[PATCH 06/10] ima: update buffer at kexec execute with ima measurements
Mimi Zohar
zohar at linux.ibm.com
Wed Jul 12 08:45:08 PDT 2023
On Tue, 2023-07-11 at 12:08 -0700, Tushar Sugandhi wrote:
> Adding Eric to cc.
>
> On 7/7/23 12:49, Mimi Zohar wrote:
> > On Fri, 2023-07-07 at 11:01 -0400, Mimi Zohar wrote:
> >> Hi Tushar,
> >>
> >> On Mon, 2023-07-03 at 14:57 -0700, Tushar Sugandhi wrote:
> >>
> >>> +/*
> >>> + * Called during kexec execute so that IMA can update the measurement list.
> >>> + */
> >>> +static int ima_update_kexec_buffer(struct notifier_block *self,
> >>> + unsigned long action, void *data)
> >>> +{
> >>> + void *new_buffer = NULL;
> >>> + size_t new_buffer_size, cur_buffer_size;
> >>> + bool resume = false;
> >>> +
> >>> + if (!kexec_in_progress) {
> >>> + pr_info("%s: No kexec in progress.\n", __func__);
> >>> + return NOTIFY_OK;
> >>> + }
> >>> +
> >>> + if (!ima_kexec_buffer) {
> >>> + pr_err("%s: Kexec buffer not set.\n", __func__);
> >>> + return NOTIFY_OK;
> >>> + }
> >>> +
> >>> + ima_measurements_suspend();
> >>> +
> >>> + cur_buffer_size = kexec_segment_size - sizeof(struct ima_kexec_hdr);
> >>> + new_buffer_size = ima_get_binary_runtime_size();
> >>> + if (new_buffer_size > cur_buffer_size) {
> >>> + pr_err("%s: Measurement list grew too large.\n", __func__);
> >>> + resume = true;
> >>> + goto out;
> >>> + }
> >> This changes the current behavior of carrying as many measurements
> >> across kexec as possible. True the measurement list won't verify
> >> against the TPM PCRs, but not copying the measurements leaves the
> >> impression there weren't any previous measurements.
> >>
> >> This also explains the reason for allocating an IMA buffer (patch 1/10)
> >> and not writing the measurements directly into the kexec buffer.
> > If not carrying even a partial measurement list across kexec is
> > desired, then in addition to the "boot_aggregate" record, define a new
> > record containing the TPM pcrcounter. With this information,
> > attestation servers will at least be able to detect if the measurement
> > list was truncated.
> Sure. Recording TPM pcrcounter at boot aggregate and
> Kexec 'load' should provide the necessary information to the
> attestation servers. We can implement this if needed, based on how
> rest of the series evolves.
Recording the TPM pcrcounter should be done independently of this patch
set. This patch set would have a dependency on it.
--
thanks,
Mimi
More information about the kexec
mailing list