On 1/13/21 6:49 PM, Mimi Zohar wrote:
Hi Mimi,
I remain concerned about the possibility of bypassing a measurement by
tampering with the time, but I appear to be the only one who is
worried about this so I'm not going to block this patch on those
grounds.
Acked-by: Paul Moore
Thanks, Paul.
On 1/14/21 8:50 AM, Mimi Zohar wrote:
On Thu, 2021-01-14 at 11:44 -0500, Mimi Zohar wrote:
[Cc'ing Sasha]
Hi Lakshmi,
On Thu, 2021-01-14 at 08:22 -0800, Lakshmi Ramasubramanian wrote:
On 1/13/21 6:49 PM, Mimi Zohar wrote:
Lakshmi is trying to address the situation where an event changes
and done on a system other than the measured system, typically
requiring "initialized=1; enabled=1;enforcing=1;checkreqprot=0;" for
a secure state and then whatever policy capabilities are actually set
in the expected policy (which can be extracted from the policy itself
via seinfo, for example
in "struct kimage" to store the virtual address
of the buffer allocated for the IMA measurement list.
Free the memory allocated for the IMA measurement list in
kimage_file_post_load_cleanup() function.
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Tyler Hicks
Fixes: 7b8589cc29e7 ("
list in
the error code paths in ima_add_kexec_buffer() function.
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Tyler Hicks
Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list")
---
security/integrity/ima/ima_kexec.c | 2 ++
1 file changed, 2 insertions(+)
kernel on a pristine/known-safe
system and run the sha256sum /sys/kernel/selinux/policy there to get
the expected hash.
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
Acked-by: Paul Moore
Reviewed-by: Tyler Hicks
---
Documentation/ABI/testing/ima_policy | 3 +-
secur
On 1/14/21 9:48 AM, Lakshmi Ramasubramanian wrote:
On 1/14/21 8:50 AM, Mimi Zohar wrote:
On Thu, 2021-01-14 at 11:44 -0500, Mimi Zohar wrote:
[Cc'ing Sasha]
Hi Lakshmi,
On Thu, 2021-01-14 at 08:22 -0800, Lakshmi Ramasubramanian wrote:
On 1/13/21 6:49 PM, Mimi Zohar wrote:
Lakshmi
On 1/14/21 11:58 AM, Tyler Hicks wrote:
On 2021-01-14 14:29:09, Paul Moore wrote:
On Thu, Jan 14, 2021 at 2:15 PM Lakshmi Ramasubramanian
wrote:
SELinux stores the active policy in memory, so the changes to this data
at runtime would have an impact on the security guarantees provided
On 1/12/21 3:28 PM, Mimi Zohar wrote:
Hi Lakshmi,
On Mon, 2021-01-04 at 11:26 -0800, Lakshmi Ramasubramanian wrote:
Address and size of the buffer containing the IMA measurement log need
to be passed from the current kernel to the next kernel on kexec.
Any existing "linux,ima-kexec-b
On 1/12/21 3:30 PM, Mimi Zohar wrote:
Hi Lakshmi,
On Mon, 2021-01-04 at 11:26 -0800, Lakshmi Ramasubramanian wrote:
diff --git a/arch/powerpc/kexec/file_load_64.c
b/arch/powerpc/kexec/file_load_64.c
index a05c19b3cc60..3cab318aa3b9 100644
--- a/arch/powerpc/kexec/file_load_64.c
+++ b/arch
and update the memory reservation for kexec for arm64.
Signed-off-by: Rob Herring
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Lakshmi Ramasubramanian
Acked-by: Will Deacon
---
arch/arm64/kernel/machine_kexec_file.c | 123 +
1 file changed, 3 insertions(+), 120 deletions(-)
and update the memory reservation for kexec for powerpc.
