[PATCH v5] x86/kexec: Carry forward IMA measurement log on kexec

Mimi Zohar zohar at linux.ibm.com
Mon Jun 13 21:01:50 UTC 2022


On Mon, 2022-06-13 at 10:30 +0000, Jonathan McDowell wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec call
> may also be measured by IMA. A remote attestation service can verify
> a TPM quote based on the TPM event log, the IMA measurement list, and
> the TPM PCR data. This can be achieved only if the IMA measurement log
> is carried over from the current kernel to the next kernel across
> the kexec call.
> 
> powerpc and ARM64 both achieve this using device tree with a
> "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
> device tree, so use the setup_data mechanism to pass the IMA buffer to
> the new kernel.
> 
> (Mimi, Baoquan, I haven't included your reviewed-bys because this has
>  changed the compile guards around the ima_(free|get)_kexec_buffer
>  functions in order to fix the warning the kernel test robot found. I
>  think this is the right thing to do and avoids us compiling them on
>  platforms where they won't be used. The alternative would be to drop
>  the guards in ima.h that Mimi requested for v4.)hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
> 
> Signed-off-by: Jonathan McDowell <noodles at fb.com>
> ---
> v5:
>  - Guard ima_(free|get)_kexec_buffer functions with
>    CONFIG_HAVE_IMA_KEXEC (kernel test robot)
>  - Use setup_data_offset in setup_boot_parameters and update rather than
>    calculating in call to setup_ima_state.
> v4:
>  - Guard ima.h function prototypes with CONFIG_HAVE_IMA_KEXEC

> diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c
> index 8d374cc552be..42a6c5721a43 100644
> --- a/drivers/of/kexec.c
> +++ b/drivers/of/kexec.c
> @@ -9,6 +9,7 @@
>   *  Copyright (C) 2016  IBM Corporation
>   */
>  
> +#include <linux/ima.h>
>  #include <linux/kernel.h>
>  #include <linux/kexec.h>
>  #include <linux/memblock.h>
> @@ -115,6 +116,7 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
>  	return 0;
>  }
>  
> +#ifdef CONFIG_HAVE_IMA_KEXEC
>  /**
>   * ima_get_kexec_buffer - get IMA buffer from the previous kernel
>   * @addr:	On successful return, set to point to the buffer contents.
> @@ -173,6 +175,7 @@ int ima_free_kexec_buffer(void)
>  
>  	return memblock_phys_free(addr, size);
>  }
> +#endif

Inside ima_{get,free}_kexec_buffer(), there's no need now to test
whether CONFIG_HAVE_IMA_KEXEC is enabled.

        if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC))
                return -ENOTSUPP;

Otherwise,

Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>  # IMA function
definitions

>  
>  /**
>   * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
> diff --git a/include/linux/ima.h b/include/linux/ima.h



More information about the Linux-security-module-archive mailing list