| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 Jan 2021 10:23:01 -0800
From: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To: Rob Herring <robh@...nel.org>
Cc: zohar@...ux.ibm.com, bauerman@...ux.ibm.com,
takahiro.akashi@...aro.org, gregkh@...uxfoundation.org,
will@...nel.org, catalin.marinas@....com, mpe@...erman.id.au,
james.morse@....com, sashal@...nel.org, benh@...nel.crashing.org,
paulus@...ba.org, frowand.list@...il.com,
vincenzo.frascino@....com, mark.rutland@....com,
dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
pasha.tatashin@...een.com, allison@...utok.net,
masahiroy@...nel.org, bhsharma@...hat.com, mbrugger@...e.com,
hsinyi@...omium.org, tao.li@...o.com, christophe.leroy@....fr,
prsriva@...ux.microsoft.com, balajib@...ux.microsoft.com,
linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org, devicetree@...r.kernel.org
Subject: Re: [PATCH v14 0/6] Carry forward IMA measurement log on kexec on
ARM64
On 1/12/21 6:42 AM, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> may verify the IMA signature of the kernel and initramfs, and measure
>> it. The command line parameters passed to the kernel in the kexec call
>> may also be measured by IMA. A remote attestation service can verify
>> a TPM quote based on the TPM event log, the IMA measurement list, and
>> the TPM PCR data. This can be achieved only if the IMA measurement log
>> is carried over from the current kernel to the next kernel across
>> the kexec call.
>>
>> powerpc already supports carrying forward the IMA measurement log on
>> kexec. This patch set adds support for carrying forward the IMA
>> measurement log on kexec on ARM64.
>>
>> This patch set moves the platform independent code defined for powerpc
>> such that it can be reused for other platforms as well. A chosen node
>> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> the address and the size of the memory reserved to carry
>> the IMA measurement log.
>>
>> This patch set has been tested for ARM64 platform using QEMU.
>> I would like help from the community for testing this change on powerpc.
>> Thanks.
>>
>> This patch set is based on
>> commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
>> in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
>> "dt/kexec" branch.
>
> This all looks good to me. I'd suggest you send the above patches out as
> part of this series because I don't plan to do so.
Thanks for reviewing the patches Rob.
Sure - I'll add your patches to this series.
> I would like to also resolve the vmalloc vs. kmalloc difference for
> allocating the FDT. Then we can further consolidate the DT kexec code.
I think FDT allocation using vmalloc for ARM64 can be changed to
kmalloc. What are the other changes you'd like me to do in arm64/powerpc
DT kexec code in this patch series?
@AKASHI Takahiro - could you please let me know if the above sounds right?
>
> It all needs some acks from arm64 and powerpc maintainers. As far as
> merging, I think via the integrity tree makes the most sense.
I'll create the patch series in "next-integrity" branch.
Thiago/Mimi have acked some of the patches. Please review the remaining
patches in this version.
Could arm64 maintainers please review the patches and respond?
thanks,
-lakshmi
Powered by blists - more mailing lists