need help: patches to capture events between kexec load and execute

Tushar Sugandhi tusharsu at linux.microsoft.com
Fri Jun 3 23:16:04 PDT 2022


Hello all,
We believe we have found one gap in the IMA/kexec interaction.
And we need your inputs as Linux Kernel maintainers/experts to fix that
gap.

-------------
Problem:
-------------
The current Kernel behavior is that IMA measurements are snapshotted at
'kexec load' and not at 'kexec execute'.  The IMA log is then carried
over to the new Kernel after 'kexec execute'.

Some systems can be configured to call 'kexec load' first, followed
by 'kexec execute' after some time (as opposed to calling 'load' and
'execute' in one single kexec command).  In this scenario, if new IMA
measurements are added between 'kexec load' and 'kexec execute', the
TPM PCRs are extended with the IMA events between load and execute, but
those IMA events are not carried over to the new kernel after the kexec
soft reboot.  This results in a mismatch between TPM PCR quotes and the
actual IMA measurements log post kexec.

===========================================================================
-------------
Scenario
-------------
Here is the order of operations I followed to confirm the issue.

(a) Call 'kexec load'

     #kexec -s -l /etc/ima/Image.kexec --reuse-cmdline


(b) Touch one of the files that would be measured by IMA

     #cat /run/systemd/journal/streams/8:16351


(c) Verify that this measurement event is part of the IMA log.

     #cat /sys/kernel/security/ima/ascii_runtime_measurements | grep 16351

     <returns the file entry in IMA log>

(d) Call 'kexec execute'

     #kexec -s -e


(e) After the kexec soft reboot, the file measurement event is not
     present in the IMA log anymore, because this measurement in the
     previous kernel had happened after the IMA log was snapshotted in
     the previous kernel.

     #cat /sys/kernel/security/ima/ascii_runtime_measurements | grep 16351

     <does not return the file entry in IMA log>

===========================================================================
-------------
Solution
-------------
Tyler pointed me to the past work in this area.
(Please see references section below)

I used it to create the patches for capturing IMA events in between
"kexec load" and "kexec execute". (please find attached)

- 0001-kexec_file-Add-mechanism-to-update-kexec-segments.patch
- 0002-ima-update-kexec-buffer-before-executing-soft-reboot.patch
- 0003-ima-on-soft-reboot-save-the-measurement-list.patch

My patches are based on [1] and [2] in the References section below.
I also looked at [3].  It has a few kexec_*_handover_buffer().
I was not sure if they were needed.  As per my limited understanding in
kexec space [1] and [2] together seemed sufficient for the solution.
===========================================================================
------------------------------------------
Problems in the solution above
------------------------------------------
Earlier my solution patches were crashing the Kernel. After a few fixes,
the patches are not crashing the Kernel anymore, but they don't seem to
be working to capture the events between 'kexec load' and 'kexec
execute' either.

When I was debugging it using printks and gdb, I found one potential
location where it was failing.

test_0001-move-ima_add_kexec_buffer-from-kexec-load-to-execute.patch
has that location.


I would really appreciate it if one of you could provide further
guidance to help me make progress on this work.

==================================================================
----------------
References
----------------

[1] [PATCH v2 5/9] ima: on soft reboot, save the measurement list
https://lore.kernel.org/lkml/1472596811-9596-6-git-send-email-zohar@linux.vnet.ibm.com/

[2] [PATCH v2 4/6] kexec_file: Add mechanism to update kexec segments.
https://lkml.org/lkml/2016/8/16/577

[3] [PATCH 1/6] kexec_file: Add buffer hand-over support
https://lore.kernel.org/linuxppc-dev/1466473476-10104-6-git-send-email-bauerman@linux.vnet.ibm.com/T/

~Tushar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test_0001-move-ima_add_kexec_buffer-from-kexec-load-to-execute.patch
Type: text/x-patch
Size: 2278 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220603/1546c721/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-ima-on-soft-reboot-save-the-measurement-list.patch
Type: text/x-patch
Size: 2721 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220603/1546c721/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-ima-update-kexec-buffer-before-executing-soft-reboot.patch
Type: text/x-patch
Size: 2429 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220603/1546c721/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-kexec_file-Add-mechanism-to-update-kexec-segments.patch
Type: text/x-patch
Size: 4492 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/kexec/attachments/20220603/1546c721/attachment-0007.bin>
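
The mismatch described in the Problem section is what an attestation verifier sees when it replays the carried-over log against the quoted PCR. The sketch below is an added example, not part of the original post or its patches. It assumes the SHA-1 bank of PCR 10 and the ascii_runtime_measurements line layout; the log entries and their template hashes are constructed sample data, and only the 16351 path comes from the post.

```python
import hashlib

ZERO = bytes(20)        # SHA-1 PCR reset value; also the logged digest of a violation
ALL_FF = b"\xff" * 20   # value IMA extends into the TPM for a violation entry

def parse_entry(line):
    """Return (pcr_index, template_hash) from one ascii_runtime_measurements line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError(f"malformed IMA log line: {line!r}")
    digest = bytes.fromhex(fields[1])
    if len(digest) != 20:
        raise ValueError(f"expected a SHA-1 template hash: {line!r}")
    return int(fields[0]), digest

def replay_pcr(log_text, pcr_index=10):
    """Recompute the PCR a verifier expects: PCR = SHA1(PCR || template_hash)."""
    pcr = ZERO
    for line in log_text.splitlines():
        if not line.strip():
            continue
        idx, digest = parse_entry(line)
        if idx != pcr_index:
            continue
        if digest == ZERO:      # violation: log shows zeros, TPM was extended with 0xFF
            digest = ALL_FF
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr

def log_matches_pcr(log_text, quoted_pcr_hex, pcr_index=10):
    """True when replaying the log reproduces the PCR value taken from a TPM quote."""
    return replay_pcr(log_text, pcr_index).hex() == quoted_pcr_hex.lower()

def _entry(path):
    # Constructed sample entry: real template hashes are computed by the kernel.
    template_hash = hashlib.sha1(b"template:" + path.encode()).hexdigest()
    file_hash = hashlib.sha256(path.encode()).hexdigest()
    return f"10 {template_hash} ima-ng sha256:{file_hash} {path}"

BEFORE_LOAD = [_entry("boot_aggregate"), _entry("/usr/bin/kexec")]
BETWEEN_LOAD_AND_EXECUTE = [_entry("/run/systemd/journal/streams/8:16351")]

# The TPM is not reset by kexec, so PCR 10 reflects every event that was extended.
FULL_LOG = "\n".join(BEFORE_LOAD + BETWEEN_LOAD_AND_EXECUTE)
QUOTED_PCR10 = replay_pcr(FULL_LOG).hex()
# The log snapshotted at 'kexec load' lacks the later event.
CARRIED_OVER_LOG = "\n".join(BEFORE_LOAD)

if __name__ == "__main__":
    print("full log matches quote:        ", log_matches_pcr(FULL_LOG, QUOTED_PCR10))
    print("carried-over log matches quote:", log_matches_pcr(CARRIED_OVER_LOG, QUOTED_PCR10))
```
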