[PATCH v4] x86/kexec: Carry forward IMA measurement log on kexec
Mimi Zohar
zohar at linux.ibm.com
Wed May 18 14:43:32 UTC 2022
On Thu, 2022-05-12 at 16:25 +0000, Jonathan McDowell wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec call
> may also be measured by IMA. A remote attestation service can verify
> a TPM quote based on the TPM event log, the IMA measurement list, and
> the TPM PCR data. This can be achieved only if the IMA measurement log
> is carried over from the current kernel to the next kernel across
> the kexec call.
>
> powerpc and ARM64 both achieve this using device tree with a
> "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
> device tree, so use the setup_data mechanism to pass the IMA buffer to
> the new kernel.
>
> Signed-off-by: Jonathan McDowell <noodles at fb.com>
Not from using "setup_data" perspective,
Reviewed-by: Mimi Zohar <zohar at linux.ibm.com> # IMA function
definitions
thanks,
Mimi
More information about the Linux-security-module-archive
mailing list