Fwd: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
From: 黄杰
Date: Mon Jul 25 2022 - 08:56:37 EST
---------- Forwarded message ---------
发件人: Albert Huang <huangjie.albert@xxxxxxxxxxxxx>
Date: 2022年7月25日周一 16:40
Subject: [PATCH 2/4] kexec: add CONFING_KEXEC_PURGATORY_SKIP_SIG
To:
Cc: huangjie.albert <huangjie.albert@xxxxxxxxxxxxx>, Thomas Gleixner
<tglx@xxxxxxxxxxxxx>, Ingo Molnar <mingo@xxxxxxxxxx>, Borislav Petkov
<bp@xxxxxxxxx>, Dave Hansen <dave.hansen@xxxxxxxxxxxxxxx>,
<x86@xxxxxxxxxx>, H. Peter Anvin <hpa@xxxxxxxxx>, Eric Biederman
<ebiederm@xxxxxxxxxxxx>, Masahiro Yamada <masahiroy@xxxxxxxxxx>,
Michal Marek <michal.lkml@xxxxxxxxxxx>, Nick Desaulniers
<ndesaulniers@xxxxxxxxxx>, Kirill A. Shutemov
<kirill.shutemov@xxxxxxxxxxxxxxx>, Brijesh Singh
<brijesh.singh@xxxxxxx>, Michael Roth <michael.roth@xxxxxxx>, Nathan
Chancellor <nathan@xxxxxxxxxx>, Kuppuswamy Sathyanarayanan
<sathyanarayanan.kuppuswamy@xxxxxxxxxxxxxxx>, Ard Biesheuvel
<ardb@xxxxxxxxxx>, Peter Zijlstra <peterz@xxxxxxxxxxxxx>, Sean
Christopherson <seanjc@xxxxxxxxxx>, Joerg Roedel <jroedel@xxxxxxx>,
Mark Rutland <mark.rutland@xxxxxxx>, Kees Cook
<keescook@xxxxxxxxxxxx>, <linux-kernel@xxxxxxxxxxxxxxx>,
<kexec@xxxxxxxxxxxxxxxxxxx>, <linux-kbuild@xxxxxxxxxxxxxxx>
From: "huangjie.albert" <huangjie.albert@xxxxxxxxxxxxx>
the verify_sha256_digest may cost 300+ ms in my test environment:
bzImage: 53M initramfs:28M
We can add a macro to control whether to enable this check. If we
can confirm that the data in this will not change, we can turn off
the check and get a faster startup.
Signed-off-by: huangjie.albert <huangjie.albert@xxxxxxxxxxxxx>
---
arch/x86/Kconfig | 9 +++++++++
arch/x86/purgatory/purgatory.c | 7 +++++++
2 files changed, 16 insertions(+)
diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
index 52a7f91527fe..adbd3a2bd60f 100644
--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2052,6 +2052,15 @@ config KEXEC_BZIMAGE_VERIFY_SIG
help
Enable bzImage signature verification support.
+config KEXEC_PURGATORY_SKIP_SIG
+ bool "skip kexec purgatory signature verification"
+ depends on ARCH_HAS_KEXEC_PURGATORY
+ help
+ this options makes the kexec purgatory do not signature verification
+ which would get hundreds of milliseconds saved during kexec
boot. If we can
+ confirm that the data of each segment loaded by kexec will
not change we may
+ enable this option
+
config CRASH_DUMP
bool "kernel crash dumps"
depends on X86_64 || (X86_32 && HIGHMEM)
diff --git a/arch/x86/purgatory/purgatory.c b/arch/x86/purgatory/purgatory.c
index 7558139920f8..b3f15774d86d 100644
--- a/arch/x86/purgatory/purgatory.c
+++ b/arch/x86/purgatory/purgatory.c
@@ -20,6 +20,12 @@ u8 purgatory_sha256_digest[SHA256_DIGEST_SIZE]
__section(".kexec-purgatory");
struct kexec_sha_region purgatory_sha_regions[KEXEC_SEGMENT_MAX]
__section(".kexec-purgatory");
+#ifdef CONFIG_KEXEC_PURGATORY_SKIP_SIG
+static int verify_sha256_digest(void)
+{
+ return 0;
+}
+#else
static int verify_sha256_digest(void)
{
struct kexec_sha_region *ptr, *end;
@@ -39,6 +45,7 @@ static int verify_sha256_digest(void)
return 0;
}
+#endif
void purgatory(void)
{
--
2.31.1