On Fri, 2026-05-29 at 16:59 +0200, Roberto Sassu wrote:
> On Tue, 2026-05-26 at 10:02 -0400, Mimi Zohar wrote:
> > On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> > > From: Roberto Sassu <[email protected]>
> > >
> > > Refuse to delete staged or active list measurements, if a kexec racing with
> > > the deletion already copied those measurements in the kexec buffer. In this
> > > way, user space becomes aware that those measurements are going to appear
> > > in the secondary kernel, and thus they don't have to be saved twice.
> >
> > There are two reboot notifiers: one to prevent additional measurements extending
> > the TPM, while the other copies the measurements for kexec. This patch prevents
> > deleting the staged measurements after the latter notifier.
> >
> > Instead of introducing a specific method for detecting whether the measurement
> > list has been copied, rely on one of the two existing reboot notifiers. The
> > simplest method would test "ima_measurements_suspended", which would prevent
> > deleting the staged measurements a bit earlier.
>
> Testing that the reboot notifier fired (with the
> ima_measurements_suspended variable) is not enough to know whether the
> measurements dump took place or not.
>
> We need a flag (one is enough) protected by ima_extend_list_mutex, so
> that we know reliably which event occurred first, either the dump or the
> staging/delete (which are also protected by ima_extend_list_mutex).

I'm suggesting not allowing the staged measurements, if there are any, to be
deleted once the reboot notifier has started. They'll be copied at the late
reboot notifier.

Mimi
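
The two checks discussed in this thread, as an added user-space model (not code from the patch or from the kernel). The struct, the function names, the `dumped` flag name and the -EBUSY return value are assumptions made for illustration; only ima_extend_list_mutex and ima_measurements_suspended are names taken from the thread.

```c
/* User-space model of the ordering question; not kernel code. */
#include <errno.h>
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>

enum check { CHECK_DUMPED, CHECK_SUSPENDED };  /* hypothetical policy names */

struct model {
    pthread_mutex_t lock;  /* stands in for ima_extend_list_mutex */
    bool suspended;        /* stands in for ima_measurements_suspended */
    bool dumped;           /* hypothetical flag: list copied for kexec */
    size_t staged;         /* staged measurements still held */
    size_t kexec_buf;      /* measurements copied to the kexec buffer */
};

void model_init(struct model *m, size_t staged) {
    pthread_mutex_init(&m->lock, NULL);
    m->suspended = m->dumped = false;
    m->staged = staged;
    m->kexec_buf = 0;
}

/* Early reboot notifier: stops new measurements, copies nothing yet. */
void notifier_suspend(struct model *m) {
    pthread_mutex_lock(&m->lock);
    m->suspended = true;
    pthread_mutex_unlock(&m->lock);
}

/* Late reboot notifier: copy what is still staged, record that it ran. */
void kexec_dump(struct model *m) {
    pthread_mutex_lock(&m->lock);
    m->kexec_buf += m->staged;
    m->dumped = true;
    pthread_mutex_unlock(&m->lock);
}

/* Delete staged measurements unless the chosen check refuses. The check
 * and the delete share one critical section, so they order against dump. */
int delete_staged(struct model *m, enum check c) {
    int ret = 0;
    pthread_mutex_lock(&m->lock);
    if (c == CHECK_DUMPED ? m->dumped : m->suspended)
        ret = -EBUSY;      /* assumed error code */
    else
        m->staged = 0;
    pthread_mutex_unlock(&m->lock);
    return ret;
}
```

In the window between the two notifiers, CHECK_DUMPED still lets the delete succeed and nothing reaches the kexec buffer, while CHECK_SUSPENDED refuses the delete and the late notifier copies the staged entries.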

