Re: [PATCH v4 0/5] kexec_file: Add buffer hand-over for the next kernel

From: Thiago Jung Bauermann
Date: Thu Sep 08 2016 - 15:21:03 EST


On Wednesday, 07 September 2016, 09:19:40, Eric W. Biederman wrote:
> ebiederm@xxxxxxxxxxxx (Eric W. Biederman) writes:
> > Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> writes:
> >> Hello,
> >>
> >> The purpose of this new version of the series is to fix a small issue
> >> that I found, which is that the kernel doesn't remove the memory
> >> reservation for the hand-over buffer it received from the previous
> >> kernel in the device tree it sets up for the next kernel. The result
> >> is that for each successive kexec, a stale hand-over buffer is left
> >> behind, wasting memory.
> >>
> >> This is fixed by changes to kexec_free_handover_buffer and
> >> setup_handover_buffer in patch 2. The other change is to fix checkpatch
> >> warnings in the last patch.
> >
> > This is fundamentally broken. You do not increase the integrity of a
> > system by dropping integrity checks.
> >
> > No. No. No. No.
> >
> > Nacked-by: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>

The IMA measurement list can be verified without the need of a checksum over
its contents by replaying the PCR extend operations and checking that the
result matches the registers in the TPM device. So the fact that it is not
part of the kexec segments checksum verification doesn't actually reduce the
integrity of the system.

Currently, IMA doesn't perform that verification when it restores the
measurement list from the kexec handover buffer, so if you believe it's
necessary to do that check at boot time, we could do one of the following:

1. Have IMA replay the PCR extend operations when it restores the
measurement list from the handover buffer and validate it against the TPM
PCRs, or

2. Have a buffer hash in the ima_kexec_hdr that IMA includes in the handover
buffer, and verify the buffer checksum before restoring the measurement
list.

What do you think?

> To be constructive the way we have handled similar situations in the
> past (hotplug memory) is to call kexec_load again.

Thanks for your suggestion. Unfortunately it's always possible for new
measurements to be added to the measurement list between the kexec_file_load
and the reboot. We see that happen in practice with system scripts and
configuration files that are only read or executed during the reboot
process. They are only measured by IMA as a result of the kexec execute.

--
[]'s
Thiago Jung Bauermann
IBM Linux Technology Center
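The two checks Thiago sketches above (replaying the PCR extend operations against the TPM, or carrying a checksum of the handover buffer in its header) as a worked example. This is added illustration code, not part of the thread and not the kernel's IMA implementation: the PCR bank, the file names being measured and the `pack_handover_buffer`/`unpack_handover_buffer` header layout are constructed for the example, and the header is a hypothetical stand-in rather than the real `ima_kexec_hdr`.

```python
import hashlib
import struct
from typing import List, Tuple

# Constructed example: PCR bank, measured file names and the header layout
# below are made up for illustration. The header is NOT the kernel's
# ima_kexec_hdr; it is a hypothetical stand-in for "a buffer hash in the header".
PCR_BANK = "sha1"
PCR_SIZE = hashlib.new(PCR_BANK).digest_size
IMA_PCR = 10                      # PCR that IMA extends by default

Entry = Tuple[int, bytes]         # (pcr index, template hash)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_value = H(old_value || digest). Cannot be rewound."""
    return hashlib.new(PCR_BANK, pcr + digest).digest()


def replay_measurement_list(entries: List[Entry], pcr_index: int = IMA_PCR) -> bytes:
    """Replay every extend recorded for one PCR, starting from its reset value (all zeros)."""
    pcr = bytes(PCR_SIZE)
    for idx, template_hash in entries:
        if idx == pcr_index:
            pcr = pcr_extend(pcr, template_hash)
    return pcr


def verify_against_tpm(entries: List[Entry], tpm_pcr: bytes, pcr_index: int = IMA_PCR) -> bool:
    """Option 1 from the message: the restored list is consistent with the TPM
    exactly when replaying it reproduces the PCR value the TPM currently holds."""
    return replay_measurement_list(entries, pcr_index) == tpm_pcr


# Option 2 from the message, hypothetical layout: entry count, payload length, sha256(payload).
HDR_FMT = "!II32s"
REC_SIZE = 1 + PCR_SIZE           # one byte PCR index + one template hash per record


def pack_handover_buffer(entries: List[Entry]) -> bytes:
    payload = b"".join(struct.pack("!B", idx) + h for idx, h in entries)
    hdr = struct.pack(HDR_FMT, len(entries), len(payload), hashlib.sha256(payload).digest())
    return hdr + payload


def unpack_handover_buffer(buf: bytes) -> Tuple[List[Entry], bool]:
    """Return (entries, checksum_ok). Nothing is restored when the checksum fails."""
    hdr_len = struct.calcsize(HDR_FMT)
    count, plen, digest = struct.unpack(HDR_FMT, buf[:hdr_len])
    payload = buf[hdr_len:hdr_len + plen]
    if len(payload) != plen or hashlib.sha256(payload).digest() != digest:
        return [], False
    entries: List[Entry] = []
    for i in range(count):
        rec = payload[i * REC_SIZE:(i + 1) * REC_SIZE]
        if len(rec) != REC_SIZE:
            return [], False
        entries.append((rec[0], rec[1:]))
    return entries, True


def template_hash(name: str) -> bytes:
    """Constructed stand-in for the IMA template hash of a measured file."""
    return hashlib.new(PCR_BANK, name.encode()).digest()


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    # First kernel: measure files, extending a simulated TPM PCR as IMA would.
    tpm_pcr = bytes(PCR_SIZE)
    entries: List[Entry] = []
    for f in ["boot_aggregate", "/sbin/init", "/etc/fstab", "/usr/lib/systemd/systemd"]:
        h = template_hash(f)
        entries.append((IMA_PCR, h))
        tpm_pcr = pcr_extend(tpm_pcr, h)
    buf = pack_handover_buffer(entries)

    # Next kernel: restore from the handover buffer and apply both checks.
    restored, sum_ok = unpack_handover_buffer(buf)
    replay_ok = verify_against_tpm(restored, tpm_pcr)

    # A single flipped payload byte: the header checksum catches it.
    corrupted = bytearray(buf)
    corrupted[-1] ^= 0x01
    _, corrupted_sum_ok = unpack_handover_buffer(bytes(corrupted))

    # A buffer that was rebuilt without its last entry has a valid checksum,
    # but the replay no longer matches the TPM, whose PCR cannot be rewound.
    shorter = pack_handover_buffer(entries[:-1])
    shorter_entries, shorter_sum_ok = unpack_handover_buffer(shorter)
    shorter_replay_ok = verify_against_tpm(shorter_entries, tpm_pcr)

    return sum_ok, replay_ok, corrupted_sum_ok, shorter_sum_ok, shorter_replay_ok


if __name__ == "__main__":
    print(demo())
```

The last case in `demo()` is the practical difference between the two options: a checksum stored in the buffer detects corruption of the buffer, but the TPM replay additionally ties the restored list to state the previous kernel could not have undone, which is the property the message relies on when it says the missing segment checksum does not reduce integrity.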