MOK variable config table: Kernel Panic in SEV-enabled VMs

Hyunwook (Wooky) Baek baekhw at google.com
Mon Dec 14 20:52:55 UTC 2020


Hello,

We found SEV-enabled VMs crash with the latest CentOS and Rhel images in Google
Cloud (centos-8-v20201112 and rhel-8-v20201112), because the MOK var table patch
(https://lkml.org/lkml/2020/8/25/1344) is making a #GP with SEV-enabled VMs,
but the patch is backported to those images. It looks like the patch
is also included in
the v5.10 release candidate.

The SEV-enabled VMs work fine with the previous Rhel-8 and Centos-8 images
(centos-8-v20201014 and rhel-8-v20201014).

The following is the kernel log messages that show the VM crashes while
running efi_mokvar_sysfs_init() with the rhel image (the centos kernel log is
almost identical):

[    1.720049] EFI Variables Facility v0.08 2004-May-17
[    1.943612] input: AT Translated Set 2 keyboard as
/devices/platform/i8042/serio0/input/input2
[    2.480607] general protection fault: 0000 [#1] SMP NOPTI
[    2.481549] CPU: 1 PID: 1 Comm: swapper/0 Not tainted
4.18.0-193.28.1.el8_2.x86_64 #1
[    2.481549] Hardware name: Google Google Compute Engine/Google
Compute Engine, BIOS Google 01/01/2011
[    2.481549] RIP: 0010:efi_mokvar_sysfs_init+0xa9/0x19d
[    2.481549] Code: 4b 00 48 85 c0 0f 85 be 00 00 00 48 c7 c7 d8 a8
12 9b bd f4 ff ff ff e8 a4 ba 73 fe e9 f0 00 00 00 48 85 d2 0f 85 b1
00 00 00 <41> 80 3c 24 00 0f 84 bf 00 00 00 4d 85 e4 0f 84 b6 00 00 00
48 8b
[    2.481549] RSP: 0018:ffffa6d7c0c67df8 EFLAGS: 00010282
[    2.481549] RAX: 0df68117d0b79f0b RBX: ffff96fe32837720 RCX: 0000000000000000
[    2.481549] RDX: ffffa6d7c0c81000 RSI: ffffffff9b3934c0 RDI: ffff96fe32837758
[    2.481549] RBP: ffffffff9b3934c0 R08: ffffffff9b3934c0 R09: 0000000000000228
[    2.481549] R10: 0000000000000007 R11: 0000000000000008 R12: 0df627ef917fb013
[    2.481549] R13: ffffffff9b3934c0 R14: ffffffff9a6b3da0 R15: ffff96fe32837758
[    2.481549] FS:  0000000000000000(0000) GS:ffff96fe37b00000(0000)
knlGS:0000000000000000
[    2.481549] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.481549] CR2: 00007f0508d7c000 CR3: 0000800232ff8000 CR4: 0000000000340ee0
[    2.481549] Call Trace:
[    2.481549]  ? efi_rci2_sysfs_init+0x26d/0x26d
[    2.481549]  ? do_early_param+0x91/0x91
[    2.481549]  do_one_initcall+0x46/0x1c3
[    2.481549]  ? do_early_param+0x91/0x91
[    2.481549]  kernel_init_freeable+0x1af/0x258
[    2.481549]  ? rest_init+0xaa/0xaa
[    2.481549]  kernel_init+0xa/0xff
[    2.481549]  ret_from_fork+0x22/0x40
[    2.481549] Modules linked in:
[    2.511520] ---[ end trace 24709f23c20e9cd9 ]---
[    2.512376] RIP: 0010:efi_mokvar_sysfs_init+0xa9/0x19d
[    2.513249] Code: 4b 00 48 85 c0 0f 85 be 00 00 00 48 c7 c7 d8 a8
12 9b bd f4 ff ff ff e8 a4 ba 73 fe e9 f0 00 00 00 48 85 d2 0f 85 b1
00 00 00 <41> 80 3c 24 00 0f 84 bf 00 00 00 4d 85 e4 0f 84 b6 00 00 00
48 8b
[    2.516876] RSP: 0018:ffffa6d7c0c67df8 EFLAGS: 00010282
[    2.517844] RAX: 0df68117d0b79f0b RBX: ffff96fe32837720 RCX: 0000000000000000
[    2.519128] RDX: ffffa6d7c0c81000 RSI: ffffffff9b3934c0 RDI: ffff96fe32837758
[    2.520328] RBP: ffffffff9b3934c0 R08: ffffffff9b3934c0 R09: 0000000000000228
[    2.521771] R10: 0000000000000007 R11: 0000000000000008 R12: 0df627ef917fb013
[    2.523025] R13: ffffffff9b3934c0 R14: ffffffff9a6b3da0 R15: ffff96fe32837758
[    2.524218] FS:  0000000000000000(0000) GS:ffff96fe37b00000(0000)
knlGS:0000000000000000
[    2.525591] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.528401] CR2: 00007f0508d7c000 CR3: 0000800232ff8000 CR4: 0000000000340ee0
[    2.530155] Kernel panic - not syncing: Fatal exception
[    2.531145] Kernel Offset: 0x19000000 from 0xffffffff81000000
(relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[    2.531145] ---[ end Kernel panic - not syncing: Fatal exception ]---

Regards,
Wooky



More information about the Linux-security-module-archive mailing list