Signed-off-by: Prakhar Srivastava
---
arch/arm64/kernel/machine_kexec_file.c | 19 ++-
arch/powerpc/kexec/ima.c | 8 +---
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec_file.c
b/arch/arm64/kernel
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/machine_kexec_file.c | 11 +++
2 files changed, 12 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 66dc41fd49f2..ece34b8ca648 100644
--- a/arch/arm64/Kconfig
Signed-off-by: Prakhar Srivastava
---
security/integrity/ima/ima_kexec.c | 20 +---
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/security/integrity/ima/ima_kexec.c
b/security/integrity/ima/ima_kexec.c
index 2fe2d3bf7bda..e47982e9bb67 100644
--- a/security
Signed-off-by: Prakhar Srivastava
---
arch/powerpc/kexec/ima.c | 63
1 file changed, 25 insertions(+), 38 deletions(-)
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index 563313703756..a9e4e9f04273 100644
--- a/arch/powerpc/kexec/ima.c
Store the physical address and size of the IMA measurement logs that get picked up
by the setup_dtb during kexec.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/include/asm/ima.h | 17 +
arch/arm64/include/asm/kexec.h | 3 +++
arch/arm64/kernel
the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Prakhar Srivastava (6):
Refactoring powerpc code to be made available to other architectures
Update remove_ima_buffer code to use
Existing code in arch/powerpc can be used for carrying forward the IMA measurement
logs by other architectures.
Moving non architecture specific code to security/integrity, to be made available
to other architectures
Signed-off-by: Prakhar Srivastava
---
arch/powerpc/include/asm/ima.h
On 6/19/20 5:41 PM, Thiago Jung Bauermann wrote:
Prakhar Srivastava writes:
Integrity measurement architecture(IMA) validates if files
have been accidentally or maliciously altered, both remotely and
locally, appraise a file's measurement against a "good" value stored
as a
On 6/19/20 5:19 PM, Thiago Jung Bauermann wrote:
Prakhar Srivastava writes:
Powerpc has support to carry over the IMA measurement logs. Refactoring the
non-architecture specific code out of arch/powerpc and into security/ima.
The code adds support for reserving and freeing up of memory
or cold boot.
Prakhar Srivastava (3):
Refactoring powerpc code for carrying over IMA measurement logs, to
move non architecture specific code to security/ima.
dt-bindings: chosen: Document ima-kexec-buffer carrying over IMA
measurement logs over kexec.
Add support for arm64 to carry over IMA
Integrity measurement architecture(IMA) validates if files
have been accidentally or maliciously altered, both remotely and
locally, appraise a file's measurement against a "good" value stored
as an extended attribute, and enforce local file integrity.
IMA also measures signatures of kernel and
Add support for arm64 to carry over IMA measurement logs.
Update arm64 code to call into functions made available in patch 1/3.
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/ima.h | 17 ++
arch/arm64/include/asm/kexec.h | 3 ++
Powerpc has support to carry over the IMA measurement logs. Refactoring the
non-architecture specific code out of arch/powerpc and into security/ima.
The code adds support for reserving and freeing up of memory for IMA measurement
logs.
---
arch/powerpc/include/asm/ima.h | 10 ---
IMA during kexec(kexec file load) verifies the kernel signature and measures
the signature of the kernel. The signature in the logs can be used to verify the
authenticity of the kernel. The logs do not get carried over kexec and thus
remote attestation cannot verify the signature of the running
Add Documentation regarding the ima-kexec-buffer node in
the chosen node documentation
Signed-off-by: Prakhar Srivastava
---
Documentation/devicetree/bindings/chosen.txt | 17 +
1 file changed, 17 insertions(+)
diff --git a/Documentation/devicetree/bindings/chosen.txt
b
This patch moves the non-architecture specific code out of powerpc and
adds to security/ima.
