Hello Prakhar,

Prakhar Srivastava [off-list ref] writes:

On 5/12/20 4:05 PM, Rob Herring wrote:

quoted

On Wed, May 06, 2020 at 10:50:04PM -0700, Prakhar Srivastava wrote:

quoted

Hi Mark,

Please don't top post.

quoted

This patch set currently only address the Pure DT implementation.
EFI and ACPI implementations will be posted in subsequent patchsets.

The logs are intended to be carried over the kexec and once read the
logs are no longer needed and in prior conversation with James(
https://lore.kernel.org/linux-arm-kernel/0053eb68-0905-4679-c97a-00c5cb6f1abb@arm.com/ (local))
the apporach of using a chosen node doesn't
support the case.

The DT entries make the reservation permanent and thus doesnt need kernel
segments to be used for this, however using a chosen-node with
reserved memory only changes the node information but memory still is
reserved via reserved-memory section.

I think Mark's point was whether it needs to be permanent. We don't
hardcode the initrd address for example.

Thankyou for clarifying my misunderstanding, i am modelling this keeping to the
TPM log implementation that uses a reserved memory. I will rev up the version
with chosen-node support.
That will make the memory reservation free after use.

Nice. Do you intend to use the same property that powerpc uses
(linux,ima-kexec-buffer)?

quoted

quoted

On 5/5/20 2:59 AM, Mark Rutland wrote:

quoted

Hi Prakhar,

On Mon, May 04, 2020 at 01:38:27PM -0700, Prakhar Srivastava wrote:

quoted

IMA during kexec(kexec file load) verifies the kernel signature and measures

What's IMAIMA is a LSM attempting to detect if files have been accidentally or

maliciously altered, both remotely and locally, it can also be used
to appraise a file's measurement against a "good" value stored as an extended
attribute, and enforce local file integrity.

IMA also validates and measures the signers of the kernel and initrd
during kexec. The measurements are extended to PCR 10(configurable) and the logs
stored in memory, however once kexec'd the logs are lost. Kexec is used as
secondary boot loader in may use cases and loosing the signer
creates a security hole.

This patch is an implementation to carry over the logs and making it
possible to remotely validate the signers of the kernel and initrd. Such a
support exits only in powerpc.
This patch makes the carry over of logs architecture independent and puts the
complexity in a driver.

If I'm not mistaken, the code at arch/powerpc/kexec/ima.c isn't actually
powerpc-specific. It could be moved to an arch-independent directory and
used by any other architecture which supports device trees.

I think that's the simplest way forward. And to be honest I'm still
trying to understand why you didn't take that approach. Did you try it
and hit some obstacle or noticed a disadvantage for your use case?

--
Thiago Jung Bauermann
IBM Linux Technology Center