Signed-off-by: Rob Herring
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Lakshmi Ramasubramanian
---
arch/powerpc/kexec/file_load.c | 125 ++---
1 file changed, 6 insertions(+), 119 deletions(-)
diff --git a/arch/pow
he memory reserved by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
KEXEC_FILE to select CONFIG_HAVE_IMA_KEXEC, if CONFIG_IMA
is enabled, to indicate that the IMA measurement log information is
present in the device tree for ARM64.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: T
.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/kernel/machine_kexec_file.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec_file.c
b/arch/arm64/kernel
for
kexec system call.
Rename elfcorehdr_addr to elf_headers_mem to align with arm64 name so
common code can use it.
Signed-off-by: Rob Herring
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/kexec.h | 2 +-
arch/powerpc/kexec/file_load.c
rpc.
Move arch_ima_add_kexec_buffer() to ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Acked-by: Mimi Zohar
Reviewed-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/ima.h | 3 ---
arch/powerpc/kexec/ima.c
e next kernel across kexec system call.
Remove custom code that is used in setup_ima_buffer() to add
"linux,ima-kexec-buffer" property to the device tree.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: Thiag
pc and arm64, in
of_kexec_setup_new_fdt() and move it to "drivers/of/kexec.c".
Signed-off-by: Rob Herring
Reviewed-by: Thiago Jung Bauermann
Reviewed-by: Lakshmi Ramasubramanian
---
drivers/of/Makefile | 1 +
drivers/of/kexec.c | 236
t functions from
"arch/powerpc/kexec/ima.c" to "drivers/of/kexec.c".
Delete "arch/powerpc/kexec/ima.c" and "arch/powerpc/include/asm/ima.h".
Remove references to the deleted files in powerpc and in ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar
Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/kexec.h | 1 -
arch/powerpc/kexec/file_load.c | 32
2 files changed, 33 deletions(-)
diff --git a/arch/powerpc/include/asm/kexec.h b/arch/powerpc/include/asm/kexec.h
in
On 1/22/21 1:21 PM, Paul Moore wrote:
Hi Paul,
Thanks for reviewing the changes.
...
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
---
This patch is based on
commit e58bb688f2e4 "Merge branch 'measure-critical-data' into next-integrity"
in "next-in
On 8/4/20 8:29 AM, Stephen Smalley wrote:
Perhaps vmalloc would be better than using kmalloc? If there are
better options for such large buffer allocation, please let me know.
kvmalloc() can be used to select whichever one is most appropriate.
Other option would be for ima to compute and
this kernel configuration.
Update LSM hooks namely ima_measure_lsm_state() and ima_measure_lsm_policy
to utilize early boot measurement support.
Signed-off-by: Lakshmi Ramasubramanian
---
security/integrity/ima/Kconfig | 5 +-
security/integrity/ima/Makefile | 2
of the measurement operation from these
two IMA hooks.
Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: Tyler Hicks
---
include/linux/ima.h | 14 +
security/integrity/ima/ima.h | 6 ++--
security/integrity/ima/ima_main.c | 50 ++-
3 files changed, 60
ascii_runtime_measurements | cut -d' ' -f 4
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
Reported-by: kernel test robot # error: implicit declaration
of function 'vfree'
Reported-by: kernel test robot # error: implicit declaration
of function 'crypto_alloc_shash
this measurement.
Define two new IMA policy func namely LSM_STATE and LSM_POLICY to
measure the state and the policy provided by the security modules.
Update ima_match_rules() and ima_validate_rule() to check for
the new func and ima_parse_rule() to handle the new func.
Signed-off-by: Lakshmi
of SELinux policy in the measured data for SELinux.
=> Call IMA hook from the security module directly instead of
redirecting through the LSM.