Update the arm64 and powerpc kexec file load paths to carry the IMA measurement
logs.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/ima.h
On 5/22/20 9:08 PM, Thiago Jung Bauermann wrote:
Hello Prakhar,
Prakhar Srivastava writes:
On 5/12/20 4:05 PM, Rob Herring wrote:
On Wed, May 06, 2020 at 10:50:04PM -0700, Prakhar Srivastava wrote:
Hi Mark,
Please don't top post.
This patch set currently only addresses the Pure DT
On 5/12/20 4:09 PM, Rob Herring wrote:
On Mon, May 04, 2020 at 01:38:28PM -0700, Prakhar Srivastava wrote:
Introduce a device tree layer to read and store ima buffer
from the reserved memory section of a device tree.
But why do I need 'a layer of abstraction'? I don't like them
On 5/12/20 4:05 PM, Rob Herring wrote:
On Wed, May 06, 2020 at 10:50:04PM -0700, Prakhar Srivastava wrote:
Hi Mark,
Please don't top post.
This patch set currently only addresses the Pure DT implementation.
EFI and ACPI implementations will be posted in subsequent patchsets.
The logs
changes the node information but memory still is
reserved via reserved-memory section.
On 5/5/20 2:59 AM, Mark Rutland wrote:
Hi Prakhar,
On Mon, May 04, 2020 at 01:38:27PM -0700, Prakhar Srivastava wrote:
IMA during kexec(kexec file load) verifies the kernel signature and measures
the signature
Introduce a device tree layer to read and store ima buffer
from the reserved memory section of a device tree.
Signed-off-by: Prakhar Srivastava
---
drivers/of/Kconfig | 6 ++
drivers/of/Makefile | 1 +
drivers/of/of_ima.c | 165
include
on:
arm64 with Uboot
Prakhar Srivastava (2):
Add a layer of abstraction to use the memory reserved by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer
Add support for ima buffer pass using reserved memory for
arm64 kexec. Update the arch specific code path in kexec file load to store
the ima buffer in the reserved memory. The same reserved memory is read on
kexec or cold boot.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig
Introduce a device tree layer to read and store ima buffer
from the reserved memory section of a device tree.
Signed-off-by: Prakhar Srivastava
---
drivers/of/Kconfig | 6 ++
drivers/of/Makefile | 1 +
drivers/of/of_ima.c | 165
include
Add support for ima buffer pass using reserved memory for
arm64 kexec. Update the arch specific code path in kexec file load to store
the ima buffer in the reserved memory. The same reserved memory is read on
kexec or cold boot.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig
on:
arm64 with Uboot
Prakhar Srivastava (2):
Add a layer of abstraction to use the memory reserved by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer
update powerpc ima buffer pass implementation to call into
of_ima* for a cross architecture support.
Signed-off-by: Prakhar Srivastava
---
arch/powerpc/include/asm/ima.h | 6 --
arch/powerpc/kernel/Makefile| 8 +-
arch/powerpc/kernel/ima_kexec.c | 170
and end for ima measurement
log.
- use fdt_* functions to add/remove fdt properties and memory
allocations.
- remove additional check for endian-ness as they are checked
in fdt_* functions.
v0:
- Add support to carry ima measurement log in arm64,
uses same code as powerpc.
Prakhar
During kexec_file_load, carrying forward the ima measurement log allows
a verifying party to get the entire runtime event log since the last
full reboot since that is when PCRs were last reset.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig | 7 +
arch/arm64
During kexec_file_load, carrying forward the ima measurement log allows
a verifying party to get the entire runtime event log since the last
full reboot since that is when PCRs were last reset.
Signed-off-by: Prakhar Srivastava
---
arch/arm64/Kconfig | 7 +
arch/arm64
. This lead to loss of information.
Carrying forward the ima measurement log to the next kexec'ed session.
This allows a verifying party to get the entire runtime event log since
the last full reboot since that is when PCRs were last reset.
Prakhar Srivastava (1):
Add support for arm64 to carry
is in most part same as powerpc, I want to get feedback as to
how/correct way to refactor the code so that cross architecture
partial helpers can be put in a common place.
