[PATCH v5] x86/kexec: Carry forward IMA measurement log on kexec
Mimi Zohar
zohar at linux.ibm.com
Mon Jun 13 21:01:50 UTC 2022
On Mon, 2022-06-13 at 10:30 +0000, Jonathan McDowell wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec call
> may also be measured by IMA. A remote attestation service can verify
> a TPM quote based on the TPM event log, the IMA measurement list, and
> the TPM PCR data. This can be achieved only if the IMA measurement log
> is carried over from the current kernel to the next kernel across
> the kexec call.
>
> powerpc and ARM64 both achieve this using device tree with a
> "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
> device tree, so use the setup_data mechanism to pass the IMA buffer to
> the new kernel.
>
> (Mimi, Baoquan, I haven't included your reviewed-bys because this has
> changed the compile guards around the ima_(free|get)_kexec_buffer
> functions in order to fix the warning the kernel test robot found. I
> think this is the right thing to do and avoids us compiling them on
> platforms where they won't be used. The alternative would be to drop
> the guards in ima.h that Mimi requested for v4.)hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
>
> Signed-off-by: Jonathan McDowell <noodles at fb.com>
> ---
> v5:
> - Guard ima_(free|get)_kexec_buffer functions with
> CONFIG_HAVE_IMA_KEXEC (kernel test robot)
> - Use setup_data_offset in setup_boot_parameters and update rather than
> calculating in call to setup_ima_state.
> v4:
> - Guard ima.h function prototypes with CONFIG_HAVE_IMA_KEXEC
> diff --git a/drivers/of/kexec.c b/drivers/of/kexec.c
> index 8d374cc552be..42a6c5721a43 100644
> --- a/drivers/of/kexec.c
> +++ b/drivers/of/kexec.c
> @@ -9,6 +9,7 @@
> * Copyright (C) 2016 IBM Corporation
> */
>
> +#include <linux/ima.h>
> #include <linux/kernel.h>
> #include <linux/kexec.h>
> #include <linux/memblock.h>
> @@ -115,6 +116,7 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
> return 0;
> }
>
> +#ifdef CONFIG_HAVE_IMA_KEXEC
> /**
> * ima_get_kexec_buffer - get IMA buffer from the previous kernel
> * @addr: On successful return, set to point to the buffer contents.
> @@ -173,6 +175,7 @@ int ima_free_kexec_buffer(void)
>
> return memblock_phys_free(addr, size);
> }
> +#endif
Inside ima_{get,free}_kexec_buffer(), there's no need now to test
whether CONFIG_HAVE_IMA_KEXEC is enabled.
if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC))
return -ENOTSUPP;
Otherwise,
Reviewed-by: Mimi Zohar <zohar at linux.ibm.com> # IMA function
definitions
>
> /**
> * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
> diff --git a/include/linux/ima.h b/include/linux/ima.h
More information about the Linux-security-module-archive
mailing list