Re: [PATCH v2 1/2] Add support for arm64 to carry ima measurement log in kexec_file_load

From: prsriva
Date: Wed Oct 09 2019 - 16:49:12 EST




On 10/8/19 2:22 PM, Sasha Levin wrote:
On Mon, Oct 07, 2019 at 11:59:42AM -0700, Prakhar Srivastava wrote:
During kexec_file_load, carrying forward the ima measurement log allows
a verifying party to get the entire runtime event log since the last
full reboot since that is when PCRs were last reset.

Signed-off-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx>
---
arch/Kconfig                           |   6 +-
arch/arm64/include/asm/ima.h           |  24 +++
arch/arm64/include/asm/kexec.h         |   5 +
arch/arm64/kernel/Makefile             |   3 +-
arch/arm64/kernel/ima_kexec.c          |  78 ++++++++++
arch/arm64/kernel/machine_kexec_file.c |   6 +
drivers/of/Kconfig                     |   6 +
drivers/of/Makefile                    |   1 +
drivers/of/of_ima.c                    | 204 +++++++++++++++++++++++++
include/linux/of.h                     |  31 ++++
10 files changed, 362 insertions(+), 2 deletions(-)
create mode 100644 arch/arm64/include/asm/ima.h
create mode 100644 arch/arm64/kernel/ima_kexec.c
create mode 100644 drivers/of/of_ima.c

diff --git a/arch/Kconfig b/arch/Kconfig
index a7b57dd42c26..d53e1596c5b1 100644
--- a/arch/Kconfig
+++ b/arch/Kconfig
@@ -19,7 +19,11 @@ config KEXEC_CORE
ÂÂÂÂbool

config HAVE_IMA_KEXEC
-ÂÂÂ bool
+ÂÂÂ bool "Carry over IMA measurement log during kexec_file_load() syscall"
+ÂÂÂ depends on KEXEC_FILE
+ÂÂÂ help
+ÂÂÂÂÂ Select this option to carry over IMA measurement log during
+ÂÂÂÂÂ kexec_file_load.
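
Review bot: The help text added under HAVE_IMA_KEXEC only restates the prompt, and the sole dependency is KEXEC_FILE, so nothing visible in this hunk ties the option to IMA being enabled. Please say in the help what is carried over and why (the commit message's point that a verifying party needs the entire event log since the last full reboot, when the PCRs were last reset) and add the IMA dependency, or keep this symbol a promptless `bool` and put the user-facing prompt and help on the option users are meant to toggle.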

This change looks very wrong: HAVE_* config symbols are used to indicate
the availability of certain arch specific capability, rather than act as
a config option. How does this work with CONFIG_IMA_KEXEC ?

Thanks for pointing this out. My attempt was to move this out of arch dependent config. I will fix the CONFIG.

Also, please, at the very least verify that basic functionality works on
the architectures we have access to. Trying it on x86:


Let me fix the build issues for other archs.
I have tested these changes for arm64.

$ make allmodconfig
scripts/kconfig/conf --allmodconfig Kconfig
#
# No change to .config
#
$ make
 CALL    scripts/checksyscalls.sh
 CALL    scripts/atomic/check-atomics.sh
 DESCEND  objtool
 CC      security/integrity/ima/ima_fs.o
In file included from security/integrity/ima/ima_fs.c:26:
security/integrity/ima/ima.h:28:10: fatal error: asm/ima.h: No such file or directory
#include <asm/ima.h>
         ^~~~~~~~~~~
compilation terminated.
make[3]: *** [scripts/Makefile.build:266: security/integrity/ima/ima_fs.o] Error 1
make[2]: *** [scripts/Makefile.build:509: security/integrity/ima] Error 2
make[1]: *** [scripts/Makefile.build:509: security/integrity] Error 2
make: *** [Makefile:1649: security] Error 2

--
Thanks,
Sasha