Re: [PATCH v3] x86/kexec: Carry forward IMA measurement log on kexec
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2022-05-11 17:54:16
Hi Jonathan,

On Wed, 2022-05-11 at 09:59 +0000, Jonathan McDowell wrote:
> On kexec file load, the Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure it.
> The command line parameters passed to the kernel in the kexec call may
> also be measured by IMA. A remote attestation service can verify a TPM
> quote based on the TPM event log, the IMA measurement list, and the TPM
> PCR data. This can be achieved only if the IMA measurement log is carried
> over from the current kernel to the next kernel across the kexec call.
>
> powerpc and ARM64 both achieve this using device tree with a
> "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
> device tree, so use the setup_data mechanism to pass the IMA buffer to
> the new kernel.
>
> Signed-off-by: Jonathan McDowell <redacted>
> ---
> v3:
> - Rebase on tip/master
This patch doesn't apply to Linus' master branch. Which tip/master branch? In the future, please use the git format-patch "--base=auto" option.
> - Pull ima_(free|get)_kexec_buffer into x86 code
> - Push ifdefs into functions where possible
> - Reverse fir tree variable declarations
> - Fix section annotation on ima_free_kexec_buffer (__meminit)
> - Only allocate ima_setup_data space when IMA_KEXEC is enabled
IMA_KEXEC only controls whether the current measurement list should be carried across kexec, not restoring the previous measurement list.
> v2:
> - Fix operation with EFI systems
> ---
+++ b/include/linux/ima.h@@ -140,6 +140,9 @@ static inline int ima_measure_critical_data(const char *event_label, #endif /* CONFIG_IMA */ +int ima_free_kexec_buffer(void); +int ima_get_kexec_buffer(void **addr, size_t *size);
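Review bot: the two prototypes land after `#endif /* CONFIG_IMA */`, so they are declared unconditionally for every architecture and configuration, with no guard and no fallback in the hunk; a caller on an architecture that provides no definition will compile cleanly and only fail at link time. Suggest either guarding them with the Kconfig symbol that selects kexec-buffer support, or adding `static inline` stubs in an `#else` branch so the declarations and their fallbacks live together. A short kerneldoc comment on `ima_get_kexec_buffer()` stating who owns the returned buffer and when `ima_free_kexec_buffer()` must be called would also help reviewers of the arch-specific implementations.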
Wouldn't moving these function definitions here imply they are implemented on all architectures, or are using the version in drivers/of/kexec.c?

thanks,

Mimi
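To illustrate the setup_data mechanism the patch relies on for carrying the IMA buffer into the next kernel, here is an added example (not code from the patch or the kernel) that walks a constructed setup_data chain and locates the IMA entry with the bounds checks a receiving kernel needs. It assumes the x86 boot-protocol entry layout (next/type/len/data); the type id and the in-arena "next" offsets are placeholders chosen for the example.

```c
#include <stdint.h>
#include <string.h>

struct setup_data {
    uint64_t next;  /* physical address of the next entry; 0 ends the chain */
    uint32_t type;
    uint32_t len;   /* payload bytes in data[] */
    uint8_t  data[];
};

#define SETUP_TYPE_IMA_EXAMPLE 0xFFFFu  /* placeholder, not the patch's real type id */
#define MAX_CHAIN_ENTRIES 64            /* bound against a looping chain */

/* Locate the first entry of `type`; *len receives its payload length.
 * Header and payload are bounds-checked against the arena before any read. */
static const uint8_t *find_setup_data(const uint8_t *arena, size_t alen, uint64_t first, uint32_t type, uint32_t *len)
{
    uint64_t off = first;
    for (int i = 0; off != 0 && i < MAX_CHAIN_ENTRIES; i++) {
        struct setup_data hdr;
        if (off >= alen || alen - off < sizeof hdr)
            return NULL;                         /* header past the arena */
        memcpy(&hdr, arena + off, sizeof hdr);   /* copy avoids unaligned access */
        if (alen - off - sizeof hdr < hdr.len)
            return NULL;                         /* payload past the arena */
        if (hdr.type == type) {
            *len = hdr.len;
            return arena + off + sizeof hdr;
        }
        off = hdr.next;
    }
    return NULL;                                 /* not found or chain too long */
}

/* Constructed sample: an unrelated entry at offset 16 chains to an IMA entry
 * at offset 64 carrying a fake 7-byte "measurement log" (next = arena offset). */
static uint8_t arena[128];

static void build_sample_chain(void)
{
    struct setup_data e0 = { .next = 64, .type = 1, .len = 3 };
    struct setup_data e1 = { .next = 0, .type = SETUP_TYPE_IMA_EXAMPLE, .len = 7 };
    memcpy(arena + 16, &e0, sizeof e0);  memcpy(arena + 32, "abc", 3);
    memcpy(arena + 64, &e1, sizeof e1);  memcpy(arena + 80, "ima-log", 7);
}

/* Walks the sample chain from offset 16; returns the IMA payload length (7) or -1. */
int ima_log_len_in_sample(void)
{
    uint32_t len = 0;
    build_sample_chain();
    const uint8_t *p = find_setup_data(arena, sizeof arena, 16, SETUP_TYPE_IMA_EXAMPLE, &len);
    return (p && memcmp(p, "ima-log", len) == 0) ? (int)len : -1;
}
```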