Lakshmi Ramasubramanian (4):
IMA: Add func to measure LSM state and policy
IMA: Define IMA hooks to measure LSM state and policy
LSM
On 8/4/20 6:04 PM, Casey Schaufler wrote:
On 8/4/2020 5:43 PM, Lakshmi Ramasubramanian wrote:
Critical data structures of security modules are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether the security modules are always operating
On 8/5/20 8:45 AM, Tyler Hicks wrote:
On 2020-08-05 08:36:40, Casey Schaufler wrote:
On 8/4/2020 6:14 PM, Lakshmi Ramasubramanian wrote:
On 8/4/20 6:04 PM, Casey Schaufler wrote:
On 8/4/2020 5:43 PM, Lakshmi Ramasubramanian wrote:
Critical data structures of security modules are currently
On 8/5/20 10:03 AM, Mimi Zohar wrote:
On Wed, 2020-08-05 at 10:45 -0500, Tyler Hicks wrote:
In addition to SELINUX_STATE and SELINUX_POLICY, we should also consider
the proposed LSM_STATE and LSM_POLICY func values but require an "lsm"
rule conditional.
So the current proposed rules:
On 8/5/20 10:57 AM, Casey Schaufler wrote:
On 8/5/2020 10:25 AM, Lakshmi Ramasubramanian wrote:
On 8/5/20 10:03 AM, Mimi Zohar wrote:
On Wed, 2020-08-05 at 10:45 -0500, Tyler Hicks wrote:
In addition to SELINUX_STATE and SELINUX_POLICY, we should also consider
the proposed LSM_STATE
On 8/5/20 9:14 AM, Tyler Hicks wrote:
On 2020-08-05 09:07:48, Lakshmi Ramasubramanian wrote:
On 8/5/20 8:45 AM, Tyler Hicks wrote:
On 2020-08-05 08:36:40, Casey Schaufler wrote:
On 8/4/2020 6:14 PM, Lakshmi Ramasubramanian wrote:
On 8/4/20 6:04 PM, Casey Schaufler wrote:
On 8/4/2020 5:43 PM
chitecture specific function for ARM64 namely
arch_ima_add_kexec_buffer() that will set the address and size of
the current kernel's IMA buffer to be passed to the next kernel on kexec.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
he
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Lakshmi Ramasubramanian (4):
powerpc: Refactor kexec functions to move arch independent code to
kernel
powerpc: Refactor kexec functions to move arch independent code to ima
arm64:
.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Reviewed-by: Thiago Jung Bauermann
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/machine_kexec_file.c | 18 ++
2 files changed, 19 insertions
for the chosen node, namely
"linux,ima-kexec-buffer", that is added to the DTB to hold
the address and the size of the memory reserved to carry
the IMA measurement log.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Reported-by: k
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/ima.h | 3 -
arch/powerpc/kexec/Makefile| 7 +-
arch/powerpc/kexec/ima.c | 56 -
security/integrity/ima/Makefile| 1 +
security/integrity/ima
On 8/5/20 11:25 AM, Casey Schaufler wrote:
I think moving away from the idea that measuring "critical" data should
be limited to LSMs, will clarify this.
Are you suggesting that instead of calling the hooks LSM_STATE and LSM_POLICY, we should
keep it more generic so that it can be utilized
this kernel configuration.
Update the IMA hook namely ima_measure_critical_data() to utilize
early boot measurement support.
