lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <c0dcf292-4c43-4e87-8016-34194f2bddb4@linux.microsoft.com>
Date: Mon, 12 May 2025 07:23:23 -0700
From: steven chen <chenste@...ux.microsoft.com>
To: zohar@...ux.ibm.com, stefanb@...ux.ibm.com,
 roberto.sassu@...weicloud.com, roberto.sassu@...wei.com,
 eric.snowberg@...cle.com, ebiederm@...ssion.com, paul@...l-moore.com,
 code@...icks.com, bauermann@...abnow.com, linux-integrity@...r.kernel.org,
 kexec@...ts.infradead.org, linux-security-module@...r.kernel.org,
 linux-kernel@...r.kernel.org
Cc: madvenka@...ux.microsoft.com, nramas@...ux.microsoft.com,
 James.Bottomley@...senPartnership.com, bhe@...hat.com
Subject: Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity
 measurement

On 5/2/2025 1:03 PM, steven chen wrote:
> From: Steven Chen <chenste@...ux.microsoft.com>
>
> Kdump kernel doesn't need IMA to do integrity measurement.
> Hence the measurement list in 1st kernel doesn't need to be copied to
> kdump kenrel.
>
> Here skip allocating buffer for measurement list copying if loading
> kdump kernel. Then there won't be the later handling related to
> ima_kexec_buffer.
>
> Signed-off-by: Steven Chen <chenste@...ux.microsoft.com>
> ---
>   security/integrity/ima/ima_kexec.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 38cb2500f4c3..7362f68f2d8b 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image)
>   	void *kexec_buffer = NULL;
>   	int ret;
>   
> +	if (image->type == KEXEC_TYPE_CRASH)
> +		return;
> +
>   	/*
>   	 * Reserve extra memory for measurements added during kexec.
>   	 */

Hi Baoquan,

Could you tell me when will you have time to validate kdump scenario 
using this patch?

This patch is based on the next-integrity branch of 
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/

Thanks,

Steven

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