448,21 @@ static bool section_ok(const struct livepatch_elf *elf, > return true; > } > > -static int xen_build_id_dep(const struct payload *payload) > +static int xen_build_id_dep(const struct livepatch_build_id *expected) > { > const void *id = NULL; > unsigned int len = 0; > int rc; > > - ASSERT(payload->xen_dep.len); > - ASSERT(payload->xen_dep.p); > + ASSERT(expected->len); > + ASSERT(expected->p); > > rc = xen_build_id(&id, &len); > if ( rc ) > return rc; > > - if ( payload->xen_dep.len != len || memcmp(id, payload->xen_dep.p, len) > ) { > - printk(XENLOG_ERR LIVEPATCH "%s: check against hypervisor build-id > failed\n", > - payload->name); > + if ( expected->len != len || memcmp(id, expected->p, len) ) > return -EINVAL; > - } I'd suggest merging this into check_xen_buildid(), which is the single caller and serves the same singular purpose. It removes the ASSERT() (expected is now a local variable), and it helps with some diagnostic improvements. > > return 0; > } > @@ -495,11 +493,44 @@ static int parse_buildid(const struct livepatch_elf_sec > *sec, > return 0; > } > > +static int check_xen_buildid(const struct livepatch_elf *elf) > +{ > + struct livepatch_build_id id; > + const struct livepatch_elf_sec *sec = > + livepatch_elf_sec_by_name(elf, ELF_LIVEPATCH_XEN_DEPENDS); > + int rc; > + > + if ( !sec ) > + { > + printk(XENLOG_ERR LIVEPATCH "%s: %s is missing\n", "%s: Section: '%s' missing\n". (Maybe no single quotes around the section as we know it's non-empty.) > + elf->name, ELF_LIVEPATCH_XEN_DEPENDS); > + return -EINVAL; > + } > + > + rc = parse_buildid(sec, &id); > + if ( rc ) > + { > + printk(XENLOG_ERR LIVEPATCH "%s: failed to parse build-id at %s: > %d\n", "%s: Failed to parse section '%s' as build id: %d\n". > + elf->name, ELF_LIVEPATCH_XEN_DEPENDS, rc); > + return -EINVAL; > + } > + > + rc = xen_build_id_dep(&id); > + if ( rc ) > + { > + printk(XENLOG_ERR LIVEPATCH > + "%s: check against hypervisor build-id failed: %d\n", "%s: build-id mismatch:\n" " livepatch: %*phN\n" " xen: %*phN\n" This needs xen_build_id_dep() inlining in order to have the xen build-id string, but the end result is much more informative. I think I'm happy doing all of this on commit, but it might be a better idea not to. ~Andrew

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.