[PATCH 06/10] ima: update buffer at kexec execute with ima measurements

Tushar Sugandhi tusharsu at linux.microsoft.com
Tue Jul 11 12:05:40 PDT 2023 

Adding Eric to cc.

On 7/7/23 08:01, Mimi Zohar wrote:
> Hi Tushar,
>
> On Mon, 2023-07-03 at 14:57 -0700, Tushar Sugandhi wrote:
>
>> +/*
>> + * Called during kexec execute so that IMA can update the measurement list.
>> + */
>> +static int ima_update_kexec_buffer(struct notifier_block *self,
>> +				   unsigned long action, void *data)
>> +{
>> +	void *new_buffer = NULL;
>> +	size_t new_buffer_size, cur_buffer_size;
>> +	bool resume = false;
>> +
>> +	if (!kexec_in_progress) {
>> +		pr_info("%s: No kexec in progress.\n", __func__);
>> +		return NOTIFY_OK;
>> +	}
>> +
>> +	if (!ima_kexec_buffer) {
>> +		pr_err("%s: Kexec buffer not set.\n", __func__);
>> +		return NOTIFY_OK;
>> +	}
>> +
>> +	ima_measurements_suspend();
>> +
>> +	cur_buffer_size = kexec_segment_size - sizeof(struct ima_kexec_hdr);
>> +	new_buffer_size = ima_get_binary_runtime_size();
>> +	if (new_buffer_size > cur_buffer_size) {
>> +		pr_err("%s: Measurement list grew too large.\n", __func__);
>> +		resume = true;
>> +		goto out;
>> +	}
> This changes the current behavior of carrying as many measurements
> across kexec as possible.  True the measurement list won't verify
> against the TPM PCRs, but not copying the measurements leaves the
> impression there weren't any previous measurements.
>
> This also explains the reason for allocating an IMA buffer (patch 1/10)
> and not writing the measurements directly into the kexec buffer.
Thanks.

I will update this logic depending if we decide to use
ima_dump_measurement_list() at kexec ‘execute’, or combination of
ima_allocate_buf_at_kexec_load() and ima_populate_buf_at_kexec_execute()
at kexec ‘load’ and kexec ‘execute’ respectively.

~Tushar

>> +	ima_populate_buf_at_kexec_execute(&new_buffer_size, &new_buffer);
>> +
>> +	if (!new_buffer) {
>> +		pr_err("%s: Dump measurements failed.\n", __func__);
>> +		resume = true;
>> +		goto out;
>> +	}
>> +	memcpy(ima_kexec_buffer, new_buffer, new_buffer_size);
>> +out:
>> +	kimage_unmap_segment(ima_kexec_buffer);
>> +	ima_kexec_buffer = NULL;
>> +
>> +	if (resume)
>> +		ima_measurements_resume();
>> +
>> +	return NOTIFY_OK;
>> +}
>> +
>>   #endif /* IMA_KEXEC */
>>   
>>   /*

More information about the kexec mailing list