From patchwork Tue Sep 6 14:03:00 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Mimi Zohar X-Patchwork-Id: 9317043 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 785C360869 for ; Tue, 6 Sep 2016 14:05:07 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 69E422841E for ; Tue, 6 Sep 2016 14:05:07 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 5F0C2287E6; Tue, 6 Sep 2016 14:05:07 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=unavailable version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5F475284CB for ; Tue, 6 Sep 2016 14:05:04 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S933062AbcIFODp (ORCPT ); Tue, 6 Sep 2016 10:03:45 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:45513 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1756586AbcIFODk (ORCPT ); Tue, 6 Sep 2016 10:03:40 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u86E30MT129221 for ; Tue, 6 Sep 2016 10:03:40 -0400 Received: from e23smtp05.au.ibm.com (e23smtp05.au.ibm.com [202.81.31.147]) by mx0a-001b2d01.pphosted.com with ESMTP id 259vyt8hbu-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Tue, 06 Sep 2016 10:03:39 -0400 Received: from localhost by e23smtp05.au.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 7 Sep 2016 00:03:36 +1000 Received: from d23dlp01.au.ibm.com (202.81.31.203) by e23smtp05.au.ibm.com (202.81.31.211) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Wed, 7 Sep 2016 00:03:35 +1000 X-IBM-Helo: d23dlp01.au.ibm.com X-IBM-MailFrom: zohar@linux.vnet.ibm.com X-IBM-RcptTo: linux-kernel@vger.kernel.org; linux-security-module@vger.kernel.org Received: from d23relay08.au.ibm.com (d23relay08.au.ibm.com [9.185.71.33]) by d23dlp01.au.ibm.com (Postfix) with ESMTP id 804402CE8054; Wed, 7 Sep 2016 00:03:34 +1000 (EST) Received: from d23av01.au.ibm.com (d23av01.au.ibm.com [9.190.234.96]) by d23relay08.au.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id u86E3YHx49610836; Wed, 7 Sep 2016 00:03:34 +1000 Received: from d23av01.au.ibm.com (localhost [127.0.0.1]) by d23av01.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVout) with ESMTP id u86E3Xmn027991; Wed, 7 Sep 2016 00:03:34 +1000 Received: from localhost.localdomain.localdomain ([9.80.90.205]) by d23av01.au.ibm.com (8.14.4/8.14.4/NCO v10.0 AVin) with ESMTP id u86E38eS027443; Wed, 7 Sep 2016 00:03:30 +1000 From: Mimi Zohar To: linux-security-module Cc: Thiago Jung Bauermann , linux-ima-devel@lists.sourceforge.net, Dave Young , kexec@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Andrew Morton , Mimi Zohar Subject: [PATCH v3 5/9] ima: on soft reboot, save the measurement list Date: Tue, 6 Sep 2016 10:03:00 -0400 X-Mailer: git-send-email 2.1.0 In-Reply-To: <1473170584-15094-1-git-send-email-zohar@linux.vnet.ibm.com> References: <1473170584-15094-1-git-send-email-zohar@linux.vnet.ibm.com> X-TM-AS-MML: disable X-Content-Scanned: Fidelis XPS MAILER x-cbid: 16090614-0016-0000-0000-000001C8B92D X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 16090614-0017-0000-0000-0000055DE2B4 Message-Id: <1473170584-15094-6-git-send-email-zohar@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-09-06_05:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1604210000 definitions=main-1609060219 Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Thiago Jung Bauermann This patch uses the kexec buffer passing mechanism to pass the serialized IMA binary_runtime_measurements to the next kernel. Changelog v3: - Request a kexec segment for storing the measurement list a half page, not a full page, more than needed for additional measurements. - Added binary_runtime_size overflow test - Limit maximum number of pages needed for kexec_segment_size to half of totalram_pages. (Dave Young) Changelog v2: - Fix build issue by defining a stub ima_add_kexec_buffer and stub struct kimage when CONFIG_IMA=n and CONFIG_IMA_KEXEC=n. (Fenguang Wu) - removed kexec_add_handover_buffer() checksum argument. - added skip_checksum member to kexec_buf - only register reboot notifier once Changelog v1: - updated to call IMA functions (Mimi) - move code from ima_template.c to ima_kexec.c (Mimi) Signed-off-by: Thiago Jung Bauermann Signed-off-by: Mimi Zohar --- include/linux/ima.h | 12 +++++ kernel/kexec_file.c | 4 ++ security/integrity/ima/ima_kexec.c | 96 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 112 insertions(+) diff --git a/include/linux/ima.h b/include/linux/ima.h index 0eb7c2e..7f6952f 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -11,6 +11,7 @@ #define _LINUX_IMA_H #include +#include struct linux_binprm; #ifdef CONFIG_IMA @@ -23,6 +24,10 @@ extern int ima_post_read_file(struct file *file, void *buf, loff_t size, enum kernel_read_file_id id); extern void ima_post_path_mknod(struct dentry *dentry); +#ifdef CONFIG_IMA_KEXEC +extern void ima_add_kexec_buffer(struct kimage *image); +#endif + #else static inline int ima_bprm_check(struct linux_binprm *bprm) { @@ -62,6 +67,13 @@ static inline void ima_post_path_mknod(struct dentry *dentry) #endif /* CONFIG_IMA */ +#ifndef CONFIG_IMA_KEXEC +struct kimage; + +static inline void ima_add_kexec_buffer(struct kimage *image) +{} +#endif + #ifdef CONFIG_IMA_APPRAISE extern void ima_inode_post_setattr(struct dentry *dentry); extern int ima_inode_setxattr(struct dentry *dentry, const char *xattr_name, diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c index 0e90d14..9585861 100644 --- a/kernel/kexec_file.c +++ b/kernel/kexec_file.c @@ -19,6 +19,7 @@ #include #include #include +#include #include #include #include @@ -200,6 +201,9 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd, return ret; image->kernel_buf_len = size; + /* IMA needs to pass the measurement list to the next kernel. */ + ima_add_kexec_buffer(image); + /* Call arch image probe handlers */ ret = arch_kexec_kernel_image_probe(image, image->kernel_buf, image->kernel_buf_len); diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index e77ca9d..04a2e71 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -23,6 +23,11 @@ #include "ima.h" +#ifdef CONFIG_IMA_KEXEC +/* Physical address of the measurement buffer in the next kernel. */ +static unsigned long kexec_buffer_load_addr; +static size_t kexec_segment_size; + static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, unsigned long segment_size) { @@ -75,6 +80,97 @@ out: } /* + * Called during kexec execute so that IMA can save the measurement list. + */ +static int ima_update_kexec_buffer(struct notifier_block *self, + unsigned long action, void *data) +{ + void *kexec_buffer = NULL; + size_t kexec_buffer_size; + int ret; + + if (!kexec_in_progress) + return NOTIFY_OK; + + kexec_buffer_size = ima_get_binary_runtime_size(); + if (kexec_buffer_size > kexec_segment_size) { + pr_err("Binary measurement list grew too large.\n"); + goto out; + } + + ima_dump_measurement_list(&kexec_buffer_size, &kexec_buffer, + kexec_segment_size); + if (!kexec_buffer) { + pr_err("Not enough memory for the kexec measurement buffer.\n"); + goto out; + } + ret = kexec_update_segment(kexec_buffer, kexec_buffer_size, + kexec_buffer_load_addr, kexec_segment_size); + if (ret) + pr_err("Error updating kexec buffer: %d\n", ret); +out: + return NOTIFY_OK; +} + +struct notifier_block update_buffer_nb = { + .notifier_call = ima_update_kexec_buffer, +}; + +/* + * Called during kexec_file_load so that IMA can add a segment to the kexec + * image for the measurement list for the next kernel. + */ +void ima_add_kexec_buffer(struct kimage *image) +{ + static int registered; + struct kexec_buf kbuf = { .image = image, .buf_align = PAGE_SIZE, + .buf_min = 0, .buf_max = ULONG_MAX, + .top_down = true, .skip_checksum = true }; + unsigned long binary_runtime_size; + int ret; + + if (!kexec_can_hand_over_buffer()) + return; + + /* + * Reserve at least an extra half page of memory for additional + * measurements between kexec load and execute. + */ + binary_runtime_size = ima_get_binary_runtime_size(); + if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE) + kexec_segment_size = ULONG_MAX; + else + kexec_segment_size = ALIGN(ima_get_binary_runtime_size() + + PAGE_SIZE / 2, PAGE_SIZE); + if ((kexec_segment_size == ULONG_MAX) || + ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages / 2)) { + pr_err("Binary measurement list too large.\n"); + return; + } + + /* Ask not to checksum the segment, we will update it later. */ + kbuf.buffer = NULL; + kbuf.bufsz = 0; + kbuf.memsz = kexec_segment_size; + ret = kexec_add_handover_buffer(&kbuf); + if (ret) { + pr_err("Error passing over kexec measurement buffer.\n"); + return; + } + kexec_buffer_load_addr = kbuf.mem; + + pr_debug("kexec measurement buffer for the loaded kernel at 0x%lx.\n", + kexec_buffer_load_addr); + + if (registered) + return; + + register_reboot_notifier(&update_buffer_nb); + registered = 1; +} +#endif /* IMA_KEXEC */ + +/* * Restore the measurement list from the previous kernel. */ void ima_load_kexec_buffer(void)