On 4/16/2025 6:09 PM, Stefan Berger wrote:

On 4/15/25 10:10 PM, steven chen wrote:

quoted

From: Steven Chen <redacted>

The current kernel behavior is IMA measurements snapshot is taken at
kexec 'load' and not at kexec 'execute'.  IMA log is then carried
over to the new kernel after kexec 'execute'.

Currently, the kernel behavior during kexec load is to fetch the IMA
measurements log from TPM PCRs and store it in a buffer. When a kexec
reboot is triggered, this stored log buffer is carried over to the 
second
kernel. However, the time gap between kexec load and kexec reboot can be
very long. During this time window, new events extended into TPM PCRs 
miss
the chance to be carried over to the second kernel. This results in
mismatch between TPM PCR quotes and the actual IMA measurements list 
after
kexec soft reboot, which in turn results in remote attestation failure.

Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm

Hi Stefan,

Thank you very much!

Steven