Hi Dave,
On Fri Nov 22, 2024 at 1:03 PM UTC, Dave Young wrote:
> On Wed, 13 Nov 2024 at 02:53, Nicolas Saenz Julienne <nsaenz@amazon.com> wrote:
> > Kexec bypasses EFI's switch to virtual mode. In exchange, it has its own routine, kexec_enter_virtual_mode(), which replays the mappings made by the original kernel. Unfortunately, that function fails to reinstate EFI's memory attributes, which would've otherwise been set after entering virtual mode. Remediate this by calling efi_runtime_update_mappings() within kexec's routine.
>
> In the function __map_region(), there is some playing with the flags, similar to efi_runtime_update_mappings, though it looks a little different. Is this extra callback really necessary?

EFI Memory attributes aren't tracked through `/sys/firmware/efi/runtime-map`, and as such, whatever happens in `__map_region()` after kexec will not honor them.

> Have you seen a real bug happen?

If lowered security posture after kexec counts as a bug, yes. The system remains stable otherwise.

Nicolas