Prakhar Srivastava (1):
Carry ima measurement log for arm64 via kexec_file_load
arch/arm64/Kconfig | 7
-by: Prakhar Srivastava
---
arch/arm64/Kconfig | 7 +
arch/arm64/include/asm/ima.h | 31
arch/arm64/include/asm/kexec.h | 4 +
arch/arm64/kernel/Makefile | 1 +
arch/arm64/kernel/ima_kexec.c | 219 +
arch
easure the boot command line
arguments"
- Add a new template policy name ima-buf to represent
'd-ng|n-ng|buf'
Signed-off-by: Prakhar Srivastava
Reviewed-by: Roberto Sassu
Reviewed-by: James Morris
---
Documentation/security/IMA-templates.rst | 7 ---
security/integrity/ima/ima
uggested by Mimi Zohar]
- use the IMA_XATTR to add buffer instead of sig template
v1:
-Add kconfigs to control the ima_buffer_check
-measure the cmdline args suffixed with the kernel file name
-add the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to me
been measured.
Signed-off-by: Prakhar Srivastava
Reviewed-by: James Morris
Acked-by: Dave Young
---
kernel/kexec_file.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 072b6ee55e3f..b0c724e5d86c 100644
--- a/kernel
process_buffer_measurement is defined to measure
the buffer hash into the IMA measurement list.
- A new func policy KEXEC_CMDLINE is defined to control the
measurement.[Suggested by Mimi]
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h
> > if (iint->measured_pcrs & (0x1 << pcr))
> > diff --git a/security/integrity/ima/ima_init.c
> > b/security/integrity/ima/ima_init.c
> > index 993d0f1915ff..c8591406c0e2 100644
> > --- a/security/integrity/ima/ima_init.c
> > +++ b/security/integrity/ima/ima_init.c
> > @@ -50,7 +50,7 @@
On Mon, Jun 17, 2019 at 11:37 AM Prakhar Srivastava wrote:
>
> Currently during soft reboot(kexec_file_load) boot command line
> arguments are not measured. Define hooks needed to measure kexec
> command line arguments during soft reboot(kexec_file_load).
>
> - A new ima hook
process_buffer_measurement is defined to measure
the buffer hash into the IMA measurement list.
- A new func policy KEXEC_CMDLINE is defined to control the
measurement.[Suggested by Mimi]
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h
been measured.
Signed-off-by: Prakhar Srivastava
Reviewed-by: James Morris
Acked-by: Dave Young
---
kernel/kexec_file.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 072b6ee55e3f..b0c724e5d86c 100644
--- a/kernel
template
v1:
-Add kconfigs to control the ima_buffer_check
-measure the cmdline args suffixed with the kernel file name
-add the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to measure cmdline args
add a new ima template field buf
cal
easure the boot command line
arguments"
- Add a new template policy name ima-buf to represent
'd-ng|n-ng|buf'
Signed-off-by: Prakhar Srivastava
Reviewed-by: Roberto Sassu
Reviewed-by: James Morris
---
Documentation/security/IMA-templates.rst | 7 ---
security/integrity/ima/ima
easure the boot command line
arguments"
- Add a new template policy name ima-buf to represent
'd-ng|n-ng|buf'
Signed-off-by: Prakhar Srivastava
Reviewed-by: Roberto Sassu
Reviewed-by: James Morris
---
Documentation/security/IMA-templates.rst | 7 ---
security/integrity/ima/ima
process_buffer_measurement is defined to measure
the buffer hash into the IMA measurement list.
- A new func policy KEXEC_CMDLINE is defined to control the
measurement.[Suggested by Mimi]
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h
template
v1:
-Add kconfigs to control the ima_buffer_check
-measure the cmdline args suffixed with the kernel file name
-add the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to measure cmdline args
add a new ima template field buf
cal
been measured.