Signed-off-by: Lakshmi Ramasubramanian
---
security/integrity/ima/Kconfig | 5 +-
security/integrity/ima/Makefile | 2 +-
security/integrity/ima
27/
https://patchwork.kernel.org/patch/11711249/
Lakshmi Ramasubramanian (2):
IMA: Handle early boot data measurement
SELinux: Measure state and hash of policy using IMA
security/integrity/ima/Kconfig | 5 +-
security/integrity/ima/Makefile | 2 +-
security/integrity
me_measurements | cut -d' ' -f 6
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
Reported-by: kernel test robot # error: implicit declaration
of function 'vfree'
Reported-by: kernel test robot # error: implicit declaration
of function 'crypto_alloc_shash'
Reported-by: ker
On 8/13/20 10:42 AM, Stephen Smalley wrote:
diff --git a/security/selinux/measure.c b/security/selinux/measure.c
new file mode 100644
index ..f21b7de4e2ae
--- /dev/null
+++ b/security/selinux/measure.c
@@ -0,0 +1,204 @@
+static int selinux_hash_buffer(void *buf, size_t buf_len,
+
On 8/13/20 10:58 AM, Stephen Smalley wrote:
On Thu, Aug 13, 2020 at 1:52 PM Lakshmi Ramasubramanian
wrote:
On 8/13/20 10:42 AM, Stephen Smalley wrote:
diff --git a/security/selinux/measure.c b/security/selinux/measure.c
new file mode 100644
index ..f21b7de4e2ae
--- /dev/null
On 9/8/20 4:58 AM, Stephen Smalley wrote:
On Tue, Sep 8, 2020 at 12:44 AM Lakshmi Ramasubramanian
wrote:
On 9/7/20 3:32 PM, Stephen Smalley wrote:
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
Reported-by: kernel test robot # error: implicit declaration
Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/machine_kexec_file.c | 18 ++
2 files changed, 19 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 6d232837cbee..9f03c8245e5b 100644
chitecture specific function for ARM64 namely
arch_ima_add_kexec_buffer() that will set the address and size of
the current kernel's IMA buffer to be passed to the next kernel on kexec.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
"linux,ima-kexec-buffer", that is added to the DTB to hold
the address and the size of the memory reserved to carry
the IMA measurement log.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include
a layer of abstraction to use the memory reserved by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is
On 8/31/20 7:47 AM, Stephen Smalley wrote:
Could you please let me know when the current set of changes in SELinux
next branch would be completed and be ready to take new changes?
I mean, roughly - would it be a month from now or you expect that to
take longer?
I can't speak for Paul but
the memory reserved to carry
the IMA measurement log.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/ima.h | 3 --
arch/powerpc/kexec/ima.c | 60 ++
include/linu
chitecture specific function for ARM64 namely
arch_ima_add_kexec_buffer() that will set the address and size of
the current kernel's IMA buffer to be passed to the next kernel on kexec.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
d by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Lakshmi Ramasu
for storing the IMA log.
Update CONFIG_KEXEC_FILE to select CONFIG_HAVE_IMA_KEXEC to
indicate that the IMA measurement log information is present in
the device tree.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/Kconfig
On 8/3/20 8:11 AM, Stephen Smalley wrote:
Possibly I'm missing something but with these patches applied on top of
next-integrity, and the following lines added to /etc/ima/ima-policy:
measure func=LSM_STATE template=ima-buf
measure func=LSM_POLICY
I still don't get the selinux-state or
On 8/3/20 1:29 PM, Stephen Smalley wrote:
On 8/3/20 4:00 PM, Stephen Smalley wrote:
On Mon, Aug 3, 2020 at 12:14 PM Lakshmi Ramasubramanian
wrote:
On 8/3/20 8:11 AM, Stephen Smalley wrote:
Possibly I'm missing something but with these patches applied on top of
next-integrity
On 8/3/20 2:07 PM, Stephen Smalley wrote:
[ 68.870715] irq event stamp: 23486085
[ 68.870715] hardirqs last enabled at (23486085):
[] _raw_spin_unlock_irqrestore+0x46/0x60
[ 68.870715] hardirqs last disabled at (23486084):
[] _raw_spin_lock_irqsave+0x23/0x90
[ 68.870715] softirqs last
early boot
measurement support.
