MOK variable config table: Kernel Panic in SEV-enabled VMs
Hyunwook (Wooky) Baek
baekhw at google.com
Mon Dec 14 20:52:55 UTC 2020
Hello,
We found that SEV-enabled VMs crash with the latest CentOS and RHEL images in
Google Cloud (centos-8-v20201112 and rhel-8-v20201112), because the MOK var
table patch (https://lkml.org/lkml/2020/8/25/1344) is making a #GP with
SEV-enabled VMs, but the patch is backported to those images. It looks like
the patch is also included in the v5.10 release candidate.
The SEV-enabled VMs work fine with the previous RHEL 8 and CentOS 8 images
(centos-8-v20201014 and rhel-8-v20201014).
The following are the kernel log messages that show the VM crashing while
running efi_mokvar_sysfs_init() with the RHEL image (the CentOS kernel log is
almost identical):
[ 1.720049] EFI Variables Facility v0.08 2004-May-17
[ 1.943612] input: AT Translated Set 2 keyboard as
/devices/platform/i8042/serio0/input/input2
[ 2.480607] general protection fault: 0000 [#1] SMP NOPTI
[ 2.481549] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
4.18.0-193.28.1.el8_2.x86_64 #1
[ 2.481549] Hardware name: Google Google Compute Engine/Google
Compute Engine, BIOS Google 01/01/2011
[ 2.481549] RIP: 0010:efi_mokvar_sysfs_init+0xa9/0x19d
[ 2.481549] Code: 4b 00 48 85 c0 0f 85 be 00 00 00 48 c7 c7 d8 a8
12 9b bd f4 ff ff ff e8 a4 ba 73 fe e9 f0 00 00 00 48 85 d2 0f 85 b1
00 00 00 <41> 80 3c 24 00 0f 84 bf 00 00 00 4d 85 e4 0f 84 b6 00 00 00
48 8b
[ 2.481549] RSP: 0018:ffffa6d7c0c67df8 EFLAGS: 00010282
[ 2.481549] RAX: 0df68117d0b79f0b RBX: ffff96fe32837720 RCX: 0000000000000000
[ 2.481549] RDX: ffffa6d7c0c81000 RSI: ffffffff9b3934c0 RDI: ffff96fe32837758
[ 2.481549] RBP: ffffffff9b3934c0 R08: ffffffff9b3934c0 R09: 0000000000000228
[ 2.481549] R10: 0000000000000007 R11: 0000000000000008 R12: 0df627ef917fb013
[ 2.481549] R13: ffffffff9b3934c0 R14: ffffffff9a6b3da0 R15: ffff96fe32837758
[ 2.481549] FS: 0000000000000000(0000) GS:ffff96fe37b00000(0000)
knlGS:0000000000000000
[ 2.481549] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.481549] CR2: 00007f0508d7c000 CR3: 0000800232ff8000 CR4: 0000000000340ee0
[ 2.481549] Call Trace:
[ 2.481549] ? efi_rci2_sysfs_init+0x26d/0x26d
[ 2.481549] ? do_early_param+0x91/0x91
[ 2.481549] do_one_initcall+0x46/0x1c3
[ 2.481549] ? do_early_param+0x91/0x91
[ 2.481549] kernel_init_freeable+0x1af/0x258
[ 2.481549] ? rest_init+0xaa/0xaa
[ 2.481549] kernel_init+0xa/0xff
[ 2.481549] ret_from_fork+0x22/0x40
[ 2.481549] Modules linked in:
[ 2.511520] ---[ end trace 24709f23c20e9cd9 ]---
[ 2.512376] RIP: 0010:efi_mokvar_sysfs_init+0xa9/0x19d
[ 2.513249] Code: 4b 00 48 85 c0 0f 85 be 00 00 00 48 c7 c7 d8 a8
12 9b bd f4 ff ff ff e8 a4 ba 73 fe e9 f0 00 00 00 48 85 d2 0f 85 b1
00 00 00 <41> 80 3c 24 00 0f 84 bf 00 00 00 4d 85 e4 0f 84 b6 00 00 00
48 8b
[ 2.516876] RSP: 0018:ffffa6d7c0c67df8 EFLAGS: 00010282
[ 2.517844] RAX: 0df68117d0b79f0b RBX: ffff96fe32837720 RCX: 0000000000000000
[ 2.519128] RDX: ffffa6d7c0c81000 RSI: ffffffff9b3934c0 RDI: ffff96fe32837758
[ 2.520328] RBP: ffffffff9b3934c0 R08: ffffffff9b3934c0 R09: 0000000000000228
[ 2.521771] R10: 0000000000000007 R11: 0000000000000008 R12: 0df627ef917fb013
[ 2.523025] R13: ffffffff9b3934c0 R14: ffffffff9a6b3da0 R15: ffff96fe32837758
[ 2.524218] FS: 0000000000000000(0000) GS:ffff96fe37b00000(0000)
knlGS:0000000000000000
[ 2.525591] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2.528401] CR2: 00007f0508d7c000 CR3: 0000800232ff8000 CR4: 0000000000340ee0
[ 2.530155] Kernel panic - not syncing: Fatal exception
[ 2.531145] Kernel Offset: 0x19000000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 2.531145] ---[ end Kernel panic - not syncing: Fatal exception ]---
Regards,
Wooky