[PATCH 4/7] ima: serialize the binary_runtime_measurements

Thu, 04 Aug 2016 05:27:07 -0700 

The TPM PCRs are only reset on a hard reboot.  In order to validate a
TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list
of the running kernel must be saved and restored on boot.  This patch
serializes the IMA measurement list in the binary_runtime_measurements
format.

Signed-off-by: Mimi Zohar <zo...@linux.vnet.ibm.com>
---
 security/integrity/ima/ima.h       |  1 +
 security/integrity/ima/ima_fs.c    |  2 +-
 security/integrity/ima/ima_kexec.c | 51 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
index 222668f..f972296 100644
--- a/security/integrity/ima/ima.h
+++ b/security/integrity/ima/ima.h
@@ -132,6 +132,7 @@ struct ima_template_desc *ima_template_desc_current(void);
 void ima_load_kexec_buffer(void);
 int ima_restore_measurement_entry(struct ima_template_entry *entry);
 int ima_restore_measurement_list(loff_t bufsize, void *buf);
+int ima_measurements_show(struct seq_file *m, void *v);
 unsigned long ima_get_binary_runtime_size(void);
 int ima_init_template(void);
 
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_fs.c
index c07a384..66e5dd5 100644
--- a/security/integrity/ima/ima_fs.c
+++ b/security/integrity/ima/ima_fs.c
@@ -116,7 +116,7 @@ void ima_putc(struct seq_file *m, void *data, int datalen)
  *       [eventdata length]
  *       eventdata[n]=template specific data
  */
-static int ima_measurements_show(struct seq_file *m, void *v)
+int ima_measurements_show(struct seq_file *m, void *v)
 {
        /* the list never shrinks, so we don't need a lock here */
        struct ima_queue_entry *qe = v;
diff --git a/security/integrity/ima/ima_kexec.c 
b/security/integrity/ima/ima_kexec.c
index 6a046ad..e77ca9d 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -23,6 +23,57 @@
 
 #include "ima.h"
 
+static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
+                                    unsigned long segment_size)
+{
+       struct ima_queue_entry *qe;
+       struct seq_file file;
+       struct ima_kexec_hdr khdr = {
+               .version = 1, .buffer_size = 0, .count = 0};
+       int ret = 0;
+
+       /* segment size can't change between kexec load and execute */
+       file.buf = vmalloc(segment_size);
+       if (!file.buf) {
+               ret = -ENOMEM;
+               goto out;
+       }
+
+       file.size = segment_size;
+       file.read_pos = 0;
+       file.count = sizeof(khdr);      /* reserved space */
+
+       list_for_each_entry_rcu(qe, &ima_measurements, later) {
+               if (file.count < file.size) {
+                       khdr.count++;
+                       ima_measurements_show(&file, qe);
+               } else {
+                       ret = -EINVAL;
+                       break;
+               }
+       }
+
+       if (ret < 0)
+               goto out;
+
+       /*
+        * fill in reserved space with some buffer details
+        * (eg. version, buffer size, number of measurements)
+        */
+       khdr.buffer_size = file.count;
+       memcpy(file.buf, &khdr, sizeof(khdr));
+       print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE,
+                       16, 1, file.buf,
+                       file.count < 100 ? file.count : 100, true);
+
+       *buffer_size = file.count;
+       *buffer = file.buf;
+out:
+       if (ret == -EINVAL)
+               vfree(file.buf);
+       return ret;
+}
+
 /*
  * Restore the measurement list from the previous kernel.
  */
-- 
2.1.0


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

Reply via email to