| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aAIJ/vpJD7GpBwKe@MiWiFi-R3L-srv>
Date: Fri, 18 Apr 2025 16:14:54 +0800
From: Baoquan He <bhe@...hat.com>
To: steven chen <chenste@...ux.microsoft.com>
Cc: zohar@...ux.ibm.com, stefanb@...ux.ibm.com,
roberto.sassu@...weicloud.com, roberto.sassu@...wei.com,
eric.snowberg@...cle.com, ebiederm@...ssion.com,
paul@...l-moore.com, code@...icks.com, bauermann@...abnow.com,
linux-integrity@...r.kernel.org, kexec@...ts.infradead.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org,
madvenka@...ux.microsoft.com, nramas@...ux.microsoft.com,
James.Bottomley@...senpartnership.com, vgoyal@...hat.com,
dyoung@...hat.com
Subject: Re: [PATCH v12 8/9] ima: make the kexec extra memory configurable
On 04/15/25 at 07:10pm, steven chen wrote:
> From: Steven Chen <chenste@...ux.microsoft.com>
>
> The extra memory allocated for carrying the IMA measurement list across
> kexec is hard-coded as half a PAGE. Make it configurable.
>
> Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
> extra memory (in kb) to be allocated for IMA measurements added during
> kexec soft reboot. Ensure the default value of the option is set such
> that extra half a page of memory for additional measurements is allocated
> for the additional measurements.
>
> Update ima_add_kexec_buffer() function to allocate memory based on the
> Kconfig option value, rather than the currently hard-coded one.
>
> Suggested-by: Stefan Berger <stefanb@...ux.ibm.com>
> Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
^^^^^^^^^^^^^^^^
> Signed-off-by: Steven Chen <chenste@...ux.microsoft.com>
> ---
> security/integrity/ima/Kconfig | 11 +++++++++++
> security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
> 2 files changed, 22 insertions(+), 5 deletions(-)
The contributor's tag need be updated too, otherwise,
Acked-by: Baoquan He <bhe@...hat.com>
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 475c32615006..976e75f9b9ba 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -321,4 +321,15 @@ config IMA_DISABLE_HTABLE
> help
> This option disables htable to allow measurement of duplicate records.
>
> +config IMA_KEXEC_EXTRA_MEMORY_KB
> + int "Extra memory for IMA measurements added during kexec soft reboot"
> + range 0 40
> + depends on IMA_KEXEC
> + default 0
> + help
> + IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
> + allocated (in kb) for IMA measurements added during kexec soft reboot.
> + If set to the default value of 0, an extra half page of memory for those
> + additional measurements will be allocated.
> +
> endif
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index ed867734ee70..d1c9d369ba08 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -118,6 +118,7 @@ void ima_add_kexec_buffer(struct kimage *image)
> .buf_min = 0, .buf_max = ULONG_MAX,
> .top_down = true };
> unsigned long binary_runtime_size;
> + unsigned long extra_memory;
>
> /* use more understandable variable names than defined in kbuf */
> size_t kexec_buffer_size = 0;
> @@ -125,15 +126,20 @@ void ima_add_kexec_buffer(struct kimage *image)
> int ret;
>
> /*
> - * Reserve an extra half page of memory for additional measurements
> - * added during the kexec load.
> + * Reserve extra memory for measurements added during kexec.
> */
> - binary_runtime_size = ima_get_binary_runtime_size();
> + if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
> + extra_memory = PAGE_SIZE / 2;
> + else
> + extra_memory = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;
> +
> + binary_runtime_size = ima_get_binary_runtime_size() + extra_memory;
> +
> if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
> kexec_segment_size = ULONG_MAX;
> else
> - kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
> - PAGE_SIZE / 2, PAGE_SIZE);
> + kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);
> +
> if ((kexec_segment_size == ULONG_MAX) ||
> ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
> pr_err("Binary measurement list too large.\n");
> --
> 2.43.0
>
Powered by blists - more mailing lists