[PATCH v5 6/8] ima: suspend measurements during buffer copy at kexec execute
Mimi Zohar
zohar at linux.ibm.com
Thu Feb 22 08:38:23 PST 2024
> > @@ -176,6 +195,19 @@ int ima_add_template_entry(struct ima_template_entry
> > *entry, int violation,
> > }
> > }
> >
> > + /*
> > + * suspend_ima_measurements will be set if the system is
> > + * undergoing kexec soft boot to a new kernel.
> > + * suspending measurements in this short window ensures the
> > + * consistency of the IMA measurement list during copying
> > + * of the kexec buffer.
> > + */
>
> Either remove the 2nd sentence "suspending measurements in this short window
> ..." or explain what is meant by "short window".
>
>
> > + if (atomic_read(&suspend_ima_measurements)) {
> > + audit_cause = "measurements_suspended";
> > + audit_info = 0;
> > + goto out;
After the suggested changes, understanding how many measurements are not being
added to the measurement list and not being extended into the TPM would be
really interesting.
Mimi
> > + }
> > +
> > result = ima_add_digest_entry(entry,
> > !IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE));
> > if (result < 0) {
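Review bot: the suspended path at `if (atomic_read(&suspend_ima_measurements))` drops the entry outright with `goto out`, leaving only an audit record with `audit_cause = "measurements_suspended"` and `audit_info = 0`; nothing in this hunk counts the skipped measurements or tells the caller they were lost rather than deferred, so after the soft boot neither the new kernel nor a remote verifier can tell how many events are missing from the list and from the TPM. Consider incrementing a counter next to the audit assignment (and documenting in the comment that entries hit in this window are discarded, not queued), and, as already raised above, either quantify "short window" in the comment or remove that sentence.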
>
>