[PATCH v5 12/13] ima: Return error on deleting measurements already copied during kexec

Mimi Zohar zohar at linux.ibm.com
Tue May 26 14:02:36 UTC 2026


On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
> 
> Refuse to delete staged or active list measurements if a kexec racing with
> the deletion already copied those measurements into the kexec buffer. In this
> way, user space becomes aware that those measurements are going to appear
> in the secondary kernel, and thus they don't have to be saved twice.

There are two reboot notifiers: one prevents additional measurements from extending
the TPM, while the other copies the measurements for kexec. This patch prevents
deleting the staged measurements after the latter notifier.

Instead of introducing a specific method for detecting whether the measurement
list has been copied, rely on one of the two existing reboot notifiers. The
simplest method would test "ima_measurements_suspended", which would prevent
deleting the staged measurements a bit earlier.

Mimi
