Re: [PATCH v4] x86/kexec: Carry forward IMA measurement log on kexec
From: Jonathan McDowell <hidden>
Date: 2022-06-10 09:52:12
Also in:
kexec, linux-security-module, lkml
On Mon, Jun 06, 2022 at 12:06:51PM +0800, Baoquan He wrote:
On 05/12/22 at 04:25pm, Jonathan McDowell wrote:quoted
On kexec file load Integrity Measurement Architecture (IMA) subsystem may verify the IMA signature of the kernel and initramfs, and measure it. The command line parameters passed to the kernel in the kexec call may also be measured by IMA. A remote attestation service can verify a TPM quote based on the TPM event log, the IMA measurement list, and the TPM PCR data. This can be achieved only if the IMA measurement log is carried over from the current kernel to the next kernel across the kexec call. powerpc and ARM64 both achieve this using device tree with a "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of device tree, so use the setup_data mechanism to pass the IMA buffer to the new kernel.The entire looks good to me, other than a minor concern, please see the inline comment. Reviewed-by: Baoquan He <bhe@redhat.com>
Thanks. Still waiting to see if Eric has any comments before deciding whether to spin a v5 or not.
Hi Coiby, You can check this patch, see if you can take the same way to solve the LUKS-encrypted disk issue by passing the key via setup_data.quoted
Signed-off-by: Jonathan McDowell <redacted> ---......snip...quoted
diff --git a/arch/x86/kernel/kexec-bzimage64.c b/arch/x86/kernel/kexec-bzimage64.c index 170d0fd68b1f..54bd4ce5f908 100644 --- a/arch/x86/kernel/kexec-bzimage64.c +++ b/arch/x86/kernel/kexec-bzimage64.c@@ -186,6 +186,33 @@ setup_efi_state(struct boot_params *params, unsigned long params_load_addr, } #endif /* CONFIG_EFI */ +static void +setup_ima_state(const struct kimage *image, struct boot_params *params, + unsigned long params_load_addr, + unsigned int ima_setup_data_offset) +{ +#ifdef CONFIG_IMA_KEXEC + struct setup_data *sd = (void *)params + ima_setup_data_offset; + unsigned long setup_data_phys; + struct ima_setup_data *ima; + + if (!image->ima_buffer_size) + return; + + sd->type = SETUP_IMA; + sd->len = sizeof(*ima); + + ima = (void *)sd + sizeof(struct setup_data); + ima->addr = image->ima_buffer_addr; + ima->size = image->ima_buffer_size; + + /* Add setup data */ + setup_data_phys = params_load_addr + ima_setup_data_offset; + sd->next = params->hdr.setup_data; + params->hdr.setup_data = setup_data_phys; +#endif /* CONFIG_IMA_KEXEC */ +} + static int setup_boot_parameters(struct kimage *image, struct boot_params *params, unsigned long params_load_addr,@@ -247,6 +274,13 @@ setup_boot_parameters(struct kimage *image, struct boot_params *params, setup_efi_state(params, params_load_addr, efi_map_offset, efi_map_sz, efi_setup_data_offset); #endif + + /* Setup IMA log buffer state */ + setup_ima_state(image, params, params_load_addr, + efi_setup_data_offset + + sizeof(struct setup_data) + + sizeof(struct efi_setup_data));Is it a little better to update efi_setup_data_offset beforehand, or define a local variable? efi_setup_data_offset += sizeof(struct setup_data) + sizeof(struct efi_setup_data)); setup_ima_state(image, params, params_load_addr, efi_setup_data_offset)); No strong opinion. If nobody has concern about it.quoted
+ /* Setup EDD info */ memcpy(params->eddbuf, boot_params.eddbuf, EDDMAXNR * sizeof(struct edd_info));