This patch is dependent on the following patch series:
https://patchwork.kernel.org/patch/11709527/
https://patchwork.kernel.org/patch/11730193/
Signed-off-by: Lakshmi Ramasubramanian
---
security/integrity/ima/Kconfig | 2
nt on the following patch series:
https://patchwork.kernel.org/patch/11709527/
https://patchwork.kernel.org/patch/11730193/
https://patchwork.kernel.org/patch/11730757/
Signed-off-by: Lakshmi Ramasubramanian
Suggested-by: Stephen Smalley
Reported-by: kernel test robo
On 8/24/20 7:00 AM, Stephen Smalley wrote:
On Fri, Aug 21, 2020 at 9:00 PM Lakshmi Ramasubramanian
+int security_read_policy_kernel(struct selinux_state *state,
+ void **data, size_t *len)
+{
+ int rc;
+
+ rc = security_read_policy_len(state, len
On 12/11/20 7:41 AM, Tyler Hicks wrote:
On 2020-12-11 09:36:30, Tyler Hicks wrote:
The calls to pr_err() in this aren't quite following the style of the
other error SELinux error messages.
Sorry, I left out a word. I meant to say that the calls to pr_err() in
this *file* aren't quite
On 12/6/20 5:50 PM, Lakshmi Ramasubramanian wrote:
Hi Thiago,
On 12/4/20 6:22 PM, Thiago Jung Bauermann wrote
Hello Lakshmi,
Lakshmi Ramasubramanian writes:
delete_fdt_mem_rsv() retrieves the memory reserve map entry, for
the given starting address and size, from the device tree blob
On 12/11/20 10:19 AM, Thiago Jung Bauermann wrote:
Hi Lakshmi,
Lakshmi Ramasubramanian writes:
On 12/6/20 5:50 PM, Lakshmi Ramasubramanian wrote:
Hi Thiago,
On 12/4/20 6:22 PM, Thiago Jung Bauermann wrote
Hello Lakshmi,
Lakshmi Ramasubramanian writes:
delete_fdt_mem_rsv() retrieves
On 12/11/20 4:32 PM, Tyler Hicks wrote:
On 2020-12-11 15:58:07, Tushar Sugandhi wrote:
From: Lakshmi Ramasubramanian
SELinux stores the active policy in memory, so the changes to this data
at runtime would have an impact on the security guarantees provided
by SELinux. Measuring in-memory
On 12/11/20 2:10 PM, Rob Herring wrote:
Hi Rob,
Align with arm64 name so common code can use it.
As you'd stated in the cover letter, a better patch description would be
good to have here.
Code changes look good to me.
Reviewed-by: Lakshmi Ramasubramanian
thanks,
-lakshmi
Signed
On 12/11/20 2:10 PM, Rob Herring wrote:
Hi Rob,
Both arm64 and powerpc do essentially the same FDT /chosen setup for
kexec. We can simply combine everything each arch does. The differences
are either omissions that arm64 should have or additional properties
that will be ignored.
The
On 12/11/20 6:17 PM, Thiago Jung Bauermann wrote:
Lakshmi Ramasubramanian writes:
On 12/11/20 2:10 PM, Rob Herring wrote:
Hi Rob,
Both arm64 and powerpc do essentially the same FDT /chosen setup for
kexec. We can simply combine everything each arch does. The differences
are either
On 12/11/20 2:10 PM, Rob Herring wrote:
Signed-off-by: Rob Herring
---
arch/arm64/kernel/machine_kexec_file.c | 123 +
1 file changed, 3 insertions(+), 120 deletions(-)
This change looks good to me.
Reviewed-by: Lakshmi Ramasubramanian
-lakshmi
diff --git
.
