On Wed, 2016-11-30 at 15:52 +1100, Michael Ellerman wrote:
> Andrew Morton <a...@linux-foundation.org> writes:
>
> > On Tue, 29 Nov 2016 23:45:46 +1100 Michael Ellerman <m...@ellerman.id.au> wrote:
> >
> >> This is v11 of the kexec_file_load() for powerpc series.
> >>
> >> I've stripped this down to the minimum we need, so we can get this in for 4.10.
> >> Any additions can come later incrementally.
> >
> > This made a bit of a mess of Mimi's series "ima: carry the
> > measurement list across kexec v10".
>
> Urk, sorry about that. I didn't realise there was a big dependency
> between them, but I guess I should have tried to do the rebase.
>
> > powerpc-ima-get-the-kexec-buffer-passed-by-the-previous-kernel.patch
> > ima-on-soft-reboot-restore-the-measurement-list.patch
> > ima-permit-duplicate-measurement-list-entries.patch
> > ima-maintain-memory-size-needed-for-serializing-the-measurement-list.patch
> > powerpc-ima-send-the-kexec-buffer-to-the-next-kernel.patch
> > ima-on-soft-reboot-save-the-measurement-list.patch
> > ima-store-the-builtin-custom-template-definitions-in-a-list.patch
> > ima-support-restoring-multiple-template-formats.patch
> > ima-define-a-canonical-binary_runtime_measurements-list-format.patch
> > ima-platform-independent-hash-value.patch
> >
> > I made the syntactic fixes but I won't be testing it.

Dmitry Kasatkin's acked-by needs to be included for the IMA patches.

> Thanks.
>
> TBH I don't know how to test the IMA part, I'm relying on Thiago and
> Mimi to do that.

It should be straightforward. Enable CONFIG_IMA_KEXEC to carry the
measurements from one kernel to the next. Use a kexec_file_load version
of kexec to boot the next kernel. On the boot command line add "ima_tcb"
or "ima_policy=ima_tcb". If the measurements were carried across kexec,
the IMA measurement list <securityfs>/ima/ascii_runtime_measurements
should contain an initial "boot_aggregate", as the first record, and a
"boot_aggregate", as a delimiter, for each subsequent kexec.

> >> If no one objects I'll merge this via the powerpc tree. The three kexec patches
> >> have been acked by Dave Young (since forever), and have been in linux-next (via
> >> akpm's tree) also for a long time.
> >
> > OK, I'll wait for these to appear in -next and I will await advice on
>
> Thanks. I'll let them stew for a few more hours and then put them in my
> next for tomorrow's linux-next.

Thiago tested the patches yesterday. Everything seemed fine. After
cherry picking the kexec_file_load() patches and rebasing the
restore_kexec patches on top of it in my tree, there were some problems.
Perhaps there are some dependencies that I'm missing.

Mimi
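
The boot_aggregate check described in the message above, as an added example that is not part of the original thread. The function names are hypothetical, the sample records are constructed with placeholder digests, and it assumes the record name is the fifth whitespace-separated field of each ASCII list line.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel tree.
# On a live system, pass <securityfs>/ima/ascii_runtime_measurements.

# Print "<name of first record> <number of boot_aggregate records>".
# Assumption: field 5 is the file-name hint (ima, ima-ng, ima-sig templates).
ima_summary() {
    awk 'NF >= 5 { if (!seen++) first = $5
                   if ($5 == "boot_aggregate") n++ }
         END { if (first == "") first = "-"; print first, n + 0 }' "$1"
}

# $1 = list file, $2 = number of kexecs performed since the cold boot.
# Succeeds only if the list starts with boot_aggregate and holds one
# additional boot_aggregate delimiter per kexec.
check_kexec_carry() {
    summary=$(ima_summary "$1") || return 2
    first=${summary% *}
    count=${summary#* }
    [ "$first" = "boot_aggregate" ] && [ "$count" -eq $(( $2 + 1 )) ]
}

# Constructed sample: cold boot, one kexec, list carried across.
write_sample_carried() {
    cat > "$1" <<'EOF'
10 1111111111111111111111111111111111111111 ima-ng sha1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa boot_aggregate
10 2222222222222222222222222222222222222222 ima-ng sha1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /init
10 3333333333333333333333333333333333333333 ima-ng sha1:cccccccccccccccccccccccccccccccccccccccc /usr/sbin/kexec
10 4444444444444444444444444444444444444444 ima-ng sha1:dddddddddddddddddddddddddddddddddddddddd boot_aggregate
10 5555555555555555555555555555555555555555 ima-ng sha1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /init
EOF
}

# Constructed sample: same kexec, but the previous kernel's list was lost.
write_sample_not_carried() {
    cat > "$1" <<'EOF'
10 4444444444444444444444444444444444444444 ima-ng sha1:dddddddddddddddddddddddddddddddddddddddd boot_aggregate
10 5555555555555555555555555555555555555555 ima-ng sha1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /init
EOF
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp) && write_sample_carried "$demo" && ima_summary "$demo"
rm -f "$demo"
```

A list that was not carried across still begins with "boot_aggregate", so the count of delimiter records is what distinguishes the two cases.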