Xen project Mailing List

Re: [PATCH 5/7] x86/kexec: Implement new EFI load types

To: Kevin Lampis <kevin.lampis@xxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxxx>

From: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>

Date: Tue, 16 Jun 2026 11:06:11 +0100

Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=citrix.com; dmarc=pass action=none header.from=citrix.com; dkim=pass header.d=citrix.com; arc=none

Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0Vr8TvJcFUITctmFn45gBfgr/LiA73o0VUe/EL6hNrI=; b=BOk9fuIZv7THtPo5uogUEKAZraK0BgBfq2iH/v6bJnOGjWGkhDkZsv515ydBAaXiZnWH5Hs3GchsogC+4/U3XedIga+4+aqCCoKmBHCq/utK4DhfH2yL8rupYZlbT6ODDqDZgYcpOp3afQ8cR401UIJD4HACgR0UtKfztTslnkLJdI0eMxhrRiM4ED8FLhKwmxw22mE3MKru7jdGRYccij8wlwByMm4GFSwhs3ApJ+uA1jW38Cys0gxtloM/gIZjOgAeu/t816P1UZf8Os/kFp9l2wDufual0bhQ+Pe20evv9c24sZc2tb3unSYwhpoEM4JVzmorRbnTGI/hEr06PQ==

Arc-seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=p/THpH4PE77z+/mq7LBXaN+e2BzpvA2gfB4y8O3j2iHKbbemZrrcI+KmPOYXcCueQvfHRUUlvbOChJEJiG5qbm5v7mp5b/8wRKdV6Wsvv+Utef/X9tAGnZkuypwIGA2cKNInVCOzXcODNtsb5HPF/p5JeX87zFh8D4IEifk7eZto+fxwnxYfPTfW4hHCcO2K1CEoV6e3G22cMUfHGkitWz5sx60Ci5gnqRagFBvyIf5FMKP/8ZMZUI6KmQjJ4zJGeH3yHVN0dIbzzm/WQi7Rvl9uzMR2SRn5tnqwXMdC+n+8HHxffb/tuCD2DYx3fbRKXypXmDL+LuK4wFbWYoNdTg==

Authentication-results: eu.smtp.expurgate.cloud; dkim=pass header.s=selector1 header.d=citrix.com header.i="@citrix.com" header.h="From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck"

Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=citrix.com;

Cc: "jbeulich@xxxxxxxx" <jbeulich@xxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, Gerald Elder-Vass <gerald.elder-vass@xxxxxxxxx>

Delivery-date: Tue, 16 Jun 2026 10:06:23 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 6/15/26 8:34 PM, Kevin Lampis wrote:

 >Ok, so here is startup_64, hidden as a magic constant.
 >... you're applying the alignment to the pointer and picking
 >startup_64 out of thin air.

I'm going to be cheeky and play the Linux-does-it-too card.
https://github.com/torvalds/linux/blob/master/arch/x86/kernel/kexec-bzimage64.c#L660

 >Either it was loaded correctly (and the alignment is correct), or it was
 >loaded incorrectly and this is unsafe to do, is it not?

This is what the kernel kexec segment looks like in memory

                                           .- dest_maddr + alignment
    .-dest_maddr                           |
    v                                      v
    +--------------------------------------+--------------------...
    | padding            | real-mode setup | kernel
    +--------------------------------------+--------------------...
0x000000                               0x200000

In the old non-EFI kexec the 16-bit real-mode setup portion is
chopped off by the userspace tools and the segment buffer that Xen
receives is just the "kernel" part. But we need to pass both the
real-mode setup + kernel to kexec_load to pass Secure Boot
verification. And add padding so it straddles a 2M boundary like this.

What the 0x200000 "alignment" variable is doing is skipping over the
real-mode setup and padding.

It won't necessarily be 0x200000 though which is why we need to read
the value from Linux's setup_header->kernel_alignment.

If you're hinting that perhaps userspace should take care of all this
and just tell Xen where startup_64 is then perhaps. That would be a
bigger change we need to get input from Ross on though.

It was done in Xen because there was a concern that letting userspace pass in an arbitrary start address would potentially allow a Secure Boot bypass even if it restricted within the bounds of the kernel image. The patch should probably make it clear that this load type _only_ works for Linux bzImages using the x86 64-bit boot protocol documented at linux/Documentation/arch/x86/boot.rst. I think it needs sanity checks as well to ensure that it has actually been given an x86 bzImage and that the boot protocol version number is as expected. Since it is x86 specific, maybe it wants to move out of common code? Ross

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.