Signed-off-by: Prakhar Srivastava
Reviewed-by: James Morris
Acked-by: Dave Young
---
kernel/kexec_file.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 072b6ee55e3f..b0c724e5d86c 100644
--- a/kernel
> My mistake. I should have picked up Thiago's "ima: Use designated
> > initializers for struct ima_event_data". Please drop these changes
> > instead.
>
> Sorry for the confusion. I just pushed out Thiago's patch.
>
Just to clarify:
- no split up of patch is needed.
- only formatting needs to be cleaned up.
Apologies for the formatting issues, my editor switches back to
tab as 4 chars.
Thanks,
Prakhar Srivastava
> thanks,
>
> Mimi
>
On Thu, Jun 13, 2019 at 12:22 PM Mimi Zohar wrote:
>
> Hi Prakhar,
>
> Patches titles in the subject line need to be prefixed with the
> subsystem, in this case "ima: ".
>
> On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
> > This patch adds su
On Thu, Jun 13, 2019 at 1:48 PM Mimi Zohar wrote:
>
> On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
>
> > The kexec cmdline hash is stored in the "d-ng" field of the template data.
> > and can be verified using
> > sudo c
. process_buffer_measurement added in
"Define a new IMA hook to measure the boot command line
arguments"
- Add a new template policy name ima-buf to represent
'd-ng|n-ng|buf'
Signed-off-by: Prakhar Srivastava
Reviewed-by: Roberto Sassu
---
Documentation/security/IMA-templates.rst | 7 ---
security/int
KEXEC_CMDLINE is defined to control the
measurement.[Suggested by Mimi]
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h | 2 +
security/integrity/ima/ima.h | 1 +
security/integrity/ima/ima_api.c | 1
o control the ima_buffer_check
-measure the cmdline args suffixed with the kernel file name
-add the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to measure cmdline args
add a new ima template field buf
call ima_kexec_cmdline to measure the cm
e the boot cmdline args into the ima log.
- call ima_kexec_cmdline from kexec_file_load.
- move the call ima_add_kexec_buffer after the cmdline
args have been measured.
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_file.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
nd line".
> Similarly, the first patch in this patch set could be named "Define a
> new IMA hook to measure the boot command line arguments".
>
> On Thu, 2019-06-06 at 17:23 -0700, Prakhar Srivastava wrote:
> > The motive behind the patch series is to measure t
the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to measure cmdline args
add a new ima template field buf
call ima_kexec_cmdline to measure the cmdline args
Documentation/ABI/testing/ima_policy | 1 +
Documentation/security/IMA
. process_buffer_measurement added in
"Add a new ima hook ima_kexec_cmdline to measure cmdline args"
Signed-off-by: Prakhar Srivastava
Reviewed-by: Roberto Sassu
---
Documentation/security/IMA-templates.rst | 4 ++--
security/integrity/ima/ima.h | 2 ++
security/integrity/ima/ima_api.c
KEXEC_CMDLINE is defined to control the
measurement.[Suggested by Mimi]
Hash computation can be tested using
sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
grep kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum
Signed-off-by: Prakhar Srivastava
---
Documentation
e the boot cmdline args into the ima log.
- call ima_kexec_cmdline from kexec_file_load.
- move the call ima_add_kexec_buffer after the cmdline
args have been measured.
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_file.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --gi
3d3120
696d615f706f6c6963793d74636220696d615f61707072616973653d666
97820696d615f74656d706c6174655f666d743d6e2d6e677c642d6e677c
7369677c62756620696d615f686173683d736861323536
echo -n -e $VAL | xxd -r -p | sha256sum
0d0b891bb730120d9593799cba1a7b3febf68f2bb81fb1304b0c963f95f6bc58 -
I will run it through the code as well, but the shell command should work.
Thanks,
Prakhar Srivastava
e the boot cmdline args into the ima log.
- call ima_kexec_cmdline from kexec_file_load.
- move the call ima_add_kexec_buffer after the cmdline
args have been measured.
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_file.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --gi
ima_kexec_cmdline is defined to be called by the
kexec code.
- A new function process_buffer_measurement is defined to measure
the buffer hash into the ima log.
