Message-ID: <283be073924bd046f180880b5912338744550884.camel@linux.ibm.com>
Date: Tue, 27 May 2025 18:08:35 -0400
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: linux-integrity <linux-integrity@...r.kernel.org>,
        linux-kernel <linux-kernel@...r.kernel.org>,
        Roberto Sassu <roberto.sassu@...weicloud.com>
Subject: [GIT PULL] integrity: subsystem fixes for v6.16

Hi Linus,

Carrying the IMA measurement list across kexec is not a new feature, but is
updated to address a couple of issues:

- Carrying the IMA measurement list across kexec required knowing a priori all
the file measurements between the "kexec load" and "kexec execute" in order to
measure them before the "kexec load".  Any delay between the "kexec load" and
"kexec exec" exacerbated the problem.

- Any file measurements post "kexec load" were not carried across kexec,
resulting in the measurement list being out of sync with the TPM PCR.

With these changes, the buffer for the IMA measurement list is still allocated
at "kexec load", but copying the IMA measurement list is deferred to after
quiescing the TPM.

Two new kexec critical data records are defined.

Note:
- The IMA kexec segment hash is not calculated or verified.

thanks,

Mimi


The following changes since commit b4432656b36e5cc1d50a1f2dc15357543add530e:

  Linux 6.15-rc4 (2025-04-27 15:19:23 -0700)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/ tags/integrity-v6.16

for you to fetch changes up to fe3aebf27dc1875b2a0d13431e2e8cf3cf350cca:

  ima: do not copy measurement list to kdump kernel (2025-05-14 06:40:09 -0400)

----------------------------------------------------------------
integrity-v6.16

----------------------------------------------------------------
Steven Chen (10):
      ima: rename variable the seq_file "file" to "ima_kexec_file"
      ima: define and call ima_alloc_kexec_file_buf()
      kexec: define functions to map and unmap segments
      ima: kexec: skip IMA segment validation after kexec soft reboot
      ima: kexec: define functions to copy IMA log at soft boot
      ima: kexec: move IMA log copy from kexec load to execute
      ima: verify if the segment size has changed
      ima: make the kexec extra memory configurable
      ima: measure kexec load and exec events as critical data
      ima: do not copy measurement list to kdump kernel

 include/linux/ima.h                |   3 +
 include/linux/kexec.h              |   9 ++
 kernel/kexec_core.c                |  54 ++++++++++
 kernel/kexec_file.c                |  33 ++++++-
 security/integrity/ima/Kconfig     |  11 +++
 security/integrity/ima/ima.h       |   6 ++
 security/integrity/ima/ima_kexec.c | 196 ++++++++++++++++++++++++++++++-------
 security/integrity/ima/ima_queue.c |   5 +
 8 files changed, 283 insertions(+), 34 deletions(-)
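The "out of sync with the TPM PCR" failure described in the pull request is what a verifier detects when it replays the measurement list: each entry's template hash is extended into PCR 10 in order, so an entry measured after "kexec load" but dropped from the carried-over list leaves the replayed value different from the PCR the TPM actually holds. The following is an added example of that replay check, not code from the kernel or from this pull request; it assumes the sha1 PCR 10 bank, the ima-ng template, constructed sample entries, and the kernel's convention that a violation entry is listed with a zero template hash but extends the PCR with 0xff bytes.

```python
import hashlib

def _demo_digests(label: str):
    """Constructed template/file digests for the sample list (not real measurements)."""
    data = label.encode()
    return hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()

def _entry(path: str) -> str:
    # ascii_runtime_measurements line: "<pcr> <template-hash> <template> <file-hash> <path>"
    t, f = _demo_digests(path)
    return f"10 {t} ima-ng sha256:{f} {path}"

# Constructed stand-in for /sys/kernel/security/ima/ascii_runtime_measurements.
SAMPLE_LIST = "\n".join([
    _entry("boot_aggregate"),
    _entry("/usr/bin/kexec"),
    # violation entry (e.g. open-writers): the list records an all-zero template hash
    "10 " + "0" * 40 + " ima-ng sha256:" + "0" * 64 + " /tmp/open-writers-violation",
    _entry("/etc/measured-after-kexec-load.conf"),   # measured after "kexec load"
])

def parse_template_hashes(text: str, pcr: int = 10) -> list:
    """Return the template hashes for one PCR as the TPM would have received them."""
    digests = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or int(fields[0]) != pcr:
            continue
        digest = bytes.fromhex(fields[1])
        if not any(digest):
            # The kernel invalidates the PCR for a violation by extending 0xff..ff
            digest = b"\xff" * len(digest)
        digests.append(digest)
    return digests

def replay_pcr(template_hashes: list, alg: str = "sha1") -> bytes:
    """PCR extend: new = H(old || digest), starting from the all-zero reset value."""
    pcr = bytes(hashlib.new(alg).digest_size)
    for digest in template_hashes:
        pcr = hashlib.new(alg, pcr + digest).digest()
    return pcr

def list_in_sync(text: str, tpm_pcr_hex: str, alg: str = "sha1") -> bool:
    """True when replaying the list reproduces the PCR value read from the TPM."""
    return replay_pcr(parse_template_hashes(text), alg) == bytes.fromhex(tpm_pcr_hex)

if __name__ == "__main__":
    # Stand-in for reading /sys/class/tpm/tpm0/pcr-sha1/10 on the running kernel.
    tpm_pcr10 = replay_pcr(parse_template_hashes(SAMPLE_LIST)).hex()
    print("full list in sync:", list_in_sync(SAMPLE_LIST, tpm_pcr10))
    carried = "\n".join(SAMPLE_LIST.splitlines()[:-1])   # last entry not carried across kexec
    print("list missing post-load entry in sync:", list_in_sync(carried, tpm_pcr10))
```

On a real system the list comes from securityfs and the PCR from sysfs or the TPM directly; the replay logic itself is the same.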