Reviewed-by: Lakshmi Ramasubramanian
-lakshmi
diff --git a/arch/powerpc/kexec/file_load.c b/arch/powerpc/kexec/file_load.c
index e452b11df631..956bcb2d1ec2 100644
--- a/arch/powerpc/kexec/file_load.c
+++ b/arch/powerpc/kexec/file_load.c
@@ -16,6 +16,7 @@
#include
#include
+#include
On 12/22/20 6:26 AM, Mimi Zohar wrote:
Hi Mimi,
On Sat, 2020-12-19 at 09:57 -0800, Lakshmi Ramasubramanian wrote:
diff --git a/arch/powerpc/kexec/Makefile b/arch/powerpc/kexec/Makefile
index 4aff6846c772..b6c52608cb49 100644
--- a/arch/powerpc/kexec/Makefile
+++ b/arch/powerpc/kexec
On 12/22/20 11:45 AM, Mimi Zohar wrote:
On Tue, 2020-12-22 at 10:53 -0800, Lakshmi Ramasubramanian wrote:
On 12/22/20 6:26 AM, Mimi Zohar wrote:
Hi Mimi,
On Sat, 2020-12-19 at 09:57 -0800, Lakshmi Ramasubramanian wrote:
diff --git a/arch/powerpc/kexec/Makefile b/arch/powerpc/kexec
On 12/22/20 1:55 PM, Thiago Jung Bauermann wrote:
Rob Herring writes:
Signed-off-by: Rob Herring
---
After the IMA changes, delete_fdt_mem_rsv() can also be removed.
arch/powerpc/kexec/file_load.c | 125 ++---
1 file changed, 6 insertions(+), 119
On 12/22/20 4:48 PM, Thiago Jung Bauermann wrote:
Actually, I have one more comment on this patch:
Lakshmi Ramasubramanian writes:
diff --git a/arch/powerpc/kexec/file_load.c b/arch/powerpc/kexec/file_load.c
index 956bcb2d1ec2..9f3ec0b239ef 100644
--- a/arch/powerpc/kexec/file_load.c
+++ b
On 12/22/20 4:19 PM, Thiago Jung Bauermann wrote:
Lakshmi Ramasubramanian writes:
The functions defined in "arch/powerpc/kexec/ima.c" handle setting up
and freeing the resources required to carry over the IMA measurement
list from the current kernel to the next kernel across ke
On 12/22/20 4:40 PM, Thiago Jung Bauermann wrote:
Lakshmi Ramasubramanian writes:
On 12/22/20 11:45 AM, Mimi Zohar wrote:
On Tue, 2020-12-22 at 10:53 -0800, Lakshmi Ramasubramanian wrote:
On 12/22/20 6:26 AM, Mimi Zohar wrote:
Hi Mimi,
On Sat, 2020-12-19 at 09:57 -0800, Lakshmi
On 12/22/20 5:08 PM, Thiago Jung Bauermann wrote:
Lakshmi Ramasubramanian writes:
delete_fdt_mem_rsv() defined in "arch/powerpc/kexec/file_load.c"
has been renamed to fdt_find_and_del_mem_rsv(), and moved to
"drivers/of/kexec.c".
Remove delete_fdt_mem_rsv() in
fer pass using reserved memory for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Lakshmi Ramasubramanian (4):
powerpc: Use fdt_appendprop_addrrange() to add ima
()
fails.
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/kernel/machine_kexec_file.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/machine_kexec_file.c
b/arch/arm64/kernel/machine_kexec_file.c
index 7de9c47dee7c..3e045cd62451 100644
--- a/arch/arm64
erences to the deleted files
in powerpc and in ima.
delete_fdt_mem_rsv() defined in "arch/powerpc/kexec/file_load.c"
is not used anymore. Remove this function.
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/ima.h | 30 -
arch/powerpc/include/asm/kexec.h
exec-buffer" property to the device tree and
reserve the memory for storing the IMA log that needs to be passed from
the current kernel to the next one.
Update CONFIG_KEXEC_FILE to select CONFIG_HAVE_IMA_KEXEC to indicate
that the IMA measurement log information is present in the device
kernel across kexec system call.
Remove custom code that is used in setup_ima_buffer() to add
"linux,ima-kexec-buffer" property to the device tree.
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/kexec/ima.c | 51 ++--
1 file changed,
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the kernel in the kexec call
may also be measured by IMA
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
fdt_appendprop_addrrange() function adds a property, with the given name,
to the device tree at the given node offset, and also sets the address
and size of the property. This function should be used to add
"linux,ima-kexec-buffer"
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
The functions defined in "arch/powerpc/kexec/ima.c" handle setting up
and freeing the resources required to carry over the IMA measurement
list from the current kernel to the next kernel across kexec system call.
