| Message ID | 20211224131454.45577-1-bmeneg@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v2] ima: silence measurement list hexdump during kexec | expand |
Hi Bruno, On Fri, 2021-12-24 at 10:14 -0300, Bruno Meneguele wrote: > The measurement list is dumped during a soft reset (kexec) through the call > to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both > DEBUG build flag and CONFIG_DYNAMIC_DEBUG option. Before upstreaming this patch, the reason for the config options "being ignored", if that is really what is happening, needs to be understood and documented here in the patch description. thanks, Mimi > > To honor the above conditions the macro print_hex_dump_debug() should be > used instead, thus depending on the enabled option/flag the output is given > by a different function call or even silenced. > > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
Hi Mimi, On Fri, Dec 24, 2021 at 08:28:01AM -0500, Mimi Zohar wrote: > Hi Bruno, > > On Fri, 2021-12-24 at 10:14 -0300, Bruno Meneguele wrote: > > The measurement list is dumped during a soft reset (kexec) through the call > > to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both > > DEBUG build flag and CONFIG_DYNAMIC_DEBUG option. > > Before upstreaming this patch, the reason for the config options "being > ignored", if that is really what is happening, needs to be understood > and documented here in the patch description. I don't see why the code would intentionally ignore the option, considering that CONFIG_DYNAMIC_DEBUG basically give the user the ability to enable/disable pr_debug/printk(KERN_DEBUG) calls during runtime. Maybe I shouldn't use the word "ignoring" in the description, would it make things clearer? > > thanks, > > Mimi > > > > > To honor the above conditions the macro print_hex_dump_debug() should be > > used instead, thus depending on the enabled option/flag the output is given > > by a different function call or even silenced. > > > > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com> >
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index f799cc278a9a..13753136f03f 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, } memcpy(file.buf, &khdr, sizeof(khdr)); - print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE, - 16, 1, file.buf, - file.count < 100 ? file.count : 100, true); + print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1, + file.buf, file.count < 100 ? file.count : 100, + true); *buffer_size = file.count; *buffer = file.buf;
The measurement list is dumped during a soft reset (kexec) through the call to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both DEBUG build flag and CONFIG_DYNAMIC_DEBUG option. To honor the above conditions the macro print_hex_dump_debug() should be used instead, thus depending on the enabled option/flag the output is given by a different function call or even silenced. Signed-off-by: Bruno Meneguele <bmeneg@redhat.com> --- security/integrity/ima/ima_kexec.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)