HardenedVault writes: “Under the x86/amd64 architecture, the Linux kernel is typically packaged into the bzImage format, which contains a partially padded data structure for boot parameters and multiple stage entry points for 16-bit real mode, 32-bit protected mode, and 64-bit long mode (if built for amd64). The last stage is a self-extracting flat binary, which properly decompresses and executes the gzip-compressed kernel image, also in flat binary format, stored in its data segment. Each stage initializes the correct execution environment for the next stage, switches the CPU to a mode in which the next stage can work, and then executes the next stage. Of course, the Linux kernel is capable of booting from 16-bit real mode, but it also allows the bootloader to prepare the execution environment of a later stage (such as 32-bit protected mode or 64-bit long mode) and execute the Linux kernel from the corresponding entry point. For example, if the bootloader itself works primarily in 32-bit protected mode, then booting a Linux kernel from its 32-bit protected mode entry point would be the most efficient way, and a Linux kernel built for amd64 will choose the 64-bit long mode entry point when using kexec to boot another Linux kernel built for amd64. Recently, a bug in QEMU caused a kernel crash after kexec, because the kexec-ed kernel is not able to decompress a compressed initrd. This bug only affects new Linux kernels that use a compressed initrd with kexec in QEMU; kexec on physical machines, and other methods of booting the Linux kernel with a compressed initrd in QEMU, are not affected.
Of course, in QEMU it is valid to use an uncompressed initrd to boot a new Linux kernel, so if you want to use a kexec-based bootloader with QEMU, you may have to use an uncompressed initrd to boot the target system. Vault Labs of HardenedVault (Cyber Fortress) successfully completed remote attestation in a vTPM environment using such methods.”
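As an added example (not from HardenedVault or the original post), a small Python checker that identifies an initrd's compression format from its leading magic bytes and, for the gzip case, produces the uncompressed archive that the workaround above calls for; the cpio trailer used as sample input is constructed here for illustration.

```python
import gzip

# Leading magic bytes of the compression formats the kernel can unpack an initrd from.
MAGICS = {
    "gzip": b"\x1f\x8b",
    "bzip2": b"BZh",
    "xz": b"\xfd7zXZ\x00",
    "lz4": b"\x04\x22\x4d\x18",
    "zstd": b"\x28\xb5\x2f\xfd",
}
# Magic of an uncompressed cpio "newc"/"crc" archive, i.e. an already uncompressed initrd.
CPIO_MAGICS = (b"070701", b"070702")


def initrd_format(data: bytes) -> str:
    """Return the format of the initrd's first member: a compressor name, 'cpio', or 'unknown'.
    Caveat: an initrd made of an uncompressed early-microcode cpio followed by a compressed
    archive starts with a cpio magic, so only the leading member is classified here."""
    for name, magic in MAGICS.items():
        if data.startswith(magic):
            return name
    if data.startswith(CPIO_MAGICS):
        return "cpio"
    return "unknown"


def ensure_uncompressed_initrd(data: bytes) -> bytes:
    """Return an uncompressed cpio initrd, decompressing gzip (the common case) in place.
    Other compressors are reported rather than silently passed through to kexec."""
    fmt = initrd_format(data)
    if fmt == "cpio":
        return data
    if fmt == "gzip":
        return gzip.decompress(data)
    raise ValueError(f"initrd is {fmt}; re-create it uncompressed before kexec under QEMU")


def cpio_trailer() -> bytes:
    """Constructed sample: a minimal newc cpio archive containing only the TRAILER!!! entry."""
    name = b"TRAILER!!!\x00"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor, rdevmajor, rdevminor, namesize, check
    fields = [0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, len(name), 0]
    body = b"070701" + b"".join(b"%08x" % f for f in fields) + name
    return body + b"\x00" * (-len(body) % 4)  # header+name padded to a 4-byte boundary


SAMPLE_INITRD = cpio_trailer()                 # constructed uncompressed initrd
SAMPLE_GZ_INITRD = gzip.compress(SAMPLE_INITRD)  # the same initrd as a distro would gzip it
```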
This article is reprinted from: https://www.solidot.org/story?sid=72760
This site is for inclusion only, and the copyright belongs to the original author.