Message ID | 20190612221549.28399-4-prsriva02@gmail.com (mailing list archive) |
---|---|
State | New, archived |
Series | Add support for measuring the boot command line during kexec_file_load |
On Wed, 12 Jun 2019, Prakhar Srivastava wrote:

> During soft reboot(kexec_file_load) boot cmdline args
> are not measured.Thus the new kernel on load boots with
> an assumption of cold reboot.
>
> This patch makes a call to the ima hook ima_kexec_cmdline,
> added in "Define a new IMA hook to measure the boot command
> line arguments"
> to measure the boot cmdline args into the ima log.
>
> - call ima_kexec_cmdline from kexec_file_load.
> - move the call ima_add_kexec_buffer after the cmdline
> args have been measured.
>
> Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
> ---
>  kernel/kexec_file.c | 9 ++++++---
>  1 file changed, 6 insertions(+), 3 deletions(-)

Reviewed-by: James Morris <jamorris@linux.microsoft.com>

On Thu, 2019-06-13 at 16:26 +0800, Dave Young wrote:
> On 06/12/19 at 06:31pm, Mimi Zohar wrote:
> > [Cc: kexec mailing list]
> >
> > Hi Eric, Dave,
> >
> > On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
> > > During soft reboot(kexec_file_load) boot cmdline args
> > > are not measured.Thus the new kernel on load boots with
> > > an assumption of cold reboot.
> > >
> > > This patch makes a call to the ima hook ima_kexec_cmdline,
> > > added in "Define a new IMA hook to measure the boot command
> > > line arguments"
> > > to measure the boot cmdline args into the ima log.
> > >
> > > - call ima_kexec_cmdline from kexec_file_load.
> > > - move the call ima_add_kexec_buffer after the cmdline
> > > args have been measured.
> > >
> > > Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
> > Cc: Eric W. Biederman <ebiederm@xmission.com>
> > Cc: Dave Young <dyoung@redhat.com>
> >
> > Any chance we could get some Acks?
>
> The ima_* is blackbox functions to me, looks like this patch is trying
> to measure kexec cmdline buffer and save in some ima logs and then add all the
> measure results including those for kernel/initrd to a kexec_buf and pass to 2nd

Right, including the new boot command line measurement.

> kernel.
>
> It should be good and only take effect when IMA enabled. If all the
> assumptions are right:
>
> Acked-by: Dave Young <dyoung@redhat.com>

Thanks, Dave.

On Wed, 2019-06-12 at 15:15 -0700, Prakhar Srivastava wrote:
> During soft reboot(kexec_file_load) boot cmdline args

Any reason for not spelling it out and using the "boot command line"?

> are not measured.Thus the new kernel on load boots with
> an assumption of cold reboot.

Double spaces after a period. What does "boots with an assumption of
cold reboot" mean? Not all systems are booted the same way. Is this
comment relevant?

>
> This patch makes a call to the ima hook ima_kexec_cmdline,
> added in "Define a new IMA hook to measure the boot command
> line arguments"

"added in ..." is unnecessary.

> to measure the boot cmdline args into the ima log.

                                            ^IMA measurement list.

Mimi

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 072b6ee55e3f..b0c724e5d86c 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -198,9 +198,6 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, return ret; image->kernel_buf_len = size; - /* IMA needs to pass the measurement list to the next kernel. */ - ima_add_kexec_buffer(image); - /* Call arch image probe handlers */ ret = arch_kexec_kernel_image_probe(image, image->kernel_buf, image->kernel_buf_len); @@ -241,8 +238,14 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, ret = -EINVAL; goto out; } + + ima_kexec_cmdline(image->cmdline_buf, + image->cmdline_buf_len - 1); } + /* IMA needs to pass the measurement list to the next kernel. */ + ima_add_kexec_buffer(image); + /* Call arch image load handlers */ ldata = arch_kexec_kernel_image_load(image);
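Review bot: In the first hunk (`@@ -198,9 +198,6 @@`), removing `ima_add_kexec_buffer(image)` from in front of `arch_kexec_kernel_image_probe()` means the IMA buffer is now set up only after the probe handler has run. The commit message gives ordering against the command line measurement as the only reason for the move, so it should also confirm that no arch probe handler depends on the IMA buffer having been added before it is called.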
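Review bot: In the second hunk (`@@ -241,8 +238,14 @@`), the length argument `image->cmdline_buf_len - 1` is unexplained. A one-line comment saying what the `- 1` excludes would help, because anyone verifying the measurement later has to hash exactly the same bytes. The new call also sits inside the block that closes with `}` immediately after it, so when that block is skipped nothing is recorded for the command line; the commit message should say whether that is intended. The re-added comment above `ima_add_kexec_buffer(image)` could also state that the call has to stay after `ima_kexec_cmdline()`, so that the command line entry is part of the list handed to the next kernel and the call is not moved back up later.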
During soft reboot(kexec_file_load) boot cmdline args
are not measured.Thus the new kernel on load boots with
an assumption of cold reboot.

This patch makes a call to the ima hook ima_kexec_cmdline,
added in "Define a new IMA hook to measure the boot command
line arguments"
to measure the boot cmdline args into the ima log.

- call ima_kexec_cmdline from kexec_file_load.
- move the call ima_add_kexec_buffer after the cmdline
args have been measured.

Signed-off-by: Prakhar Srivastava <prsriva02@gmail.com>
---
 kernel/kexec_file.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)