[Linux-ima-devel] [PATCH v2 4/7] ima: measure and appraise kexec image and initramfs

Dave Young dyoung at redhat.com
Tue Dec 29 00:21:22 PST 2015


Hi, Mimi

On 12/28/15 at 07:51am, Mimi Zohar wrote:
> On Mon, 2015-12-28 at 10:08 +0800, Dave Young wrote:
> > On 12/25/15 at 09:45am, Mimi Zohar wrote:
> > > IMA calculates the file hash, in this case, based on the buffer
> > > contents.   The hash is calculated once and used for both measurement
> > > and appraisal.  If the file integrity appraisal fails (eg. hash
> > > comparison or signature failure), IMA prevents the kexec files from
> > > being used.
> > > 
> > 
> > Ok, thanks for the explanation. But I have another question, why do we
> > need a special hook for KEXEC? Shouldn't all files use the same way to do the
> > measurement and appraisal?
> 
> "By all files" are you referring to all files read by the kernel or all
> files opened, executed or mmapped by the system?

Hmm, I mean any kind of files read by the kernel.

> 
> Currently IMA allocates a page sized buffer, reads a file a page chunk
> at a time calculating the file hash as it does so, and then frees the
> buffer before returning to the caller.  This method of calculating the
> file hash is used for measuring and appraising files opened
> (FILE_CHECK), executed (BPRM_CHECK) or mmapped (MMAP_CHECK) by the
> system.
> 
> This patch set addresses files being read by kernel.  A single new
> generic hook named ima_hash_and_process_file() is defined to not only
> measure and appraise the kexec image and initramfs, but firmware and the
> IMA policy.   As we identify other places that the kernel is reading
> files, this hook would be called in those places as well.

What I cannot understand is why IMA needs to know the caller information and
why we can't introduce a generic interface. kexec, firmware and other
callers all read files, so a common file-based interface should be better?

Thanks
Dave