lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1f01055c-acb8-6497-0144-dfeb78f08eee@linux.microsoft.com>
Date:   Tue, 3 Nov 2020 11:26:45 -0800
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, bauerman@...ux.ibm.com,
        robh@...nel.org, gregkh@...uxfoundation.org, james.morse@....com,
        catalin.marinas@....com, sashal@...nel.org, will@...nel.org,
        mpe@...erman.id.au, benh@...nel.crashing.org, paulus@...ba.org,
        robh+dt@...nel.org, frowand.list@...il.com,
        vincenzo.frascino@....com, mark.rutland@....com,
        dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
        pasha.tatashin@...een.com, allison@...utok.net,
        kstewart@...uxfoundation.org, takahiro.akashi@...aro.org,
        tglx@...utronix.de, masahiroy@...nel.org, bhsharma@...hat.com,
        mbrugger@...e.com, hsinyi@...omium.org, tao.li@...o.com,
        christophe.leroy@....fr
Cc:     linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        devicetree@...r.kernel.org, prsriva@...ux.microsoft.com,
        balajib@...ux.microsoft.com
Subject: Re: [PATCH v8 0/4] Carry forward IMA measurement log on kexec on
 ARM64

On 11/3/20 7:18 AM, Mimi Zohar wrote:

Hi Mimi,

> On Fri, 2020-10-30 at 10:44 -0700, Lakshmi Ramasubramanian wrote:
>> On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> may verify the IMA signature of the kernel and initramfs, and measure
>> it. The command line parameters passed to the kernel in the kexec call
>> may also be measured by IMA. A remote attestation service can verify
>> the measurement through the IMA log and the TPM PCR data. This can be
>> achieved only if the IMA measurement log is carried over from
>> the current kernel to the next kernel across the kexec call.
> 
> Nice, but you might want to tweak it a bit.  This is just a suggestion.
> "A remote attestation service can verify a TPM quote based on the TPM
> event log, the IMA measurement list, and the TPM PCR data".
Sure - will make this change.

> 
>> However in the current implementation the IMA measurement logs are not
>> carried over on ARM64 platforms. Therefore a remote attestation service
>> cannot verify the authenticity of the running kernel on ARM64 platforms
>> when the kernel is updated through the kexec system call.
> 
> The paragraphs above and below are redundant.  The first paragraph
> already explained why carrying the measurement across kexec is needed.
> Perhaps drop the above paragraph.
Sure.

> 
>> This patch series adds support for carrying forward the IMA measurement
>> log on kexec on ARM64. powerpc already supports carrying forward
>> the IMA measurement log on kexec.
> 
> And invert these sentences, starting the paragraph with "Powerpc
> already" and ending with ARM64.
Sure.

> 
>>
>> This series refactors the platform independent code defined for powerpc
>> such that it can be reused for ARM64 as well. A chosen node namely
>> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> the address and the size of the memory reserved to carry
>> the IMA measurement log.
> 
> ^This patch set moves ..."
Sure - will make this change.

Thanks again for reviewing the patches. Will post the updated patch set 
shortly.

  -lakshmi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