lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <c661ce17-a5a6-0aa0-ed9d-eab99020d98a@linux.microsoft.com>
Date:   Tue, 12 Jan 2021 10:23:01 -0800
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Rob Herring <robh@...nel.org>
Cc:     zohar@...ux.ibm.com, bauerman@...ux.ibm.com,
        takahiro.akashi@...aro.org, gregkh@...uxfoundation.org,
        will@...nel.org, catalin.marinas@....com, mpe@...erman.id.au,
        james.morse@....com, sashal@...nel.org, benh@...nel.crashing.org,
        paulus@...ba.org, frowand.list@...il.com,
        vincenzo.frascino@....com, mark.rutland@....com,
        dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
        pasha.tatashin@...een.com, allison@...utok.net,
        masahiroy@...nel.org, bhsharma@...hat.com, mbrugger@...e.com,
        hsinyi@...omium.org, tao.li@...o.com, christophe.leroy@....fr,
        prsriva@...ux.microsoft.com, balajib@...ux.microsoft.com,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org, devicetree@...r.kernel.org
Subject: Re: [PATCH v14 0/6] Carry forward IMA measurement log on kexec on
 ARM64

On 1/12/21 6:42 AM, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> may verify the IMA signature of the kernel and initramfs, and measure
>> it. The command line parameters passed to the kernel in the kexec call
>> may also be measured by IMA. A remote attestation service can verify
>> a TPM quote based on the TPM event log, the IMA measurement list, and
>> the TPM PCR data. This can be achieved only if the IMA measurement log
>> is carried over from the current kernel to the next kernel across
>> the kexec call.
>>
>> powerpc already supports carrying forward the IMA measurement log on
>> kexec. This patch set adds support for carrying forward the IMA
>> measurement log on kexec on ARM64.
>>
>> This patch set moves the platform independent code defined for powerpc
>> such that it can be reused for other platforms as well. A chosen node
>> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> the address and the size of the memory reserved to carry
>> the IMA measurement log.
>>
>> This patch set has been tested for ARM64 platform using QEMU.
>> I would like help from the community for testing this change on powerpc.
>> Thanks.
>>
>> This patch set is based on
>> commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
>> in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
>> "dt/kexec" branch.
> 
> This all looks good to me. I'd suggest you send the above patches out as
> part of this series because I don't plan to do so.

Thanks for reviewing the patches Rob.

Sure - I'll add your patches to this series.

> I would like to also resolve the vmalloc vs. kmalloc difference for
> allocating the FDT. Then we can further consolidate the DT kexec code.

I think FDT allocation using vmalloc for ARM64 can be changed to 
kmalloc. What are the other changes you'd like me to do in arm64/powerpc 
DT kexec code in this patch series?

@AKASHI Takahiro - could you please let me know if the above sounds right?

> 
> It all needs some acks from arm64 and powerpc maintainers. As far as
> merging, I think via the integrity tree makes the most sense.

I'll create the patch series in "next-integrity" branch.

Thiago/Mimi have acked some of the patches. Please review the remaining 
patches in this version.

Could arm64 maintainers please review the patches and respond?

thanks,
  -lakshmi


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