The TPM PCRs are only reset on a hard reboot.  In order to validate a
TPM's quote after a soft reboot (e.g. kexec -e), the IMA measurement list
of the running kernel must be saved and then restored on the subsequent
boot.

The existing securityfs binary_runtime_measurements file conveniently
provides a serialized format of the IMA measurement list. This patch
set serializes the measurement list in this format and restores it.

This patch set pre-req's Thiago Bauermann's "kexec_file: Add buffer
hand-over for the next kernel" patch set* for actually carrying the
serialized measurement list across the kexec.

Mimi

*https://lists.infradead.org/pipermail/kexec/2016-June/016157.html

Mimi Zohar (6):
  ima: on soft reboot, restore the measurement list
  ima: permit duplicate measurement list entries
  ima: maintain memory size needed for serializing the measurement list
  ima: serialize the binary_runtime_measurements
  ima: store the builtin/custom template definitions in a list
  ima: support restoring multiple template formats

Thiago Jung Bauermann (1):
  ima: on soft reboot, save the measurement list

 include/linux/ima.h                   |  15 ++
 kernel/kexec_file.c                   |   3 +
 security/integrity/ima/Kconfig        |  12 ++
 security/integrity/ima/Makefile       |   1 +
 security/integrity/ima/ima.h          |  14 ++
 security/integrity/ima/ima_fs.c       |   2 +-
 security/integrity/ima/ima_init.c     |   2 +
 security/integrity/ima/ima_kexec.c    | 189 ++++++++++++++++++++++++
 security/integrity/ima/ima_main.c     |   1 +
 security/integrity/ima/ima_queue.c    |  72 +++++++++-
 security/integrity/ima/ima_template.c | 262 ++++++++++++++++++++++++++++++++--
 11 files changed, 556 insertions(+), 17 deletions(-)
 create mode 100644 security/integrity/ima/ima_kexec.c

-- 
2.1.0


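The reason the list has to survive the kexec, shown as an added example that is not code from this patch set: a verifier replays the serialized measurement list into an expected PCR 10 value, and only the restored list (old kernel plus new kernel) reproduces a PCR that was never reset. It assumes the little-endian binary_runtime_measurements layout with SHA-1 digests and ima-ng style entries; all function names and sample paths are constructed for illustration.

```python
import hashlib
import struct

ZERO, FF = bytes(20), b"\xff" * 20  # PCR reset value; value extended for a violation

def u32(n):
    return struct.pack("<I", n)

def pack_entry(pcr, path, violation=False, name=b"ima-ng"):
    # Constructed entry: pcr | SHA-1 template digest | name len | name | data len | data
    d, n = b"sha1:\0" + hashlib.sha1(path).digest(), path + b"\0"
    data = u32(len(d)) + d + u32(len(n)) + n  # length-prefixed d-ng and n-ng fields
    digest = ZERO if violation else hashlib.sha1(data).digest()
    return u32(pcr) + digest + u32(len(name)) + name + u32(len(data)) + data

def parse(buf):
    off = 0
    def take(n):
        nonlocal off
        if off + n > len(buf):
            raise ValueError("truncated measurement list")
        off += n
        return buf[off - n:off]
    def rd32():
        return struct.unpack("<I", take(4))[0]
    while off < len(buf):
        pcr = rd32()
        yield pcr, take(20), take(rd32()), take(rd32())  # pcr, digest, name, data

def replay(buf, start=ZERO, pcr_index=10):
    pcr = start
    for idx, digest, _name, data in parse(buf):
        if idx != pcr_index:
            continue
        if digest == ZERO:
            digest = FF  # a violation is listed as zeros but extended as 0xFF
        elif hashlib.sha1(data).digest() != digest:
            raise ValueError("template digest does not match template data")
        pcr = hashlib.sha1(pcr + digest).digest()
    return pcr

# Constructed sample lists (not real measurements), one per kernel.
first = b"".join(pack_entry(10, p)
                 for p in (b"boot_aggregate", b"/sbin/init", b"/sbin/kexec"))
second = pack_entry(10, b"/usr/bin/app")

def check_after_kexec():
    tpm_pcr10 = replay(second, start=replay(first))  # kexec does not reset PCR 10
    return replay(second) == tpm_pcr10, replay(first + second) == tpm_pcr10
```

`check_after_kexec()` returns a pair: whether the new kernel's list alone matches the PCR, and whether the restored list does.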