- A new func policy KEXEC_CMDLINE is defined to control the measurement.
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing
the buffer data.
- Added two new fields to ima_event_data to hold the buf and
buf_len [Suggested by Roberto]
-Updated process_buffer_measurement to add the buffer to
ima_event_data
Signed-off-by: Prakhar Srivastava
---
Documentation/security/IMA-templates.rst | 2 +-
security/integrity
-measure the cmdline args suffixed with the kernel file name
-add the buffer to the template sig field.
Prakhar Srivastava (3):
Add a new ima hook ima_kexec_cmdline to measure cmdline args
add a new ima template field buf
call ima_kexec_cmdline to measure the cmdline args
Documentation/A
On Tue, May 14, 2019 at 6:22 AM Roberto Sassu wrote:
>
> On 5/14/2019 7:07 AM, prakhar srivastava wrote:
> > On Mon, May 13, 2019 at 6:48 AM Roberto Sassu
> > wrote:
> >>
> >> On 5/11/2019 12:37 AM, Prakhar Srivastava wrote:
> >>> From: Prakhar
On Mon, May 13, 2019 at 6:48 AM Roberto Sassu wrote:
>
> On 5/11/2019 12:37 AM, Prakhar Srivastava wrote:
> > From: Prakhar Srivastava
> >
> > The buffer(cmdline args) added to the ima log cannot be attested
> > without having the actual buffer. Thus to make the
On Mon, May 13, 2019 at 9:56 AM Mimi Zohar wrote:
>
> On Fri, 2019-05-10 at 15:37 -0700, Prakhar Srivastava wrote:
>
> > +/*
> > + * process_buffer_measurement - Measure the buffer passed to ima log.
>
> "passed to ima log" is unnecessary.
>
> > + *
From: Prakhar Srivastava
The motive behind the patch series is to measure the cmdline args
used for soft reboot/kexec case.
For secure boot attestation, it is necessary to measure the kernel
command line and the kernel version. For cold boot, the boot loader
can be enhanced to measure
From: Prakhar Srivastava
The buffer(cmdline args) added to the ima log cannot be attested
without having the actual buffer. Thus to make the measured buffer
available to store/read a new ima template (buf) is added.
The cmdline args used for soft reboot can then be read and attested
later
From: Prakhar Srivastava
To measure the cmdline args used in case of soft reboot. Call the
ima hook defined in [PATCH 1/3 v5]:"add a new ima hook and policy to measure
the cmdline"
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_file.c | 2 ++
1 file changed, 2 insertions(+)
From: Prakhar Srivastava
For secure boot attestation, it is necessary to measure the kernel
command line and the kernel version. For cold boot, the boot loader
can be enhanced to measure these parameters. However, for attestation
across soft reboot boundary, these values also need to be measured
From: Prakhar Srivastava
For this reason, this patch adds support for measuring these
parameters during kexec. To achieve this, a new ima policy and
hook id, defined KEXEC_CMDLINE and ima_kexec_cmdline respectively,
are added.
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing
From: Prakhar Srivastava
The buffer(cmdline args) added to the ima log cannot be attested
without having the actual buffer. Thus to make the measured buffer
available to store/read a new ima template (buf) is added.
The cmdline args used for soft reboot can then be read and attested
later
From: Prakhar Srivastava
For secure boot attestation, it is necessary to measure the kernel
command line and the kernel version. For cold boot, the boot loader
can be enhanced to measure these parameters.
(https://mjg59.dreamwidth.org/48897.html)
However, for attestation across soft reboot
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_file.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index f1d0e00a3971..e779bcf674a0 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -241,6 +241,8
From: Prakhar Srivastava
This change adds a new ima policy func buffer_check, and ima hook to
measure the buffer hash into ima log.
