[PATCH v9 1/7] ima: copy only complete measurement records across kexec
Mimi Zohar
zohar at linux.ibm.com
Wed Mar 5 12:27:40 UTC 2025
On Wed, 2025-03-05 at 20:08 +0800, Baoquan He wrote:
> On 03/04/25 at 11:03am, steven chen wrote:
> > Carrying the IMA measurement list across kexec requires allocating a
> > buffer and copying the measurement records. Separate allocating the
> > buffer and copying the measurement records into separate functions in
> > order to allocate the buffer at kexec 'load' and copy the measurements
> > at kexec 'execute'.
> >
> > This patch includes the following changes:
>
> I don't know why one patch need include so many changes. From below log,
> it should be split into separate patches. It may not need to make one
> patch to reflect one change, we should at least split and wrap several
> kind of changes to ease patch understanding and reviewing. My personal
> opinion.
Agreed, well explained.
Mimi
>
> > - Refactor ima_dump_measurement_list() to move the memory allocation
> > to a separate function ima_alloc_kexec_file_buf() which allocates
> > buffer of size 'kexec_segment_size' at kexec 'load'.
> > - Make the local variable ima_kexec_file in ima_dump_measurement_list()
> > a local static to the file, so that it can be accessed from
> > ima_alloc_kexec_file_buf(). Compare actual memory required to ensure
> > there is enough memory for the entire measurement record.
> > - Copy only complete measurement records.
> > - Make necessary changes to the function ima_add_kexec_buffer() to call
> > the above two functions.
> > - Compared the memory size allocated with memory size of the entire
> > measurement record. Copy only complete measurement records if there
> > is enough memory. If there is not enough memory, it will not copy
> > any IMA measurement records, and this situation will result in a
> > failure of remote attestation.
> >
> > Suggested-by: Mimi Zohar <zohar at linux.ibm.com>
> > Signed-off-by: Tushar Sugandhi <tusharsu at linux.microsoft.com>
> > Signed-off-by: steven chen <chenste at linux.microsoft.com>
More information about the Linux-security-module-archive
mailing list