[PATCH 01/10] ima: implement function to allocate buffer at kexec load

Mimi Zohar zohar at linux.ibm.com
Tue Jul 11 14:11:47 PDT 2023 

On Tue, 2023-07-11 at 10:59 -0700, Tushar Sugandhi wrote:
> Adding Eric to cc.
> 
> On 7/7/23 06:00, Mimi Zohar wrote:
> > Hi Tushar,
> >
> > On Mon, 2023-07-03 at 14:57 -0700, Tushar Sugandhi wrote:
> >> IMA does not provide a mechanism to allocate memory for IMA log storage
> >> during kexec operation.
> > The IMA measurement list is currently being carried across kexec, so
> > obviously a buffer is being allocated for it.  IMA not allocating
> > memory for the measurment list is not the problem statement.  Please
> > concisely provide the problem statement, explaining why IMA needs to
> > allocate the buffer.
> >
> I meant IMA does not provide separate functions to allocate buffer and
> populate measurements.  Both operations are wrapped in an atomic
> ima_dump_measurement_list().

Ok.

> As I mentioned in the comment in the cover letter, if there is no such
> technical limitation to allocate the buffer and copy the measurements at
> kexec ‘execute’ – I will make the necessary code changes and update the
> above line in the patch description accordingly.

The "normal" way of making this type of change would be to split the
existing ima_dump_measurement_list() function.  Copying the measurement
list would still be named ima_dump_measurement_list().  The other could
be named ima_alloc_kexec_buf().  Both functions initially would be
called.

Eric, besides updating the buffer at kexec execute, is there anything
else that needs to be done (e.g. updating digests)?

> >> The function should handle the scenario where
> >> the kexec load is called multiple times.
> > Currently the buffer is being freed with the kexec 'unload'.  With this
> > patch IMA is allocating a buffer for the measurement list, which needs
> > to be freed independently of the kexec 'unload'.

> If we end up allocating the buffer at kexec ‘execute’ (which results in
> soft boot to next Kernel) – is it technically possible that
> kexec ‘unload’ being called after calling kexec ‘execute’?

> If not, should I still free the buffer at kexec ‘unload’ in this
> scenario?

The question is how to access the buffer once kexec_add_buffer() is
called.

Mimi

More information about the kexec mailing list