These functions d
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
create_dtb() function allocates memory for the device tree blob (DTB)
and calls fdt_open_into(). If this call fails the memory allocated
for the DTB is not freed before returning from create_dtb() thereby
leaking memory.
Typo in the email
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
Address and size of the buffer containing the IMA measurement log need
to be passed from the current kernel to the next kernel on kexec.
Typo in the email address of James Morse (ARM.com). Sorry about that.
Adding the correct email address
On 12/17/20 12:05 PM, Rob Herring wrote:
On Thu, Dec 17, 2020 at 09:37:06AM -0800, Lakshmi Ramasubramanian wrote:
The functions defined in "arch/powerpc/kexec/ima.c" handle setting up
and freeing the resources required to carry over the IMA measurement
list from the current kernel t
On 12/17/20 2:01 PM, Rob Herring wrote:
On Thu, Dec 17, 2020 at 2:52 PM Lakshmi Ramasubramanian
wrote:
On 12/17/20 12:05 PM, Rob Herring wrote:
On Thu, Dec 17, 2020 at 09:37:06AM -0800, Lakshmi Ramasubramanian wrote:
The functions defined in "arch/powerpc/kexec/ima.c" handle
On 12/17/20 2:01 PM, Rob Herring wrote:
[...]
+#ifdef CONFIG_IMA_KEXEC
+/**
+ * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer
+ *
+ * @image: kimage struct to set IMA buffer data
+ * @load_addr: Starting address where IMA buffer is loaded at
+ * @size: Number of
rpc.
Move arch_ima_add_kexec_buffer() to ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/ima.h | 3 ---
arch/powerpc/kexec/ima.c | 17 -
security/integrity/ima/ima_ke
kernel across kexec system call.
Remove custom code that is used in setup_ima_buffer() to add
"linux,ima-kexec-buffer" property to the device tree.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
" and "arch/powerpc/include/asm/ima.h".
Remove references to the deleted files in powerpc and in ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/ima.h | 27
arch/powerpc/kexec/Makef
ree
for ARM64.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/kexec.h | 5 +
2 files changed, 6 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
he
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Lakshmi Ramasubramanian (6):
ima: Move arch_ima_add_kexec_buffer() to ima
powerpc: Move arch independent ima kexec functions to
drivers/of/kexec.c
kexec: Use fdt_appendprop_addrrange() to a
Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/kexec.h | 1 -
arch/powerpc/kexec/file_load.c | 32
2 files changed, 33 deletions(-)
diff --git a/arch/powerpc/include/asm/kexec.h b/arch/powerpc/include/asm/kexec.h
in
()
fails.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/arm64/kernel/machine_kexec_file.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arch/arm64/kernel/machine_kexec_file.c
b/arch/arm64/kernel
c64() and
remove setup_new_fdt() in "arch/powerpc/kexec/file_load.c".
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/include/asm/kexec.h | 4 ---
arch/powerpc/kexec/file_load.c| 60 ---
rpc.
Move arch_ima_add_kexec_buffer() to ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
Acked-by: Mimi Zohar
Reviewed-by: Thiago Jung Bauermann
---
arch/powerpc/include/asm/ima.h | 3 ---
arch/powerpc/kexec/ima.c
y for arm64 kexec.
Update the arch specific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Lakshmi Ramasubramanian (6):
ima: Move arch_ima_add_kexec_buffer() to ima
powerpc: Move arch independent
" and "arch/powerpc/include/asm/ima.h".
Remove references to the deleted files in powerpc and in ima.
Co-developed-by: Prakhar Srivastava
Signed-off-by: Prakhar Srivastava
Signed-off-by: Lakshmi Ramasubramanian
---
arch/powerpc/Kconfig | 2 +-
arch/powerpc/include/asm/im