lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 12 Jan 2021 10:23:01 -0800
From:   Lakshmi Ramasubramanian <>
To:     Rob Herring <>
Subject: Re: [PATCH v14 0/6] Carry forward IMA measurement log on kexec on

On 1/12/21 6:42 AM, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> may verify the IMA signature of the kernel and initramfs, and measure
>> it. The command line parameters passed to the kernel in the kexec call
>> may also be measured by IMA. A remote attestation service can verify
>> a TPM quote based on the TPM event log, the IMA measurement list, and
>> the TPM PCR data. This can be achieved only if the IMA measurement log
>> is carried over from the current kernel to the next kernel across
>> the kexec call.
>> powerpc already supports carrying forward the IMA measurement log on
>> kexec. This patch set adds support for carrying forward the IMA
>> measurement log on kexec on ARM64.
>> This patch set moves the platform independent code defined for powerpc
>> such that it can be reused for other platforms as well. A chosen node
>> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> the address and the size of the memory reserved to carry
>> the IMA measurement log.
>> This patch set has been tested for ARM64 platform using QEMU.
>> I would like help from the community for testing this change on powerpc.
>> Thanks.
>> This patch set is based on
>> commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
>> in
>> "dt/kexec" branch.
> This all looks good to me. I'd suggest you send the above patches out as
> part of this series because I don't plan to do so.

Thanks for reviewing the patches Rob.

Sure - I'll add your patches to this series.

> I would like to also resolve the vmalloc vs. kmalloc difference for
> allocating the FDT. Then we can further consolidate the DT kexec code.

I think FDT allocation using vmalloc for ARM64 can be changed to 
kmalloc. What are the other changes you'd like me to do in arm64/powerpc 
DT kexec code in this patch series?

@AKASHI Takahiro - could you please let me know if the above sounds right?

> It all needs some acks from arm64 and powerpc maintainers. As far as
> merging, I think via the integrity tree makes the most sense.

I'll create the patch series in "next-integrity" branch.

Thiago/Mimi have acked some of the patches. Please review the remaining 
patches in this version.

Could arm64 maintainers please review the patches and respond?


Powered by blists - more mailing lists