Re: [PATCH v2] Carry forward IMA measurement log on kexec on x86_64
From: Jonathan McDowell <hidden>
Date: 2022-05-03 12:02:19
Also in:
linux-integrity, lkml
On Fri, Apr 29, 2022 at 05:30:10PM -0400, Mimi Zohar wrote:
quoted
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index 13753136f03f..419c50cfe6b9 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c@@ -10,6 +10,7 @@ #include <linux/seq_file.h> #include <linux/vmalloc.h> #include <linux/kexec.h> +#include <linux/memblock.h> #include <linux/of.h> #include <linux/ima.h> #include "ima.h"@@ -134,10 +135,66 @@ void ima_add_kexec_buffer(struct kimage *image) } #endif /* IMA_KEXEC */ +#ifndef CONFIG_OF +static phys_addr_t ima_early_kexec_buffer_phys; +static size_t ima_early_kexec_buffer_size; + +void __init ima_set_kexec_buffer(phys_addr_t phys_addr, size_t size) +{ + if (size == 0) + return; + + ima_early_kexec_buffer_phys = phys_addr; + ima_early_kexec_buffer_size = size; +} + +int __init ima_free_kexec_buffer(void) +{ + int rc; + + if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC)) + return -ENOTSUPP; + + if (ima_early_kexec_buffer_size == 0) + return -ENOENT; + + rc = memblock_phys_free(ima_early_kexec_buffer_phys, + ima_early_kexec_buffer_size); + if (rc) + return rc; + + ima_early_kexec_buffer_phys = 0; + ima_early_kexec_buffer_size = 0; + + return 0; +} + +int __init ima_get_kexec_buffer(void **addr, size_t *size) +{ + if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC)) + return -ENOTSUPP; + + if (ima_early_kexec_buffer_size == 0) + return -ENOENT; + + *addr = __va(ima_early_kexec_buffer_phys); + *size = ima_early_kexec_buffer_size; + + return 0; +} +Originally both ima_get_kexec_buffer() and ima_free_kexec_buffer() were architecture specific. Refer to commit 467d27824920 ("powerpc: ima: get the kexec buffer passed by the previous kernel"). Is there any need for defining them here behind an "#ifndef CONFIG_OF"?
Commit fee3ff99bc67 (powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c) moved those functions to drivers/of/kexec.c as a more generic implementation so that ARM64 could use them too. I think for platforms that use device tree that's the way to go, but the functions to generically set + get the IMA buffer for non device tree systems were useful enough to put in the IMA code rather than being x86 specific. If you disagree I can move them under arch/x86/ (assuming the x86 folk agree using setup_data is the right way to go, I haven't seen any of them comment on this approach yet).
quoted
+#else + +void __init ima_set_kexec_buffer(phys_addr_t phys_addr, size_t size) +{ + pr_warn("CONFIG_OF enabled, ignoring call to set buffer details.\n"); +} +#endif /* CONFIG_OF */ +Only when "HAVE_IMA_KEXEC" is defined is this file included. Why is this warning needed?
x86 *can* have device tree enabled, but the only platform I'm aware that did it was OLPC and I haven't seen any of the distros enable it. I put this in so there's a warning if we have CONFIG_OF enabled on x86 and tried to pass the IMA log via setup_data. Can remove (or fold into the x86 code if we go that way).
quoted
/* * Restore the measurement list from the previous kernel. */ -void ima_load_kexec_buffer(void) +void __init ima_load_kexec_buffer(void) { void *kexec_buffer = NULL; size_t kexec_buffer_size = 0;
J.