Re: [RFC PATCH] ima: add a knob to make IMA be able to be disabled

2025-04-08 Thread Baoquan He
On 04/07/25 at 07:46am, Mimi Zohar wrote: > On Mon, 2025-04-07 at 09:34 +0800, Baoquan He wrote: > > On 04/03/25 at 04:03pm, Mimi Zohar wrote: > > > On Wed, 2025-04-02 at 19:49 +0800, Baoquan He wrote: > > > > On 04/02/25 at 04:43pm, Coiby Xu wrote: > > > > > On Tue, Apr 01, 2025 at 11:30:09PM -040

Re: [PATCH v13 19/19] x86/efi: EFI stub DRTM launch support for Secure Launch

2025-04-08 Thread Konrad Rzeszutek Wilk
..snip.. > > > @@ -925,6 +1014,11 @@ void __noreturn efi_stub_entry(efi_handle_t handle, > > > goto fail; > > > } > > > > > > +#if (IS_ENABLED(CONFIG_SECURE_LAUNCH)) > > > + /* If a Secure Launch is in progress, this never returns */ > > > + efi_secure_launch(boot_params); > > > +#endi

Re: [PATCH v11 9/9] ima: measure kexec load and exec events as critical data

2025-04-08 Thread Mimi Zohar
On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > The amount of memory allocated at kexec load, even with the extra memory > allocated, might not be large enough for the entire measurement list. The > indeterminate interval between kexec 'load' and 'execute' could exacerbate > this problem.

Re: [PATCH v11 6/9] ima: kexec: move IMA log copy from kexec load to execute

2025-04-08 Thread Mimi Zohar
On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > ima_dump_measurement_list() is called during kexec 'load', which may > result in loss of IMA measurements during kexec soft reboot. Due to > missed measurements that only occurred after kexec 'load', this function > needs to be called during

Re: [PATCH v11 2/9] ima: define and call ima_alloc_kexec_file_buf()

2025-04-08 Thread Baoquan He
On 04/08/25 at 08:23am, Mimi Zohar wrote: > On Tue, 2025-04-08 at 16:18 +0800, Baoquan He wrote: > > On 04/08/25 at 01:03am, Mimi Zohar wrote: > > > On Tue, 2025-04-08 at 12:39 +0800, Baoquan He wrote: > > > > On 04/08/25 at 12:07am, Mimi Zohar wrote: > > > > > On Wed, 2025-04-02 at 05:47 -0700, st

Re: [PATCH v11 5/9] ima: kexec: define functions to copy IMA log at soft boot

2025-04-08 Thread Mimi Zohar
On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > The IMA log is currently copied to the new kernel during kexec 'load' > using ima_dump_measurement_list(). However, the log copied at kexec > 'load' may result in loss of IMA measurements that only occurred after > kexec 'load'. Ok > There

Re: [PATCH v11 7/9] ima: verify if the segment size has changed

2025-04-08 Thread Mimi Zohar
On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > kexec 'load' may be called multiple times. Free and realloc the buffer > only if the segment_size is changed from the previous kexec 'load' call. > > Signed-off-by: steven chen Thanks, Steven. Reviewed-by: Mimi Zohar

Re: [PATCH v11 2/9] ima: define and call ima_alloc_kexec_file_buf()

2025-04-08 Thread Mimi Zohar
On Tue, 2025-04-08 at 16:18 +0800, Baoquan He wrote: > On 04/08/25 at 01:03am, Mimi Zohar wrote: > > On Tue, 2025-04-08 at 12:39 +0800, Baoquan He wrote: > > > On 04/08/25 at 12:07am, Mimi Zohar wrote: > > > > On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > > > > > In the current implementa

Re: [PATCH v11 2/9] ima: define and call ima_alloc_kexec_file_buf()

2025-04-08 Thread Baoquan He
On 04/08/25 at 01:03am, Mimi Zohar wrote: > On Tue, 2025-04-08 at 12:39 +0800, Baoquan He wrote: > > On 04/08/25 at 12:07am, Mimi Zohar wrote: > > > On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote: > > > > In the current implementation, the ima_dump_measurement_list() API is > > > > called du