Re: [PATCH v11 6/9] ima: kexec: move IMA log copy from kexec load to execute

From: steven chen
Date: Thu Apr 10 2025 - 10:19:31 EST

Next message: Usyskin, Alexander: "RE: [PATCH v7 01/12] mtd: core: always create master device"
Previous message: Geert Uytterhoeven: "Re: [PATCH] riscv: Fix unaligned access info messages"
In reply to: Mimi Zohar: "Re: [PATCH v11 6/9] ima: kexec: move IMA log copy from kexec load to execute"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/8/2025 9:17 AM, Mimi Zohar wrote:

On Wed, 2025-04-02 at 05:47 -0700, steven chen wrote:

ima_dump_measurement_list() is called during kexec 'load', which may
result in loss of IMA measurements during kexec soft reboot. Due to
missed measurements that only occurred after kexec 'load', this function
needs to be called during kexec 'execute'.

Re-use the motivation from 5/9 (with tweak):

The IMA log is currently copied to the new kernel during kexec 'load' using
ima_dump_measurement_list(). However, the IMA measurement list copied at kexec
'load' may result in loss of IMA measurements records that only occurred after
the kexec 'load'.

And finish the paragraph with:
Move the IMA measurement list log copy from kexec 'load' to 'execute'.

Make the kexec_segment_size variable a local static variable within the
file, so it can be accessed during both kexec 'load' and 'execute'.
Implement the kexec_post_load() function to be invoked after the new kernel
image has been loaded for kexec. Instead of calling machine_kexec_post_load()
directly from the kexec_file_load() syscall, call kexec_post_load(), which in
turn calls machine_kexec_post_load() to maintain the original image processing.

Define kexec_post_load() as a wrapper for calling ima_kexec_post_load() and
machine_kexec_post_load(). Replace the existing direct call to
machine_kexec_post_load() with kexec_post_load().

Invoke ima_kexec_post_load() within the kexec_post_load() API only for kexec
soft reboot scenarios, excluding KEXEC_FILE_ON_CRASH.

"Don't call ima_kexec_post_load() on KEXEC_FILE_ON_CRASH" would be listed in the
Changelog if it changed, not here in the patch description. Please remove.

Register a reboot notifier for the ima_update_kexec_buffer() API within
ima_kexec_post_load() to ensure it is called upon receiving a reboot
notification.

Registering the reboot notifier was done in "[PATCH v11 5/9] ima: kexec: define
functions to copy IMA log at soft boot", not here. Please remove.

Move the ima_dump_measurement_list() call from ima_add_kexec_buffer() to
ima_update_kexec_buffer() to copy the IMA log at the kexec 'execute' stage.

This information was already stated in the first paragraph as part of the
motivation for the patch. Please remove.

When there is insufficient memory to copy all the measurement logs, copy as
much of the measurement list as possible.

Is this comment still applicable to this patch?

Please review your patch descriptions before posting, making sure that
everything is still applicable.

thanks,

Mimi

Hi Mimi,

Thanks for your comments. I will update in next version.

Steven

Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx>
Cc: Baoquan He <bhe@xxxxxxxxxx>
Cc: Vivek Goyal <vgoyal@xxxxxxxxxx>
Cc: Dave Young <dyoung@xxxxxxxxxx>
Signed-off-by: steven chen <chenste@xxxxxxxxxxxxxxxxxxx>
Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>

Next message: Usyskin, Alexander: "RE: [PATCH v7 01/12] mtd: core: always create master device"
Previous message: Geert Uytterhoeven: "Re: [PATCH] riscv: Fix unaligned access info messages"
In reply to: Mimi Zohar: "Re: [PATCH v11 6/9] ima: kexec: move IMA log copy from kexec load to execute"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]