Re: ima measurement carrying on -mm
From: Thiago Jung Bauermann
Date: Thu Sep 29 2016 - 18:16:52 EST
Am Donnerstag, 29 September 2016, 16:53:50 schrieb Eric W. Biederman:
> Thiago Jung Bauermann <bauerman@xxxxxxxxxxxxxxxxxx> writes:
> > Am Donnerstag, 29 September 2016, 14:02:06 schrieb Andrew Morton:
> >> On Thu, 29 Sep 2016 17:44:10 -0300 Thiago Jung Bauermann
> > <bauerman@xxxxxxxxxxxxxxxxxx> wrote:
> >> > Hello Andrew,
> >> >
> >> > You have in the -mm tree a version of the "kexec handover buffer" and
> >> > "ima carry measurement list" patches that were NAKed by Eric
> >> > Biederman.
> >> > I would just like to double-check that there's no risk of that
> >> > version
> >> > reaching v4.9.
> >> >
> >> > Mimi posted v5 of a merged patch set that addresses Eric's concern:
> >> >
> >> > https://lists.ozlabs.org/pipermail/linuxppc-dev/2016-September/149183
> >> > .ht
> >> > ml
> >> >
> >> > There are no separate kexec handover patches anymore. They were
> >> > folded
> >> > into the series above. The kexec code is simplified now, it doesn't
> >> > support updating the buffer and recalculating the hash on reboot, and
> >> > is now IMA- specific instead of a generic kexec feature.
> >> Yup, thanks.
> >> I wasn't thinking any of this material is suitable for 4.9. Seems that
> >> a bit more consideration will be needed. Am I wrong about that?
> > Yes regarding the "ima carry measurement list" patches, but I was hoping
> > that at least the kexec_file_load patches would be upstreamed.
> Oh bah. I was confused about that straight forward adding of kexec_file
> support to powerpc. I thought that was already in existence.
> In that case let me say I am concerned about modifying the flattened
> device tree, especially in the kexec_file. I would think that the
> flattened device tree would be something that it would be desirable to
> keep intact.
> I know in the x86 boot protocol we have some variables that are purely
> passed by the bootloader (like the command line) and some that just
> representations of firmware provided information. Does powerpc not have
> that separation.
> I would think being able to pass the flattened device tree through
> unchanged would be very desirable in the kexec case as it removes the
> possibility of error.
As far as I know, that is not possible. The device tree always needs to be
modified to add or update the properties that indicate where the initrd is
loaded and, as you mentioned, the kernel command line. The IMA buffer
patches just adds another property.
Thiago Jung Bauermann
IBM Linux Technology Center