[PATCH v12 0/9] ima: kexec: measure events between kexec load and execute

Stefan Berger stefanb at linux.ibm.com
Thu Apr 17 01:09:24 UTC 2025
On 4/15/25 10:10 PM, steven chen wrote:
> From: Steven Chen <chenste at linux.microsoft.com>
> 
> The current kernel behavior is that the IMA measurements snapshot is taken at
> kexec 'load' and not at kexec 'execute'.  The IMA log is then carried
> over to the new kernel after kexec 'execute'.
> 
> Currently, the kernel behavior during kexec load is to fetch the IMA
> measurements log from TPM PCRs and store it in a buffer. When a kexec
> reboot is triggered, this stored log buffer is carried over to the second
> kernel. However, the time gap between kexec load and kexec reboot can be
> very long. During this time window, new events extended into TPM PCRs miss
> the chance to be carried over to the second kernel. This results in a
> mismatch between TPM PCR quotes and the actual IMA measurements list after
> kexec soft reboot, which in turn results in remote attestation failure.

Tested-by: Stefan Berger <stefanb at linux.ibm.com> # ppc64/kvm
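The mismatch described in the cover letter is what a remote verifier detects when it replays the carried-over IMA measurement list into a software PCR and compares the result with the quoted TPM PCR value. The following simulation, written for this archive page and not taken from the patch series, models that check: the TPM PCR keeps accumulating every extend, while the log handed to the second kernel is either the snapshot taken at kexec 'load' (current behaviour) or one taken at kexec 'execute' (the behaviour the series introduces). File paths, the single-PCR model, the all-zero initial PCR and the use of SHA-256 on the path as the template digest are constructed simplifications.

```python
import hashlib


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def template_digest(path: bytes) -> bytes:
    """Constructed stand-in for the IMA template hash of one measured file."""
    return hashlib.sha256(path).digest()


def replay_log(log: list) -> bytes:
    """What an attestation verifier does: recompute the PCR from the log."""
    pcr = bytes(32)  # assumption: PCR starts at all zeros at boot
    for digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def verify_quote(log: list, quoted_pcr: bytes) -> bool:
    """Log and quote agree only if replaying the log reproduces the PCR."""
    return replay_log(log) == quoted_pcr


def simulate_kexec(snapshot_at_execute: bool) -> dict:
    """Model the kexec 'load' -> 'execute' window with ongoing IMA measurements.

    snapshot_at_execute=False models the current kernel (log captured at 'load');
    snapshot_at_execute=True models the patched behaviour (log captured at 'execute').
    Returns the verifier's verdict plus how many events the carried log contains.
    """
    # Constructed sample events: measured before kexec load ...
    before_load = [b"boot_aggregate", b"/usr/bin/init", b"/usr/lib/libc.so.6"]
    # ... and measured during the (possibly very long) gap until kexec execute.
    between_load_and_execute = [b"/usr/bin/update-agent", b"/etc/ima/new-policy"]

    pcr = bytes(32)   # the hardware PCR persists across a kexec soft reboot
    ima_log = []      # the kernel's in-memory measurement list

    for path in before_load:
        d = template_digest(path)
        pcr = pcr_extend(pcr, d)
        ima_log.append(d)

    # kexec 'load': current kernel freezes the buffer to carry over right here.
    carried_log = None if snapshot_at_execute else list(ima_log)

    for path in between_load_and_execute:
        d = template_digest(path)
        pcr = pcr_extend(pcr, d)   # TPM still sees every extend ...
        ima_log.append(d)          # ... and so does the running kernel's log

    # kexec 'execute': patched kernel takes the snapshot now instead.
    if snapshot_at_execute:
        carried_log = list(ima_log)

    # Second kernel boots with the carried log; the verifier quotes the PCR.
    return {
        "attestation_ok": verify_quote(carried_log, pcr),
        "carried_events": len(carried_log),
        "pcr_events": len(ima_log),
    }


if __name__ == "__main__":
    print("snapshot at load:   ", simulate_kexec(snapshot_at_execute=False))
    print("snapshot at execute:", simulate_kexec(snapshot_at_execute=True))
```

With the snapshot taken at 'load', the carried log is two events short of what the PCR has absorbed, so the replay fails even though nothing malicious happened; taking the snapshot at 'execute' makes the carried log and the quote agree again.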