| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <193deea5-c1b4-4189-a5a0-a3e29841225a@linux.microsoft.com>
Date: Sun, 20 Apr 2025 06:10:23 -0700
From: steven chen <chenste@...ux.microsoft.com>
To: Baoquan He <bhe@...hat.com>
Cc: zohar@...ux.ibm.com, stefanb@...ux.ibm.com,
roberto.sassu@...weicloud.com, roberto.sassu@...wei.com,
eric.snowberg@...cle.com, ebiederm@...ssion.com, paul@...l-moore.com,
code@...icks.com, bauermann@...abnow.com, linux-integrity@...r.kernel.org,
kexec@...ts.infradead.org, linux-security-module@...r.kernel.org,
linux-kernel@...r.kernel.org, madvenka@...ux.microsoft.com,
nramas@...ux.microsoft.com, James.Bottomley@...senpartnership.com,
vgoyal@...hat.com, dyoung@...hat.com
Subject: Re: [PATCH v12 9/9] ima: measure kexec load and exec events as
critical data
On 4/18/2025 2:08 AM, Baoquan He wrote:
> On 04/15/25 at 07:10pm, steven chen wrote:
>> From: Steven Chen <chenste@...ux.microsoft.com>
>>
>> The amount of memory allocated at kexec load, even with the extra memory
>> allocated, might not be large enough for the entire measurement list. The
>> indeterminate interval between kexec 'load' and 'execute' could exacerbate
>> this problem.
>>
>> Define two new IMA events, 'kexec_load' and 'kexec_execute', to be
>> measured as critical data at kexec 'load' and 'execute' respectively.
>> Report the allocated kexec segment size, IMA binary log size and the
>> runtime measurements count as part of those events.
>>
>> These events, and the values reported through them, serve as markers in
>> the IMA log to verify the IMA events are captured during kexec soft
>> reboot. The presence of a 'kexec_load' event in between the last two
>> 'boot_aggregate' events in the IMA log implies this is a kexec soft
>> reboot, and not a cold-boot. And the absence of 'kexec_execute' event
>> after kexec soft reboot implies missing events in that window which
>> results in inconsistency with TPM PCR quotes, necessitating a cold boot
>> for a successful remote attestation.
>>
>> These critical data events are displayed as hex encoded ascii in the
>> ascii_runtime_measurement_list. Verifying the critical data hash requires
>> calculating the hash of the decoded ascii string.
>>
>> For example, to verify the 'kexec_load' data hash:
>>
>> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
>> | grep kexec_load | cut -d' ' -f 6 | xxd -r -p | sha256sum
>>
>>
>> To verify the 'kexec_execute' data hash:
>>
>> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
>> | grep kexec_execute | cut -d' ' -f 6 | xxd -r -p | sha256sum
>>
>> Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
> ^^^^^
>> Signed-off-by: Steven Chen <chenste@...ux.microsoft.com>
> ^^^^^
Hi Baoquan,
I will add Co-developed-by tag in next version.
Thanks,
Steven
>> Reviewed-by: Mimi Zohar <zohar@...ux.ibm.com>
>> ---
>> security/integrity/ima/ima.h | 6 ++++++
>> security/integrity/ima/ima_kexec.c | 21 +++++++++++++++++++++
>> security/integrity/ima/ima_queue.c | 5 +++++
>> 3 files changed, 32 insertions(+)
> Acked-by: Baoquan He <bhe@...hat.com>
>
>> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
>> index 24d09ea91b87..34815baf5e21 100644
>> --- a/security/integrity/ima/ima.h
>> +++ b/security/integrity/ima/ima.h
>> @@ -240,6 +240,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
>> unsigned long flags, bool create);
>> #endif
>>
>> +#ifdef CONFIG_IMA_KEXEC
>> +void ima_measure_kexec_event(const char *event_name);
>> +#else
>> +static inline void ima_measure_kexec_event(const char *event_name) {}
>> +#endif
>> +
>> /*
>> * The default binary_runtime_measurements list format is defined as the
>> * platform native format. The canonical format is defined as little-endian.
>> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
>> index d1c9d369ba08..38cb2500f4c3 100644
>> --- a/security/integrity/ima/ima_kexec.c
>> +++ b/security/integrity/ima/ima_kexec.c
>> @@ -17,6 +17,8 @@
>> #include "ima.h"
>>
>> #ifdef CONFIG_IMA_KEXEC
>> +#define IMA_KEXEC_EVENT_LEN 256
>> +
>> static bool ima_kexec_update_registered;
>> static struct seq_file ima_kexec_file;
>> static size_t kexec_segment_size;
>> @@ -31,6 +33,24 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
>> sf->count = 0;
>> }
>>
>> +void ima_measure_kexec_event(const char *event_name)
>> +{
>> + char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
>> + size_t buf_size = 0;
>> + long len;
>> + int n;
>> +
>> + buf_size = ima_get_binary_runtime_size();
>> + len = atomic_long_read(&ima_htable.len);
>> +
>> + n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
>> + "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
>> + "ima_runtime_measurements_count=%ld;",
>> + kexec_segment_size, buf_size, len);
>> +
>> + ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0);
>> +}
>> +
>> static int ima_alloc_kexec_file_buf(size_t segment_size)
>> {
>> /*
>> @@ -53,6 +73,7 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
>> out:
>> ima_kexec_file.read_pos = 0;
>> ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */
>> + ima_measure_kexec_event("kexec_load");
>>
>> return 0;
>> }
>> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
>> index 83d53824aa98..590637e81ad1 100644
>> --- a/security/integrity/ima/ima_queue.c
>> +++ b/security/integrity/ima/ima_queue.c
>> @@ -241,6 +241,11 @@ static int ima_reboot_notifier(struct notifier_block *nb,
>> unsigned long action,
>> void *data)
>> {
>> +#ifdef CONFIG_IMA_KEXEC
>> + if (action == SYS_RESTART && data && !strcmp(data, "kexec reboot"))
>> + ima_measure_kexec_event("kexec_execute");
>> +#endif
>> +
>> ima_measurements_suspend();
>>
>> return NOTIFY_DONE;
>> --
>> 2.43.0
>>
Powered by blists - more mailing lists