Message ID | 20250304190351.96975-8-chenste@linux.microsoft.com (mailing list archive) |
---|---|
State | Handled Elsewhere |
Headers | show |
Series | ima: kexec: measure events between kexec load and execute | expand |
Hi Steven, On Tue, 2025-03-04 at 11:03 -0800, steven chen wrote: > +void ima_measure_kexec_event(const char *event_name) > +{ > + char ima_kexec_event[IMA_KEXEC_EVENT_LEN]; > + size_t buf_size = 0; > + long len; > + > + buf_size = ima_get_binary_runtime_size(); > + len = atomic_long_read(&ima_htable.len); > + > + int n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, > + "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;" > + "ima_runtime_measurements_count=%ld;", > + kexec_segment_size, buf_size, len); Variables should not be defined inline, but at the beginning of the function. After doing that, scripts/checkpatch.pl complains about the formatting. Mimi > + > + ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0); > +} > +
On 3/4/2025 4:25 PM, Mimi Zohar wrote: > Hi Steven, > > On Tue, 2025-03-04 at 11:03 -0800, steven chen wrote: >> +void ima_measure_kexec_event(const char *event_name) >> +{ >> + char ima_kexec_event[IMA_KEXEC_EVENT_LEN]; >> + size_t buf_size = 0; >> + long len; >> + >> + buf_size = ima_get_binary_runtime_size(); >> + len = atomic_long_read(&ima_htable.len); >> + >> + int n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, >> + "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;" >> + "ima_runtime_measurements_count=%ld;", >> + kexec_segment_size, buf_size, len); > Variables should not be defined inline, but at the beginning of the function. > After doing that, scripts/checkpatch.pl complains about the formatting. > > Mimi Hi Mimi, I will update it in next release. Thanks, Steven >> + >> + ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0); >> +} >> +
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 4428fcf42167..1452c98242a4 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -240,6 +240,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key, unsigned long flags, bool create); #endif +#ifdef CONFIG_IMA_KEXEC +void ima_measure_kexec_event(const char *event_name); +#else +static inline void ima_measure_kexec_event(const char *event_name) {} +#endif + /* * The default binary_runtime_measurements list format is defined as the * platform native format. The canonical format is defined as little-endian. diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c index 9fb1bf5a592a..e40c6da4504c 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -17,6 +17,8 @@ #include "ima.h" #ifdef CONFIG_IMA_KEXEC +#define IMA_KEXEC_EVENT_LEN 256 + static struct seq_file ima_kexec_file; static void *ima_kexec_buffer; static size_t kexec_segment_size; @@ -36,6 +38,23 @@ static void ima_free_kexec_file_buf(struct seq_file *sf) ima_reset_kexec_file(sf); } +void ima_measure_kexec_event(const char *event_name) +{ + char ima_kexec_event[IMA_KEXEC_EVENT_LEN]; + size_t buf_size = 0; + long len; + + buf_size = ima_get_binary_runtime_size(); + len = atomic_long_read(&ima_htable.len); + + int n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, + "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;" + "ima_runtime_measurements_count=%ld;", + kexec_segment_size, buf_size, len); + + ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0); +} + static int ima_alloc_kexec_file_buf(size_t segment_size) { /* @@ -58,6 +77,7 @@ static int ima_alloc_kexec_file_buf(size_t segment_size) out: ima_kexec_file.read_pos = 0; ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */ + ima_measure_kexec_event("kexec_load"); return 0; } diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c index 3dfd178d4292..6afb46989cf6 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -241,6 +241,11 @@ static int ima_reboot_notifier(struct notifier_block *nb, unsigned long action, void *data) { +#ifdef CONFIG_IMA_KEXEC + if (action == SYS_RESTART && data && !strcmp(data, "kexec reboot")) + ima_measure_kexec_event("kexec_execute"); +#endif + ima_measurements_suspend(); return NOTIFY_DONE;