Re: [RFC][PATCH 0/2] Add support for using reserved memory for ima buffer pass

[Prakhar Srivastava]

On 5/22/20 9:08 PM, Thiago Jung Bauermann wrote:
> Hello Prakhar,
>
> Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx> writes:
>
> > On 5/12/20 4:05 PM, Rob Herring wrote:
> > > On Wed, May 06, 2020 at 10:50:04PM -0700, Prakhar Srivastava wrote:
> > > > Hi Mark,
> > >
> > > Please don't top post.
> > >
> > > > This patch set currently only address the Pure DT implementation.
> > > > EFI and ACPI implementations will be posted in subsequent patchsets.
> > > >
> > > > The logs are intended to be carried over the kexec and once read the
> > > > logs are no longer needed and in prior conversation with James(
> > > > https://lore.kernel.org/linux-arm-kernel/0053eb68-0905-4679-c97a-00c5cb6f1abb@xxxxxxx/)
> > > > the apporach of using a chosen node doesn't
> > > > support the case.
> > > >
> > > > The DT entries make the reservation permanent and thus doesnt need kernel
> > > > segments to be used for this, however using a chosen-node with
> > > > reserved memory only changes the node information but memory still is
> > > > reserved via reserved-memory section.
> > >
> > > I think Mark's point was whether it needs to be permanent. We don't
> > > hardcode the initrd address for example.
> > Thankyou for clarifying my misunderstanding, i am modelling this keeping to the
> > TPM log implementation that uses a reserved memory. I will rev up the version
> > with chosen-node support.
> > That will make the memory reservation free after use.
>
> Nice. Do you intend to use the same property that powerpc uses
> (linux,ima-kexec-buffer)?
I was naming it ima-buffer, but naming is not a huge concern.
I will use linux,ima-kexec-buffer.
> > > > On 5/5/20 2:59 AM, Mark Rutland wrote:
> > > > > Hi Prakhar,
> > > > >
> > > > > On Mon, May 04, 2020 at 01:38:27PM -0700, Prakhar Srivastava wrote:
> > > > > > IMA during kexec(kexec file load) verifies the kernel signature and measures
> > >
> > > What's IMAIMA is a LSM attempting to detect if files have been accidentally or
> > maliciously altered, both remotely and locally, it can also be used
> > to appraise a file's measurement against a "good" value stored as an extended
> > attribute, and enforce local file integrity.
> >
> > IMA also validates and measures the signers of the kernel and initrd
> > during kexec. The measurements are extended to PCR 10(configurable) and the logs
> > stored in memory, however once kexec'd the logs are lost. Kexec is used as
> > secondary boot loader in may use cases and loosing the signer
> > creates a security hole.
> >
> > This patch is an implementation to carry over the logs and making it
> > possible to remotely validate the signers of the kernel and initrd. Such a
> > support exits only in powerpc.
> > This patch makes the carry over of logs architecture independent and puts the
> > complexity in a driver.
>
> If I'm not mistaken, the code at arch/powerpc/kexec/ima.c isn't actually
> powerpc-specific. It could be moved to an arch-independent directory and
> used by any other architecture which supports device trees.
>
> I think that's the simplest way forward. And to be honest I'm still
> trying to understand why you didn't take that approach. Did you try it
> and hit some obstacle or noticed a disadvantage for your use case?
The approach i have in this patch set is to provide an abstraction layer 
that can be called from any architecture.
However taking a deeper look only the setup dtb is probably architecture
specific, only because the architecture specific kexec sets up the 
device tree. I can also move the code up in security/ima. However i do
have some concerns with layering. I am hoping you can provide me with 
some guidance in this aspect, i will send you the patch i am working on
to get some early feedback.

Thanks,
Prakhar Srivastava


> --
> Thiago Jung Bauermann
> IBM Linux Technology Center