[PATCH v14 0/6] Carry forward IMA measurement log on kexec on ARM64
Rob Herring
robh at kernel.org
Tue Jan 12 09:42:48 EST 2021
On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec call
> may also be measured by IMA. A remote attestation service can verify
> a TPM quote based on the TPM event log, the IMA measurement list, and
> the TPM PCR data. This can be achieved only if the IMA measurement log
> is carried over from the current kernel to the next kernel across
> the kexec call.
>
> powerpc already supports carrying forward the IMA measurement log on
> kexec. This patch set adds support for carrying forward the IMA
> measurement log on kexec on ARM64.
>
> This patch set moves the platform independent code defined for powerpc
> such that it can be reused for other platforms as well. A chosen node
> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
> the address and the size of the memory reserved to carry
> the IMA measurement log.
>
> This patch set has been tested for ARM64 platform using QEMU.
> I would like help from the community for testing this change on powerpc.
> Thanks.
>
> This patch set is based on
> commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
> in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
> "dt/kexec" branch.
This all looks good to me. I'd suggest you send the above patches out as
part of this series because I don't plan to do so.
I would like to also resolve the vmalloc vs. kmalloc difference for
allocating the FDT. Then we can further consolidate the DT kexec code.
It all needs some acks from arm64 and powerpc maintainers. As far as
merging, I think via the integrity tree makes the most sense.
Rob
More information about the linux-arm-kernel
mailing list