On 3/2/21 7:06 AM, Rob Herring wrote:
On Sun, Feb 21, 2021 at 11:49 AM Lakshmi Ramasubramanian <[email protected]> wrote:On kexec file load Integrity Measurement Architecture (IMA) subsystem may verify the IMA signature of the kernel and initramfs, and measure it. The command line parameters passed to the kernel in the kexec call may also be measured by IMA. A remote attestation service can verify a TPM quote based on the TPM event log, the IMA measurement list, and the TPM PCR data. This can be achieved only if the IMA measurement log is carried over from the current kernel to the next kernel across the kexec call. powerpc already supports carrying forward the IMA measurement log on kexec. This patch set adds support for carrying forward the IMA measurement log on kexec on ARM64. This patch set moves the platform independent code defined for powerpc such that it can be reused for other platforms as well. A chosen node "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold the address and the size of the memory reserved to carry the IMA measurement log. This patch set has been tested for ARM64 platform using QEMU. I would like help from the community for testing this change on powerpc. Thanks. This patch set is based on commit f31e3386a4e9 ("ima: Free IMA measurement buffer after kexec syscall") in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git "ima-kexec-fixes" branch.
[...]
Lakshmi Ramasubramanian (10): kexec: Move ELF fields to struct kimage arm64: Use ELF fields defined in 'struct kimage' powerpc: Use ELF fields defined in 'struct kimage' x86: Use ELF fields defined in 'struct kimage' powerpc: Move ima buffer fields to struct kimage powerpc: Enable passing IMA log to next kernel on kexec powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c kexec: Use fdt_appendprop_addrrange() to add ima buffer to FDT powerpc: Delete unused function delete_fdt_mem_rsv() arm64: Enable passing IMA log to next kernel on kexec Rob Herring (3): of: Add a common kexec FDT setup function arm64: Use common of_kexec_alloc_and_setup_fdt() powerpc: Use common of_kexec_alloc_and_setup_fdt() arch/arm64/Kconfig | 1 + arch/arm64/include/asm/kexec.h | 4 - arch/arm64/kernel/machine_kexec_file.c | 194 +---------- arch/powerpc/Kconfig | 2 +- arch/powerpc/include/asm/ima.h | 30 -- arch/powerpc/include/asm/kexec.h | 14 +- arch/powerpc/kexec/Makefile | 7 - arch/powerpc/kexec/elf_64.c | 30 +- arch/powerpc/kexec/file_load.c | 183 +--------- arch/powerpc/kexec/file_load_64.c | 21 +- arch/powerpc/kexec/ima.c | 219 ------------ arch/x86/include/asm/kexec.h | 5 - arch/x86/kernel/crash.c | 14 +- arch/x86/kernel/kexec-bzimage64.c | 2 +- arch/x86/kernel/machine_kexec_64.c | 4 +- drivers/of/Makefile | 6 + drivers/of/kexec.c | 458 +++++++++++++++++++++++++ include/linux/kexec.h | 8 + include/linux/of.h | 7 + security/integrity/ima/ima.h | 4 - security/integrity/ima/ima_kexec.c | 9 +- 21 files changed, 539 insertions(+), 683 deletions(-) delete mode 100644 arch/powerpc/include/asm/ima.h delete mode 100644 arch/powerpc/kexec/ima.c create mode 100644 drivers/of/kexec.cI fixed up the Fixes tags and applied for 5.13.
Thanks a lot Rob. -lakshmi
