From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, ebiederm@xmission.com, noodles@fb.com,
	bauermann@kolabnow.com, kexec@lists.infradead.org,
	linux-integrity@vger.kernel.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: [PATCH v2 0/7] ima: kexec: measure events between kexec load and execute
Date: Thu,  5 Oct 2023 11:25:55 -0700	[thread overview]
Message-ID: <20231005182602.634615-1-tusharsu@linux.microsoft.com> (raw)

The current Kernel behavior is that the IMA measurements snapshot is taken
at kexec 'load' and not at kexec 'execute'.  The IMA log is then carried
over to the new Kernel after kexec 'execute'.

Some systems can be configured to call kexec 'load' first, and then
kexec 'execute' after some time (as opposed to calling 'load' and
'execute' in one single kexec command).  In such a scenario, if new IMA
measurements are added between kexec 'load' and kexec 'execute', the
TPM PCRs are extended with the IMA events between 'load' and 'execute'.
But those IMA events are not carried over to the new Kernel after the kexec
soft reboot.  This results in a mismatch between the TPM PCR quotes and the
actual IMA measurements list after the system boots into the new kexec
image.  This mismatch results in the remote attestation failing for that
system.

This patch series proposes a solution to this problem by allocating
the necessary buffer at kexec 'load' time, and populating the buffer
with the IMA measurements at kexec 'execute' time.

The solution includes:
 - refactoring the existing code to allocate a buffer to hold IMA
   measurements at kexec 'load', and dump the measurements at kexec
   'execute'

 - ima functionality to suspend and resume measurements as needed during
   buffer copy at kexec 'execute',

 - ima functionality for mapping the measurement list from the current
   Kernel to the subsequent one,

 - necessary changes to the kexec_file_load syscall, enabling it to call
   the ima functions,

 - registering a reboot notifier which gets called during kexec
   'execute',

 - introducing a new Kconfig option to configure the amount of memory
   to be allocated for passing IMA log from the current Kernel to the
   next,

 - introducing two new events to be measured by IMA during kexec, to
   help diagnose if the IMA log was copied fully or partially, from the
   current Kernel to the next,

The modifications proposed in this series ensure the integrity of the ima
measurements is preserved across kexec soft reboots, thus significantly
improving the security of the Kernel post kexec soft reboots.

There were previous attempts to fix this issue [1], [2], [3].  But they
were not merged into the mainline Kernel.

We took inspiration from the past work [1] and [2] while working on this
patch series.

References:
-----------

[1] [PATCH v2 5/9] ima: on soft reboot, save the measurement list
https://lore.kernel.org/lkml/1472596811-9596-6-git-send-email-zohar@linux.vnet.ibm.com/

[2] [PATCH v2 4/6] kexec_file: Add mechanism to update kexec segments.
https://lkml.org/lkml/2016/8/16/577

[3] [PATCH 1/6] kexec_file: Add buffer hand-over support
https://lore.kernel.org/linuxppc-dev/1466473476-10104-6-git-send-email-bauerman@linux.vnet.ibm.com/T/

Change Log v2:
 - Incorporated feedback from the community on v1 series.
 - Refactored the existing ima_dump_measurement_list to move buffer
   allocation functionality to ima_alloc_kexec_buf() function.
 - Introduced a new Kconfig option to configure the memory.
 - Updated the logic to copy the IMA log only in case of kexec soft
   reboot, and not on kexec crash.
 - Updated the logic to copy as many IMA events as possible in case of
   memory constraint, rather than just bailing out.
 - Introduced two new events to be measured by IMA during kexec, to
   help diagnose if the IMA log was copied fully or partially from the
   current Kernel to the next.
 - Refactored patches to ensure no warnings during individual patch
   compilation.
 - Used virt_to_page instead of phys_to_page.
 - Updated patch descriptions as necessary.

Tushar Sugandhi (7):
  ima: refactor ima_dump_measurement_list to move memory allocation to a
    separate function
  ima: move ima_dump_measurement_list call from kexec load to execute
  ima: kexec: map source pages containing IMA buffer to image post kexec
    load
  kexec: update kexec_file_load syscall to call ima_kexec_post_load
  ima: suspend measurements while the buffer is being copied during
    kexec reboot
  ima: make the memory for events between kexec load and exec
    configurable
  ima: record log size at kexec load and execute

 include/linux/ima.h                |   3 +
 include/linux/kexec.h              |  13 ++
 kernel/kexec_core.c                |  73 ++++++++-
 kernel/kexec_file.c                |   8 +
 security/integrity/ima/Kconfig     |   9 ++
 security/integrity/ima/ima.h       |   2 +
 security/integrity/ima/ima_kexec.c | 246 ++++++++++++++++++++++++-----
 security/integrity/ima/ima_queue.c |  31 ++++
 8 files changed, 341 insertions(+), 44 deletions(-)

-- 
2.25.1
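Added example, not part of the patch series or of the mail above: a Python simulation of the remote-attestation check the cover letter describes, showing why a log copied at kexec 'load' no longer replays to the TPM PCR when events land between 'load' and 'execute', and how a verifier can tell a partial copy from a complete one. The event paths and contents, the template-hash stand-in and the buffer capacity are constructed assumptions; only the PCR extend rule (new = H(old || digest)) is the TPM's.

```python
import hashlib

PCR_SIZE = 32  # width of a SHA-256 PCR bank


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new_pcr = H(old_pcr || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log: list[bytes]) -> bytes:
    """PCR value a verifier expects after replaying a measurement list."""
    pcr = bytes(PCR_SIZE)
    for template_hash in log:
        pcr = pcr_extend(pcr, template_hash)
    return pcr


def template_hash(path: bytes, content: bytes) -> bytes:
    """Constructed stand-in for an IMA template hash (digest of the event data)."""
    return hashlib.sha256(path + b"\0" + hashlib.sha256(content).digest()).digest()


# Constructed sample events (hypothetical paths and file contents).
BEFORE_LOAD = [  # measured before kexec 'load'
    template_hash(b"boot_aggregate", bytes(32)),
    template_hash(b"/sbin/init", b"init-v1"),
    template_hash(b"/usr/lib/libc.so.6", b"libc-v1"),
]
BETWEEN = [  # measured after kexec 'load' but before kexec 'execute'
    template_hash(b"/usr/bin/late-daemon", b"daemon-v1"),
    template_hash(b"/etc/ima/policy-update", b"policy-v2"),
]


def attest(snapshot_at_execute: bool, buf_capacity: int) -> tuple[bool, int, int]:
    """Simulate one kexec soft reboot followed by a remote attestation.

    Returns (pcr_matches, events_copied, events_at_snapshot).  Comparing the
    last two (the log sizes the series records as two new IMA events) lets a
    verifier distinguish a partial copy from a log that was complete.
    """
    # The TPM PCR is extended as each event happens, no matter when the log copy is taken.
    tpm_pcr10 = replay(BEFORE_LOAD + BETWEEN)
    # Pre-series behaviour snapshots the log at 'load'; the series moves it to 'execute'.
    log_at_snapshot = BEFORE_LOAD + BETWEEN if snapshot_at_execute else list(BEFORE_LOAD)
    # v2 copies as many events as fit in the kexec buffer instead of bailing out.
    carried = log_at_snapshot[:buf_capacity]
    return replay(carried) == tpm_pcr10, len(carried), len(log_at_snapshot)
```

`attest(False, 10)` reproduces the failure in the cover letter (PCR mismatch with all three pre-load events present), `attest(True, 10)` matches, and `attest(True, 4)` shows a memory-constrained partial copy that still fails but is diagnosable from the recorded sizes.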