Date:   Sun, 13 Feb 2022 13:53:12 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Michal Suchanek <msuchanek@...e.de>, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, linux-integrity@...r.kernel.org
Cc:     kexec@...ts.infradead.org, Philipp Rudo <prudo@...hat.com>,
        Nayna <nayna@...ux.vnet.ibm.com>, Rob Herring <robh@...nel.org>,
        linux-s390@...r.kernel.org, Vasily Gorbik <gor@...ux.ibm.com>,
        Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        Heiko Carstens <hca@...ux.ibm.com>,
        Jessica Yu <jeyu@...nel.org>, linux-kernel@...r.kernel.org,
        David Howells <dhowells@...hat.com>,
        Christian Borntraeger <borntraeger@...ibm.com>,
        Luis Chamberlain <mcgrof@...nel.org>,
        Paul Mackerras <paulus@...ba.org>,
        Hari Bathini <hbathini@...ux.ibm.com>,
        Alexander Gordeev <agordeev@...ux.ibm.com>,
        linuxppc-dev@...ts.ozlabs.org,
        Frank van der Linden <fllinden@...zon.com>,
        Thiago Jung Bauermann <bauerman@...ux.ibm.com>,
        Daniel Axtens <dja@...ens.net>, buendgen@...ibm.com,
        Michael Ellerman <mpe@...erman.id.au>,
        Benjamin Herrenschmidt <benh@...nel.crashing.org>,
        Christian Borntraeger <borntraeger@...ux.ibm.com>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Dmitry Kasatkin <dmitry.kasatkin@...il.com>,
        James Morris <jmorris@...ei.org>,
        "Serge E. Hallyn" <serge@...lyn.com>,
        Sven Schnelle <svens@...ux.ibm.com>,
        Baoquan He <bhe@...hat.com>,
        linux-security-module@...r.kernel.org
Subject: Re: [PATCH v5 0/6] KEXEC_SIG with appended signature

Hi Michal,

On Tue, 2022-01-11 at 12:37 +0100, Michal Suchanek wrote:
> Hello,
> 
> This is a refresh of the KEXEC_SIG series.

> This adds KEXEC_SIG support on powerpc and deduplicates the code dealing
> with appended signatures in the kernel.
> 
> powerpc supports IMA_KEXEC but that's an exception rather than the norm.
> On the other hand, KEXEC_SIG is portable across platforms.

This Kconfig carries the IMA measurement list across kexec.  This has
nothing to do with appended signatures.

config IMA_KEXEC
        bool "Enable carrying the IMA measurement list across a soft boot"
        depends on IMA && TCG_TPM && HAVE_IMA_KEXEC

In addition to powerpc, arm64 sets HAVE_IMA_KEXEC.

Even prior to the kexec appended signature support, like all other
files, the kexec kernel image signature could be stored in
security.ima.

> 
> For distributions to have uniform security features across platforms one
> option should be used on all platforms.

The kexec kernel image measurement will not be included in the BIOS
event log.  Even if the measurement is included in the IMA measurement
list, without the IMA_KEXEC Kconfig the measurement list will not be
carried across kexec.  For those not interested in "trusted boot" or
those who do not need it for compliance, the simplification should be
fine.

-- 
thanks,

Mimi
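
Added example, not part of the original message or of the kernel tree: a small audit of a kernel .config that reports separately whether kexec signature checking (KEXEC_SIG) is enabled and whether the IMA measurement list would be carried across kexec (IMA_KEXEC), using the dependency line quoted above. The function names and both sample configs are constructed for illustration.

```python
import re

# Dependencies of IMA_KEXEC exactly as quoted in the message above.
IMA_KEXEC_DEPS = ("IMA", "TCG_TPM", "HAVE_IMA_KEXEC")

def parse_config(text):
    """Map symbol -> value from kernel .config text ('is not set' becomes 'n')."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"CONFIG_(\w+)=(.*)", line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
            continue
        m = re.fullmatch(r"# CONFIG_(\w+) is not set", line)
        if m:
            opts[m.group(1)] = "n"
    return opts

def audit(text):
    """Report signature checking and measurement-list carry-over for one config."""
    opts = parse_config(text)
    enabled = lambda sym: opts.get(sym, "n") in ("y", "m")
    return {
        "kexec_sig": enabled("KEXEC_SIG"),
        # Without IMA_KEXEC the IMA measurement list is not carried across kexec.
        "list_carried_across_kexec": enabled("IMA_KEXEC"),
        # Unmet dependencies explain why IMA_KEXEC cannot be turned on.
        "unmet_ima_kexec_deps": [d for d in IMA_KEXEC_DEPS if not enabled(d)],
    }

# Constructed sample configs (not taken from any real distribution kernel).
WITH_IMA_KEXEC = """\
CONFIG_KEXEC_SIG=y
CONFIG_IMA=y
CONFIG_TCG_TPM=y
CONFIG_HAVE_IMA_KEXEC=y
CONFIG_IMA_KEXEC=y
"""
SIG_ONLY = """\
CONFIG_KEXEC_SIG=y
CONFIG_IMA=y
CONFIG_TCG_TPM=y
"""

if __name__ == "__main__":
    for name, cfg in (("with IMA_KEXEC", WITH_IMA_KEXEC), ("KEXEC_SIG only", SIG_ONLY)):
        print(name, audit(cfg))
```

On the second sample the audit shows signature checking enabled while the measurement list is not carried, with HAVE_IMA_KEXEC as the unmet dependency.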
