On 1/12/21 10:05 AM, Mimi Zohar wrote:
On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the kernel in the kexec call
may also be measured by IMA. A remote attestation service can verify
a TPM quote based on the TPM event log, the IMA measurement list, and
the TPM PCR data. This can be achieved only if the IMA measurement log
is carried over from the current kernel to the next kernel across
the kexec call.
powerpc already supports carrying forward the IMA measurement log on
kexec. This patch set adds support for carrying forward the IMA
measurement log on kexec on ARM64.
This patch set moves the platform independent code defined for powerpc
such that it can be reused for other platforms as well. A chosen node
"linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
the address and the size of the memory reserved to carry
the IMA measurement log.
This patch set has been tested for ARM64 platform using QEMU.
I would like help from the community for testing this change on powerpc.
Thanks.
This patch set is based on
commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
"dt/kexec" branch.
This all looks good to me. I'd suggest you send the above patches out as
part of this series because I don't plan to do so.
I would like to also resolve the vmalloc vs. kmalloc difference for
allocating the FDT. Then we can further consolidate the DT kexec code.
It all needs some acks from arm64 and powerpc maintainers. As far as
merging, I think via the integrity tree makes the most sense.
Thanks, Rob. Lakshmi, please update Rob's patches to include patch
descriptions before re-posting.
Will do Mimi.
thanks,
-lakshmi