Date:   Thu, 13 Jun 2019 16:26:27 +0800
From:   Dave Young <dyoung@...hat.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Prakhar Srivastava <prsriva02@...il.com>,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, roberto.sassu@...wei.com,
        "Eric W. Biederman" <ebiederm@...ssion.com>, vgoyal@...hat.com,
        kexec <kexec@...ts.infradead.org>
Subject: Re: [PATCH V8 3/3] Call ima_kexec_cmdline to measure the cmdline args

On 06/12/19 at 06:31pm, Mimi Zohar wrote:
> [Cc: kexec mailing list]
> 
> Hi Eric, Dave,
> 
> On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
> > During soft reboot (kexec_file_load), boot cmdline args
> > are not measured. Thus the new kernel on load boots with
> > an assumption of cold reboot.
> > 
> > This patch makes a call to the ima hook ima_kexec_cmdline,
> > added in "Define a new IMA hook to measure the boot command
> > line arguments"
> > to measure the boot cmdline args into the ima log.
> > 
> > - call ima_kexec_cmdline from kexec_file_load.
> > - move the call ima_add_kexec_buffer after the cmdline
> > args have been measured.
> > 
> > Signed-off-by: Prakhar Srivastava <prsriva02@...il.com>
> Cc: Eric W. Biederman <ebiederm@...ssion.com>
> Cc: Dave Young <dyoung@...hat.com>
> 
> Any chance we could get some Acks?

The ima_* functions are a black box to me; it looks like this patch is trying
to measure the kexec cmdline buffer and save it in some IMA logs, and then add all the
measurement results, including those for the kernel/initrd, to a kexec_buf and pass it to the 2nd
kernel.

It should be good and only take effect when IMA is enabled. If all the
assumptions are right:

Acked-by: Dave Young <dyoung@...hat.com>
> 
> thanks,
> 
> Mimi
> 
> > ---
> >  kernel/kexec_file.c | 9 ++++++---
> >  1 file changed, 6 insertions(+), 3 deletions(-)
> > 
> > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
> > index 072b6ee55e3f..b0c724e5d86c 100644
> > --- a/kernel/kexec_file.c
> > +++ b/kernel/kexec_file.c
> > @@ -198,9 +198,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> >  		return ret;
> >  	image->kernel_buf_len = size;
> >  
> > -	/* IMA needs to pass the measurement list to the next kernel. */
> > -	ima_add_kexec_buffer(image);
> > -
> >  	/* Call arch image probe handlers */
> >  	ret = arch_kexec_kernel_image_probe(image, image->kernel_buf,
> >  					    image->kernel_buf_len);
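Review bot: the removed ima_add_kexec_buffer() call sat before arch_kexec_kernel_image_probe(), and its replacement in the next hunk runs only after that probe and after the initrd and cmdline have been copied in, yet the commit message justifies the move solely relative to the cmdline measurement. Please state in the message that ima_add_kexec_buffer() has no dependency on running before the arch probe, and that the error paths between the old and new call sites (the `goto out` branches) now leave the image without an IMA buffer, which is the intended result since the image is discarded on error.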
> > @@ -241,8 +238,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
> >  			ret = -EINVAL;
> >  			goto out;
> >  		}
> > +
> > +		ima_kexec_cmdline(image->cmdline_buf,
> > +				  image->cmdline_buf_len - 1);
> >  	}
> >  
> > +	/* IMA needs to pass the measurement list to the next kernel. */
> > +	ima_add_kexec_buffer(image);
> > +
> >  	/* Call arch image load handlers */
> >  	ldata = arch_kexec_kernel_image_load(image);
> >  
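Review bot: the `image->cmdline_buf_len - 1` passed to ima_kexec_cmdline() is unexplained; add a comment stating that it drops the trailing NUL so the measured bytes are the command line as the next kernel will see it, and name the check that guarantees cmdline_buf_len is at least 1 at this point (presumably the validation just above that sets `ret = -EINVAL` and jumps to `out`), since with an unsigned length a zero here would underflow into a huge measurement. The moved `/* IMA needs to pass the measurement list to the next kernel. */` comment is copied verbatim; extend it to say the call must stay after the last ima_* measurement in this function, otherwise a future reordering would silently leave the cmdline entry out of the list handed to the next kernel.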
> 

Thanks
Dave
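The patch above measures the kexec command line, minus its trailing NUL (`cmdline_buf_len - 1`), into the IMA log before that log is handed to the next kernel. The following is an added example, not code from this patch, from the kernel, or from any of the people in this thread: a small user-space check that reads a measurement list and confirms that the recorded kexec-cmdline entry is internally consistent and matches the command line that was actually passed to kexec_file_load. The log line layout used here (`<pcr> <template-hash> ima-buf <algo>:<digest> <event> <hex(buffer)>`), the event name `kexec-cmdline`, the PCR number and every sample line are assumptions constructed for the example; only the rule that the trailing NUL is excluded from the measured bytes is taken from the patch.

```python
"""Added example (not from the patch or the kernel): verify a kexec-cmdline
entry in an IMA measurement list against the command line given to kexec.

Assumed log format (constructed for this example):
  "<pcr> <template-hash> ima-buf <algo>:<hex-digest> <event-name> <hex(buffer)>"
The event name, PCR number and all sample values below are also assumptions.
"""
import hashlib

KEXEC_CMDLINE_EVENT = "kexec-cmdline"   # assumed event name
TEMPLATE_HASH_PLACEHOLDER = "0" * 40     # constructed; real value needs PCR replay


def measured_bytes(cmdline_buf: bytes) -> bytes:
    """Bytes that get hashed: the buffer minus its trailing NUL, mirroring the
    `image->cmdline_buf_len - 1` argument in the patch."""
    if not cmdline_buf.endswith(b"\0"):
        raise ValueError("kexec cmdline buffer must be NUL-terminated")
    return cmdline_buf[:-1]


def cmdline_digest(cmdline_buf: bytes, algo: str = "sha256") -> str:
    """Digest IMA would record for this command line under the assumed rule."""
    return hashlib.new(algo, measured_bytes(cmdline_buf)).hexdigest()


def format_entry(cmdline_buf: bytes, pcr: int = 10, algo: str = "sha256") -> str:
    """Build one constructed log line in the assumed ima-buf layout."""
    return " ".join([
        str(pcr),
        TEMPLATE_HASH_PLACEHOLDER,
        "ima-buf",
        f"{algo}:{cmdline_digest(cmdline_buf, algo)}",
        KEXEC_CMDLINE_EVENT,
        measured_bytes(cmdline_buf).hex(),
    ])


def parse_entry(line: str):
    """Parse an ima-buf line into its fields; other templates yield None."""
    fields = line.split(" ")
    if len(fields) != 6 or fields[2] != "ima-buf":
        return None
    pcr, _template_hash, _template, algo_digest, event, buf_hex = fields
    algo, _, digest = algo_digest.partition(":")
    return {"pcr": int(pcr), "algo": algo, "digest": digest,
            "event": event, "buf": bytes.fromhex(buf_hex)}


def verify_kexec_cmdline(log_lines, expected_cmdline_buf: bytes) -> bool:
    """True iff the log holds exactly one kexec-cmdline entry whose digest
    matches its own recorded buffer and whose buffer equals the command line
    we passed to kexec (without the trailing NUL)."""
    matches = []
    for line in log_lines:
        entry = parse_entry(line)
        if entry is None or entry["event"] != KEXEC_CMDLINE_EVENT:
            continue
        # An entry whose digest does not cover its own buffer is tampered
        # or mis-parsed; fail closed rather than trusting the buffer text.
        recomputed = hashlib.new(entry["algo"], entry["buf"]).hexdigest()
        if recomputed != entry["digest"]:
            return False
        matches.append(entry["buf"] == measured_bytes(expected_cmdline_buf))
    return len(matches) == 1 and matches[0]


# Constructed sample log: one unrelated ima-ng file entry plus the cmdline entry.
SAMPLE_CMDLINE = b"root=/dev/sda1 ro quiet\0"
SAMPLE_LOG = [
    "10 " + TEMPLATE_HASH_PLACEHOLDER + " ima-ng sha256:" + "1" * 64 + " /usr/bin/kexec",
    format_entry(SAMPLE_CMDLINE),
]

if __name__ == "__main__":
    print("matching cmdline:", verify_kexec_cmdline(SAMPLE_LOG, SAMPLE_CMDLINE))
    print("different cmdline:", verify_kexec_cmdline(SAMPLE_LOG, b"root=/dev/sda1 rw quiet\0"))
```

The check fails closed in two distinct ways: a log entry whose digest does not cover its own recorded buffer is rejected outright, and a log that carries no (or more than one) kexec-cmdline entry is rejected even if one of them matches. The NUL rule matters for any external verifier: hashing the buffer with its terminator included yields a different digest from the one IMA records, so a verifier that reads the command line from a file with a trailing NUL or newline will never match.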
