mbox series

[RFC,0/4] efi/zboot: Encapsulate ELF image for arm64

Message ID 20241218150316.1583806-6-ardb+git@google.com
Headers show
Series efi/zboot: Encapsulate ELF image for arm64 | expand

Message

Ard Biesheuvel Dec. 18, 2024, 3:03 p.m. UTC 
From: Ard Biesheuvel <ardb@kernel.org>

The EFI zboot image format was introduced to provide a way to distribute
an EFI bootable image for architectures such as arm64, RISC-V and
Loongarch supporting both compression and EFI secure boot signing.

To make this format easy to digest for other consumers than EFI firmware
(e.g., qemu or kexec), the file header describes the compression type
and the offset and size of the compressed image inside the file.
Additional metadata of the payload is currently injected using ELF
symbols (currently, the size of the executable image's code region on
arm64), but this information is not accessible to other consumers unless
it is exposed either via the header, or via the payload itself.

It would be better to have a structured format inside the container, so
that any annotation can be added without the need to tweak the EFI zboot
header layout. On x86, the legacy decompressor encapsulates an ELF
image, so that ELF notes can be used for arbitrary metadata, and this
is heavily used by Xen.

Let's implement something similar for the generic EFI zboot format. This
removes the need for per-arch hacks to inject symbols, and makes a
future alignment of EFI zboot with x86 more feasible as well.

So switch to the ELF format for the EFI zboot payload, but implement it
in such a way that decompressing the entire ELF image is unnecessary.
Instead, decompress the ELF file header and program headers first, and
discard any file data that is not covered by a PT_LOAD program header
(and therefore not part of the executable's memory image).

The latter approach permits EFI zboot to be used with unstripped ELF
binaries, making EFI zboot suitable for future use as a hybrid bootable
image and debug symbol library for the running kernel.

Cc: Jeremy Linton <jeremy.linton@arm.com>
Cc: Gerd Hoffmann <kraxel@redhat.com>
Cc: Pingfan Liu <piliu@redhat.com>
Cc: Dave Young <dyoung@redhat.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Kees Cook <kees@kernel.org>

Ard Biesheuvel (4):
  efi/libstub: Avoid legacy decompressor zlib/zstd wrappers
  efi/zboot: Add support for ELF payloads
  arm64/boot: Populate vmlinux ELF program headers
  efi/arm64: Use ELF payload for EFI zboot

 arch/arm64/boot/Makefile                             |   4 -
 arch/arm64/include/asm/efi.h                         |   2 +-
 arch/arm64/kernel/image-vars.h                       |   4 -
 arch/arm64/kernel/vmlinux.lds.S                      |  33 ++--
 drivers/firmware/efi/libstub/Makefile                |   9 +-
 drivers/firmware/efi/libstub/Makefile.zboot          |   6 +
 drivers/firmware/efi/libstub/arm64-stub.c            |   2 +-
 drivers/firmware/efi/libstub/arm64.c                 |  20 +--
 drivers/firmware/efi/libstub/efistub.h               |   9 ++
 drivers/firmware/efi/libstub/zboot-decompress-gzip.c |  77 ++++++++++
 drivers/firmware/efi/libstub/zboot-decompress-zstd.c |  91 +++++++++++
 drivers/firmware/efi/libstub/zboot-decompress.c      | 161 ++++++++++++++++++++
 drivers/firmware/efi/libstub/zboot.c                 |  58 ++-----
 drivers/firmware/efi/libstub/zboot.lds               |   7 +-
 14 files changed, 391 insertions(+), 92 deletions(-)
 create mode 100644 drivers/firmware/efi/libstub/zboot-decompress-gzip.c
 create mode 100644 drivers/firmware/efi/libstub/zboot-decompress-zstd.c
 create mode 100644 drivers/firmware/efi/libstub/zboot-decompress.c


base-commit: 78d4f34e2115b517bcbfe7ec0d018bbbb6f9b0b8