The current Kernel behavior is IMA measurements snapshot is taken at
kexec 'load' and not at kexec 'execute'. IMA log is then carried
over to the new Kernel after kexec 'execute'.
New events can be measured during/after the IMA log snapshot at kexec
'load' and before the system boots to the new Kernel. In this scenario,
the TPM PCRs are extended with these events, but they are not carried
over to the new Kernel after kexec soft reboot since the snapshot is
already taken. This results in mismatch between TPM PCR quotes and the
actual IMA measurements list after kexec soft reboot, which in turn
results in remote attestation failure.
To solve this problem -
- allocate the necessary buffer at kexec 'load' time,
- populate the buffer with the IMA measurements at kexec 'execute' time,
- and measure two new IMA events 'kexec_load' and 'kexec_execute' as
critical data to help detect missing events after kexec soft reboot.
The solution details include:
- refactoring the existing code to allocate a buffer to hold IMA
measurements at kexec 'load', and dump the measurements at kexec
'execute'
- IMA functionality to suspend and resume measurements as needed during
buffer copy at kexec 'execute',
- kexec functionality for mapping the segments from the current Kernel
to the subsequent one,
- necessary changes to the kexec_file_load syscall, enabling it to call
the ima functions,
- registering a reboot notifier which gets called during kexec
'execute',
- introducing a new Kconfig option to configure the extra memory to be
allocated for passing IMA log from the current Kernel to the next,
- introducing two new events to be measured by IMA during kexec, to
help diagnose if the IMA log was copied fully or partially, from the
current Kernel to the next,
- excluding IMA segment while calculating and storing digest in function
kexec_calculate_store_digests(), since IMA segment can be modified
after the digest is computed during kexec 'load'. This will ensure
that the segment is not added to the 'purgatory_sha_regions', and thus
not verified by verify_sha256_digest().
The changes proposed in this series ensure the integrity of the IMA
measurements is preserved across kexec soft reboots, thus significantly
improving the security of the Kernel post kexec soft reboots.
There were previous attempts to fix this issue [1], [2], [3]. But they
were not merged into the mainline Kernel.
We took inspiration from the past work [1] and [2] while working on this
patch series.
V4 of this series is available here[6] for reference.
References:
---
[1] [PATHC v2 5/9] ima: on soft reboot, save the measurement list
https://lore.kernel.org/lkml/1472596811-9596-6-git-send-email-zo...@linux.vnet.ibm.com/
[2] PATCH v2 4/6] kexec_file: Add mechanism to update kexec segments.
https://lkml.org/lkml/2016/8/16/577
[3] [PATCH 1/6] kexec_file: Add buffer hand-over support
https://lore.kernel.org/linuxppc-dev/1466473476-10104-6-git-send-email-bauer...@linux.vnet.ibm.com/T/
[4] [PATCH v2 0/7] ima: kexec: measure events between kexec load and execute
https://lore.kernel.org/all/20231005182602.634615-1-tusha...@linux.microsoft.com/
[5] [PATCH v3 0/7] ima: kexec: measure events between kexec load and execute
https://lore.kernel.org/all/20231216010729.2904751-1-tusha...@linux.microsoft.com/
[6] [PATCH v4 0/7] ima: kexec: measure events between kexec load and execute
https://lore.kernel.org/all/20240122183804.3293904-1-tusha...@linux.microsoft.com/
Change Log v5:
- Incorporated feedback from the community (Stefan Berger and
Mimi Zohar) on v4 of this series[6].
- Rebased the patch series to mainline 6.8.0-rc1.
- Verified all the patches are bisect-safe by booting into each
patch and verifying multiple kexec 'load' operations work,
and also verifying kexec soft reboot works, and IMA log gets
carried over for each patch.
- Divided the patch #4 in the v4 of the series[6] into two separate
patches. One (patch #4) to setup the infrastructure/stub functions
to prepare the IMA log copy from Kexec 'load' to 'execute', and
another one (patch #5) to actually copy the log.
- Updated the config description for IMA_KEXEC_EXTRA_MEMORY_KB
to remove unnecessary references related to backwards compatibility.
- Fixed a typo in log message/removed an extra line etc.
- Updated patch descriptions as per the feedback.
Change Log v4:
- Incorporated feedback from the community (Stefan Berger and
Mimi Zohar) on v3 of this series[5].
- Rearranged patches so that they remain bisect-safe i.e. the
system can go through kexec soft reboot, and IMA log is carried
over after each patch.
- Verified all the patches are bisect-safe by booting into each
patch and verifying kexec soft reboot works, and IMA log gets
carried over.
- Suspend-resume measurements is now a separate patch (patch #5)
and all the relevant code is part of the same patch.
-