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h | 5 ++
security/integrity/ima/ima.h
From: Prakhar Srivastava
Per suggestions from the community, removed the LSM hook.
and renamed the buffer_check func and policy to kexec_cmdline
[suggested by: Mimi Zohar]
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 2 +-
include/linux/ima.h
From: Prakhar Srivastava
prepend the kernel file name to the cmdline args
to avoid conflicts in case of multiple kexec.
Pass the new generated buffer to ima for measurement.
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_core.c | 57 +
kernel
From: Prakhar Srivastava
For Kexec scenario(kexec_file_load) cmdline args are passed to the
next kernel. These cmdline args used to load the next kernel can
have undesired/unwanted configs. To guard against any unwanted cmdline
args being passed to the next kernel. The current kernel should
From: Prakhar Srivastava
add an LSM hook for kexec_cmdline args to be made available to
other LSMs.
Signed-off-by: Prakhar Srivastava
---
include/linux/lsm_hooks.h | 3 +++
include/linux/security.h | 3 +++
kernel/kexec_internal.h | 4 +++-
security/security.c | 6 ++
4 files
From: Prakhar Srivastava
This change adds the buffer passed in to the xattr used for
template entries.
Signed-off-by: Prakhar Srivastava
---
security/integrity/ima/ima_main.c | 37 ---
security/integrity/ima/ima_template_lib.c | 3 +-
security/integrity
From: Prakhar Srivastava
added a new ima policy func buffer_check, and ima hook to
measure the buffer hash into ima logs.
Signed-off-by: Prakhar Srivastava
---
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h | 5 ++
security/integrity/ima/ima.h | 1
From: Prakhar Srivastava
add the buffer to the xattr for a buffer case
Signed-off-by: Prakhar Srivastava
---
security/integrity/ima/ima_main.c | 37 ---
security/integrity/ima/ima_template_lib.c | 3 +-
security/integrity/integrity.h| 1 +
3 files
From: Prakhar Srivastava
added LSM hook to call ima_buffer_check
Signed-off-by: Prakhar Srivastava
---
include/linux/lsm_hooks.h | 3 +++
include/linux/security.h | 3 +++
kernel/kexec_internal.h | 4 +++-
security/security.c | 6 ++
4 files changed, 15 insertions(+), 1 deletion
From: Prakhar Srivastava
For Kexec scenario(kexec_file_load) cmdline args are passed to the
next kernel. These cmdline args used to load the next kernel can
have undesired/unwanted configs. To guard against any unwanted cmdline
args being passed to the next kernel. The current kernel should
From: Prakhar Srivastava
prepend the kernel file name to kexec_cmdline
before measuring the buffer.
Signed-off-by: Prakhar Srivastava
---
kernel/kexec_core.c | 57 +
kernel/kexec_file.c | 14 +++
2 files changed, 71 insertions(+)
diff
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
Currently for soft reboot(kexec_file_load) the kernel file and
signature is measured by IMA. The cmdline args used to load the kernel
is not measured.
The boot aggregate that gets calculated will have no change since the
EFI loader
are doing both the command line and kernel version measurement in IMA.
Can you please elaborate on how this can be used outside of the scenario?
That will help me come back with a better design and code. I am
neutral about this.
I greatly appreciate the time and your feedback.
-Prakhar Srivastava
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
remove enums to control type of buffers entries, instead pass the event name
to be used.
include/linux/ima.h | 10 ++
kernel/kexec_file.c | 3 +++
security/integrity/ima/ima.h | 2
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
This adds a new ima hook ima_buffer_check and a policy entry BUFFER_CHECK.
This enables buffer hash measurements into ima log
Documentation/ABI/testing/ima_policy | 1 +
include/linux/ima.h | 13 +++-
security
From: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
---
since cmdline args can be same for multiple kexec, log entry
hash will collide. Prepend the kernel file name to the cmdline args to
distinguish between cmdline args passed to subsequent kexec calls
kernel/kexec_core.c | 57
.
To account for the cmdline passed, we are looking at using IMA to measure and
pass the buffer so that it can be attested.
Do you have any alternate solutions/concerns with this approach?
Thanks,
Prakhar Srivastava