From patchwork Wed Apr 2 12:47:17 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: steven chen X-Patchwork-Id: 14035943 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 12AB823CEE7; Wed, 2 Apr 2025 12:47:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=13.77.154.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743598067; cv=none; b=G3EmwY6Z8BiiMBESsn3SGQFGomR4P2d7jutXoFj/DgH3lRdeZppdc3/QZrVePgTikDeDIPbyMZcHIc40f0tlXddVx4bbw91izYmKp9Qk4T+98kqEloa5veICSQXPGsSVAVz7XXKciaRdSX+i+k9NZD6guI7LpG7lk7DqFymd8G4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1743598067; c=relaxed/simple; bh=T3Hfr90BRed4n5w5wi1LRWAKc4YqrbCTD1TtzLonDDk=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=DhZ4IiaBTytuQZ0aGgoQm43tNhVrNsUoIhvyYltzfyPQRBlFG2bwAm34/6OTxCQkA47JTvxjoiOqKzHMZqbcYQT52eLpmPV6mBQDFLUjMJfA4HsqZfacm35jat6PKfCjO0Jk/A+NZUxs0IyQUeb08wzOHMO+V3YVp4gqzCoPFls= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com; spf=pass smtp.mailfrom=linux.microsoft.com; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b=VWtKRD9h; arc=none smtp.client-ip=13.77.154.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.microsoft.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.microsoft.com header.i=@linux.microsoft.com header.b="VWtKRD9h" Received: from DESKTOP-VOT081N.hsd1.ga.comcast.net (unknown [20.114.144.49]) by linux.microsoft.com (Postfix) with ESMTPSA id CA1142041313; Wed, 2 Apr 2025 05:47:43 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com CA1142041313 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1743598065; bh=zDG3eUVOxWNYbh+dKB76Ss704ucd6Sf4P9j4KBe+zSk=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=VWtKRD9hs4KfHbL785HIVTK2K+oSUajcz5knH7cam+io/9ERQFTln+MaK6zxgpUe8 w+p4RRlXVLVHs3C0yt5qquaQWKblcp+FyQYDEIjUP1k/S1RPRdrhUVpUxu5wy1rLNP 4PStfWXTyTP+uHwUZx0zrzoGkf1x2LZW3D8TbnQs= From: steven chen To: zohar@linux.ibm.com, stefanb@linux.ibm.com, roberto.sassu@huaweicloud.com, roberto.sassu@huawei.com, eric.snowberg@oracle.com, ebiederm@xmission.com, paul@paul-moore.com, code@tyhicks.com, bauermann@kolabnow.com, linux-integrity@vger.kernel.org, kexec@lists.infradead.org, linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org Cc: madvenka@linux.microsoft.com, nramas@linux.microsoft.com, James.Bottomley@HansenPartnership.com, bhe@redhat.com, vgoyal@redhat.com, dyoung@redhat.com Subject: [PATCH v11 4/9] ima: kexec: skip IMA segment validation after kexec soft reboot Date: Wed, 2 Apr 2025 05:47:17 -0700 Message-ID: <20250402124725.5601-5-chenste@linux.microsoft.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20250402124725.5601-1-chenste@linux.microsoft.com> References: <20250402124725.5601-1-chenste@linux.microsoft.com> Precedence: bulk X-Mailing-List: linux-integrity@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The kexec_calculate_store_digests() function calculates and stores the digest of the segment during the kexec_file_load syscall, where the IMA segment is also allocated. With this series, the IMA segment will be updated with the measurement log at the kexec execute stage when a soft reboot is initiated. Therefore, the digests should be updated for the IMA segment in the normal case. The content of memory segments carried over to the new kernel during the kexec systemcall can be changed at kexec 'execute' stage, but the size and the location of the memory segments cannot be changed at kexec 'execute' stage. However, during the kexec execute stage, if kexec_calculate_store_digests() API is called to update the digest, it does not reuse the same memory segment allocated during the kexec 'load' stage and the new memory segment required cannot be transferred/mapped to the new kernel. As a result, digest verification will fail in verify_sha256_digest() after a kexec soft reboot into the new kernel. Therefore, the digest calculation/verification of the IMA segment needs to be skipped. To address this, skip the calculation and storage of the digest for the IMA segment in kexec_calculate_store_digests() so that it is not added to the purgatory_sha_regions. Since verify_sha256_digest() only verifies 'purgatory_sha_regions', no change is needed in verify_sha256_digest() in this context. With this change, the IMA segment is not included in the digest calculation, storage, and verification. Signed-off-by: Tushar Sugandhi Cc: Eric Biederman Cc: Baoquan He Cc: Vivek Goyal Cc: Dave Young Signed-off-by: steven chen Reviewed-by: Stefan Berger Reviewed-by: Mimi Zohar Acked-by: Baoquan He --- include/linux/kexec.h | 3 +++ kernel/kexec_file.c | 22 ++++++++++++++++++++++ security/integrity/ima/ima_kexec.c | 3 +++ 3 files changed, 28 insertions(+) diff --git a/include/linux/kexec.h b/include/linux/kexec.h index 7d6b12f8b8d0..107e726f2ef3 100644 --- a/include/linux/kexec.h +++ b/include/linux/kexec.h @@ -362,6 +362,9 @@ struct kimage { phys_addr_t ima_buffer_addr; size_t ima_buffer_size; + + unsigned long ima_segment_index; + bool is_ima_segment_index_set; #endif /* Core ELF header buffer */ diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 3eedb8c226ad..606132253c79 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -38,6 +38,21 @@ void set_kexec_sig_enforced(void) } #endif +#ifdef CONFIG_IMA_KEXEC +static bool check_ima_segment_index(struct kimage *image, int i) +{ + if (image->is_ima_segment_index_set && i == image->ima_segment_index) + return true; + else + return false; +} +#else +static bool check_ima_segment_index(struct kimage *image, int i) +{ + return false; +} +#endif + static int kexec_calculate_store_digests(struct kimage *image); /* Maximum size in bytes for kernel/initrd files. */ @@ -764,6 +779,13 @@ static int kexec_calculate_store_digests(struct kimage *image) if (ksegment->kbuf == pi->purgatory_buf) continue; + /* + * Skip the segment if ima_segment_index is set and matches + * the current index + */ + if (check_ima_segment_index(image, i)) + continue; + ret = crypto_shash_update(desc, ksegment->kbuf, ksegment->bufsz); if (ret) diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index b12ac3619b8f..7e0a19c3483f 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -145,6 +145,7 @@ void ima_add_kexec_buffer(struct kimage *image) kbuf.buffer = kexec_buffer; kbuf.bufsz = kexec_buffer_size; kbuf.memsz = kexec_segment_size; + image->is_ima_segment_index_set = false; ret = kexec_add_buffer(&kbuf); if (ret) { pr_err("Error passing over kexec measurement buffer.\n"); @@ -155,6 +156,8 @@ void ima_add_kexec_buffer(struct kimage *image) image->ima_buffer_addr = kbuf.mem; image->ima_buffer_size = kexec_segment_size; image->ima_buffer = kexec_buffer; + image->ima_segment_index = image->nr_segments - 1; + image->is_ima_segment_index_set = true; kexec_dprintk("kexec measurement buffer for the loaded kernel at 0x%lx.\n", kbuf.mem);