Thread (15 messages), 2 authors, 2025-01-29

Re: [PATCH v6 6/7] ima: make the kexec extra memory configurable

From: steven chen <hidden>
Date: 2025-01-28 18:34:03
Also in: linux-integrity, lkml

On 1/28/2025 7:18 AM, Stefan Berger wrote:

On 1/24/25 5:55 PM, steven chen wrote:
quoted
The extra memory allocated for carrying the IMA measurement list across
kexec is hard-coded as half a PAGE.  Make it configurable.

Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
extra memory (in kb) to be allocated for IMA measurements added during
kexec soft reboot.  Ensure the default value of the option is set such
that extra half a page of memory for additional measurements is allocated
for the additional measurements.

Update ima_add_kexec_buffer() function to allocate memory based on the
Kconfig option value, rather than the currently hard-coded one.

From: Tushar Sugandhi <redacted>
Author: Tushar Sugandhi [off-list ref]
Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Tushar Sugandhi <redacted>
Signed-off-by: steven chen <redacted>
---
  security/integrity/ima/Kconfig     | 10 ++++++++++
  security/integrity/ima/ima_kexec.c | 16 ++++++++++------
  2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/Kconfig 
b/security/integrity/ima/Kconfig
index 475c32615006..7dd2ed8b2cdc 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
      help
         This option disables htable to allow measurement of 
duplicate records.
  +config IMA_KEXEC_EXTRA_MEMORY_KB
+    int
int "Extra memory for IMA measurements added during kexec soft reboot"

Without the description I wasn't able to modify the value.
quoted
+    depends on IMA_KEXEC
+    default 0
+    help
+      IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
+      allocated (in kb) for IMA measurements added during kexec soft 
reboot.
+      If set to the default value, an extra half a page of memory 
for those
+      additional measurements will be allocated.
+
  endif
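
Review bot: the new `config IMA_KEXEC_EXTRA_MEMORY_KB` entry has no `range`, so any integer, including a negative one or one far larger than the memory available, is accepted at configuration time and has to be handled later in C. Adding a `range` with 0 as the lower bound and a documented upper bound would reject such values in Kconfig itself, in addition to the prompt string already requested in this thread. The help text refers to 0 only as "the default value"; saying explicitly that 0 selects half a page, and writing the unit as KB rather than kb, would make the sentinel clear to anyone changing the option.
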
diff --git a/security/integrity/ima/ima_kexec.c 
b/security/integrity/ima/ima_kexec.c
index d5f004cfeaec..c9c916f69ca7 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -128,22 +128,26 @@ void ima_add_kexec_buffer(struct kimage *image)
                    .buf_min = 0, .buf_max = ULONG_MAX,
                    .top_down = true };
      unsigned long binary_runtime_size;
-
+    unsigned long extra_size;
      /* use more understandable variable names than defined in kbuf */
      void *kexec_buffer = NULL;
      size_t kexec_buffer_size = 0;
      int ret;
        /*
-     * Reserve an extra half page of memory for additional measurements
-     * added during the kexec load.
+     * Reserve extra memory for measurements added during kexec.
       */
-    binary_runtime_size = ima_get_binary_runtime_size();
+    if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
+        extra_size = PAGE_SIZE / 2;
+    else
+        extra_size = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;
+    binary_runtime_size = ima_get_binary_runtime_size() + extra_size;
+
      if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
          kexec_segment_size = ULONG_MAX;
      else
-        kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
-                       PAGE_SIZE / 2, PAGE_SIZE);
+        kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);
+
      if ((kexec_segment_size == ULONG_MAX) ||
          ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
          pr_err("Binary measurement list too large.\n");
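
Review bot: in `ima_add_kexec_buffer()`, `extra_size` is added to `ima_get_binary_runtime_size()` before the `>= ULONG_MAX - PAGE_SIZE` test, so a sum that wraps around produces a small `binary_runtime_size` that passes the test, and `kexec_segment_size` is then computed from the wrapped value. Test the runtime size before adding, or do the addition with `check_add_overflow()` and treat overflow as the `ULONG_MAX` case. Separately, `CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024` multiplies two plain integer constants before the result is assigned to `unsigned long`, so a large configured value can overflow in the multiplication; writing `* 1024UL` and bounding the option in Kconfig avoids that.
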
With the changes to Kconfig:


Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Thanks, will update in the next release