Re: [PATCH v8 7/7] ima: measure kexec load and exec events as critical data

From: Mimi Zohar
Date: Thu Feb 20 2025 - 19:47:56 EST

Next message: Jakub Kicinski: "Re: [PATCH] MAINTAINERS: fix DWMAC S32 entry"
Previous message: Alexey Klimov: "Re: [PATCH] ASoC: codecs: wsa883x: Implement temperature reading and hwmon"
In reply to: steven chen: "Re: [PATCH v8 7/7] ima: measure kexec load and exec events as critical data"
Next in thread: steven chen: "Re: [PATCH v8 7/7] ima: measure kexec load and exec events as critical data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 2025-02-18 at 14:55 -0800, steven chen wrote:
> The amount of memory allocated at kexec load, even with the extra memory
> allocated, might not be large enough for the entire measurement list. The
> indeterminate interval between kexec 'load' and 'execute' could exacerbate
> this problem.
>
> Define two new IMA events, 'kexec_load' and 'kexec_execute', to be
> measured as critical data at kexec 'load' and 'execute' respectively.
> Report the allocated kexec segment size, IMA binary log size and the
> runtime measurements count as part of those events.
>
> These events, and the values reported through them, serve as markers in
> the IMA log to verify the IMA events are captured during kexec soft
> reboot. The presence of a 'kexec_load' event in between the last two
> 'boot_aggregate' events in the IMA log implies this is a kexec soft
> reboot, and not a cold-boot. And the absence of 'kexec_execute' event
> after kexec soft reboot implies missing events in that window which
> results in inconsistency with TPM PCR quotes, necessitating a cold boot
> for a successful remote attestation.
>
> The 'kexec_load' event IMA log can be found using the following command:
> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
>    grep kexec_load
>
> The 'kexec_load' event IMA log can be found using the following command:

-> kexec_execute

> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements |
>    grep kexec_execute

These critical data events are displayed as hex encoded ascii in the
ascii_runtime_measurement_list. Verifying the critical data hash requires calculating the
hash of the decoded ascii string. For example:

sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | grep kexec_load
| cut -d' ' -f 6 | xxd -r -p | sha256sum

>
> Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: steven chen <chenste@xxxxxxxxxxxxxxxxxxx>
> ---
> security/integrity/ima/ima.h       | 6 ++++++
> security/integrity/ima/ima_kexec.c | 21 +++++++++++++++++++++
> security/integrity/ima/ima_queue.c | 5 +++++
> 3 files changed, 32 insertions(+)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 4428fcf42167..1452c98242a4 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -240,6 +240,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key
> *key,
>    unsigned long flags, bool create);
> #endif
>
> +#ifdef CONFIG_IMA_KEXEC
> +void ima_measure_kexec_event(const char *event_name);
> +#else
> +static inline void ima_measure_kexec_event(const char *event_name) {}
> +#endif
> +
> /*
> * The default binary_runtime_measurements list format is defined as the
> * platform native format. The canonical format is defined as little-endian.
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 6c8c203ad81e..8d0782e51ffa 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -17,6 +17,8 @@
> #include "ima.h"
>
> #ifdef CONFIG_IMA_KEXEC
> +#define IMA_KEXEC_EVENT_LEN 256
> +
> static struct seq_file ima_kexec_file;
> static void *ima_kexec_buffer;
> static size_t kexec_segment_size;
> @@ -36,6 +38,24 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
> ima_reset_kexec_file(sf);
> }
>
> +void ima_measure_kexec_event(const char *event_name)
> +{
> + char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
> + size_t buf_size = 0;
> + long len;
> +
> + buf_size = ima_get_binary_runtime_size();
> + len = atomic_long_read(&ima_htable.len);
> +
> + scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
> + "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
> + "ima_runtime_measurements_count=%ld;",
> + kexec_segment_size, buf_size, len);
> +
> + ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event,
> + strlen(ima_kexec_event), false, NULL, 0);

As previously mentioned, scnprintf() returns the length. No need to use strlen() here.

Mimi

> +}
> +
> static int ima_alloc_kexec_file_buf(size_t segment_size)
> {
> /*
> @@ -58,6 +78,7 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
> out:
> ima_kexec_file.read_pos = 0;
> ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */
> + ima_measure_kexec_event("kexec_load");
>
> return 0;
> }
> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> index 3dfd178d4292..6afb46989cf6 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -241,6 +241,11 @@ static int ima_reboot_notifier(struct notifier_block *nb,
>        unsigned long action,
>        void *data)
> {
> +#ifdef CONFIG_IMA_KEXEC
> + if (action == SYS_RESTART && data && !strcmp(data, "kexec reboot"))
> + ima_measure_kexec_event("kexec_execute");
> +#endif
> +
> ima_measurements_suspend();
>
> return NOTIFY_DONE;

Next message: Jakub Kicinski: "Re: [PATCH] MAINTAINERS: fix DWMAC S32 entry"
Previous message: Alexey Klimov: "Re: [PATCH] ASoC: codecs: wsa883x: Implement temperature reading and hwmon"
In reply to: steven chen: "Re: [PATCH v8 7/7] ima: measure kexec load and exec events as critical data"
Next in thread: steven chen: "Re: [PATCH v8 7/7] ima: measure kexec load and exec events as critical data"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]