[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] x86/loader: only patch linux kernels
|
From: |
Michael S. Tsirkin |
|
Subject: |
Re: [PATCH] x86/loader: only patch linux kernels |
|
Date: |
Wed, 10 Apr 2024 03:26:29 -0400 |
On Wed, Apr 10, 2024 at 09:21:26AM +0200, Gerd Hoffmann wrote:
> If the binary loaded via -kernel is *not* a linux kernel (in which
> case protocol == 0), do not patch the linux kernel header fields.
>
> It's (a) pointless and (b) might break binaries by random patching
> and (c) changes the binary hash which in turn breaks secure boot
> verification.
>
> Background: OVMF happily loads and runs not only linux kernels but
> any efi binary via direct kernel boot.
>
> Note: Breaking the secure boot verification is a problem for linux
> kernels too, but fixed that is left for another day ...
Um we kind of care about Linux ;)
What's the plan? I suspect we should just add a command line flag
to skip patching? And once we do that, it seems safer to just
always rely on the flag?
> Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
> ---
> hw/i386/x86.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/hw/i386/x86.c b/hw/i386/x86.c
> index ffbda48917fd..765899eebe43 100644
> --- a/hw/i386/x86.c
> +++ b/hw/i386/x86.c
> @@ -1108,7 +1108,7 @@ void x86_load_linux(X86MachineState *x86ms,
> * kernel on the other side of the fw_cfg interface matches the hash of
> the
> * file the user passed in.
> */
> - if (!sev_enabled()) {
> + if (!sev_enabled() && protocol > 0) {
> memcpy(setup, header, MIN(sizeof(header), setup_size));
> }
>
> --
> 2.44.0