@@ -49,6 +49,9 @@ static inline void ima_appraise_parse_cmdline(void) {}
#ifdef CONFIG_IMA_KEXEC
extern void ima_add_kexec_buffer(struct kimage *image);
+extern void ima_kexec_post_load(struct kimage *image);
+#else
+static inline void ima_kexec_post_load(struct kimage *image) {}
#endif
#else
@@ -12,6 +12,8 @@
#include <linux/kexec.h>
#include <linux/of.h>
#include <linux/ima.h>
+#include <linux/reboot.h>
+#include <asm/page.h>
#include "ima.h"
#ifdef CONFIG_IMA_KEXEC
@@ -19,6 +21,7 @@ struct seq_file ima_kexec_file;
struct ima_kexec_hdr ima_khdr;
static size_t kexec_segment_size;
static void *ima_kexec_buffer;
+static bool ima_kexec_update_registered;
void ima_clear_kexec_file(void)
{
@@ -222,6 +225,38 @@ static int ima_update_kexec_buffer(struct notifier_block *self,
return NOTIFY_OK;
}
+struct notifier_block update_buffer_nb = {
+ .notifier_call = ima_update_kexec_buffer,
+};
+
+/*
+ * Create a mapping for the source pages that contain the IMA buffer
+ * so we can update it later.
+ */
+void ima_kexec_post_load(struct kimage *image)
+{
+ if (ima_kexec_buffer) {
+ kimage_unmap_segment(ima_kexec_buffer);
+ ima_kexec_buffer = NULL;
+ }
+
+ if (!image->ima_buffer_addr)
+ return;
+
+ ima_kexec_buffer = kimage_map_segment(image,
+ image->ima_buffer_addr,
+ image->ima_buffer_size);
+ if (!ima_kexec_buffer) {
+ pr_err("%s: Could not map measurements buffer.\n", __func__);
+ return;
+ }
+
+ if (!ima_kexec_update_registered) {
+ register_reboot_notifier(&update_buffer_nb);
+ ima_kexec_update_registered = true;
+ }
+}
+
#endif /* IMA_KEXEC */
/*
The IMA subsystem needs to ensure that the measurement list is up to date during a kexec operation, i.e., when the kernel is rebooted without going through the full system reboot process. Currently, there is no mechanism to update the measurement list when the system is soft booted using kexec. Add a notifier function ima_update_kexec_buffer that is called during a kexec soft reboot. Implement ima_kexec_post_load, which maps the IMA buffer after a kexec load and registers the reboot notifier. Define a new notifier block update_buffer_nb, with ima_update_kexec_buffer as its notifier function. Register the notifier function in ima_kexec_post_load if it hasn't been already, indicated by the ima_kexec_update_registered flag. When a kexec soft reboot is triggered, ima_update_kexec_buffer will be executed to update the IMA buffer. This ensures that the events between kexec 'load' and 'execute' are captured and integrity of measurements remains intact across kexec reboots. Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com> --- include/linux/ima.h | 3 +++ security/integrity/ima/ima_kexec.c | 35 ++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+)