Re: [PATCH v9 1/7] ima: copy only complete measurement records across kexec

From: steven chen
Date: Thu Mar 06 2025 - 17:46:21 EST

Next message: Andrew Lunn: "Re: [PATCH 3/4] arm64: dts: rockchip: Add GMAC nodes for RK3528"
Previous message: Luiz Capitulino: "[PATCH v3 3/3] mm: page_owner: use new iteration API"
In reply to: Mimi Zohar: "Re: [PATCH v9 1/7] ima: copy only complete measurement records across kexec"
Next in thread: Mimi Zohar: "Re: [PATCH v9 1/7] ima: copy only complete measurement records across kexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 3/5/2025 4:27 AM, Mimi Zohar wrote:

On Wed, 2025-03-05 at 20:08 +0800, Baoquan He wrote:

On 03/04/25 at 11:03am, steven chen wrote:

Carrying the IMA measurement list across kexec requires allocating a
buffer and copying the measurement records. Separate allocating the
buffer and copying the measurement records into separate functions in
order to allocate the buffer at kexec 'load' and copy the measurements
at kexec 'execute'.

This patch includes the following changes:

I don't know why one patch need include so many changes. From below log,
it should be split into separate patches. It may not need to make one
patch to reflect one change, we should at least split and wrap several
kind of changes to ease patch understanding and reviewing. My personal
opinion.

Agreed, well explained.

Mimi

- Refactor ima_dump_measurement_list() to move the memory allocation
to a separate function ima_alloc_kexec_file_buf() which allocates
buffer of size 'kexec_segment_size' at kexec 'load'.
- Make the local variable ima_kexec_file in ima_dump_measurement_list()
a local static to the file, so that it can be accessed from
ima_alloc_kexec_file_buf(). Compare actual memory required to ensure
there is enough memory for the entire measurement record.
- Copy only complete measurement records.
- Make necessary changes to the function ima_add_kexec_buffer() to call
the above two functions.
- Compared the memory size allocated with memory size of the entire
measurement record. Copy only complete measurement records if there
is enough memory. If there is not enough memory, it will not copy
any IMA measurement records, and this situation will result in a
failure of remote attestation.

Suggested-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: steven chen <chenste@xxxxxxxxxxxxxxxxxxx>

I will split this patch into the following two patches:

ima: define and call ima_alloc_kexec_file_buf
ima: copy measurement records as much as possible across kexec

Thanks,

Steven

Next message: Andrew Lunn: "Re: [PATCH 3/4] arm64: dts: rockchip: Add GMAC nodes for RK3528"
Previous message: Luiz Capitulino: "[PATCH v3 3/3] mm: page_owner: use new iteration API"
In reply to: Mimi Zohar: "Re: [PATCH v9 1/7] ima: copy only complete measurement records across kexec"
Next in thread: Mimi Zohar: "Re: [PATCH v9 1/7] ima: copy only complete measurement records across kexec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]