Mimi Zohar <zohar@xxxxxxxxxxxxx> writes:

> On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
>> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> > On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> > may verify the IMA signature of the kernel and initramfs, and measure
>> > it. The command line parameters passed to the kernel in the kexec call
>> > may also be measured by IMA. A remote attestation service can verify
>> > a TPM quote based on the TPM event log, the IMA measurement list, and
>> > the TPM PCR data. This can be achieved only if the IMA measurement log
>> > is carried over from the current kernel to the next kernel across
>> > the kexec call.
>> >
>> > powerpc already supports carrying forward the IMA measurement log on
>> > kexec. This patch set adds support for carrying forward the IMA
>> > measurement log on kexec on ARM64.
>> >
>> > This patch set moves the platform independent code defined for powerpc
>> > such that it can be reused for other platforms as well. A chosen node
>> > "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> > the address and the size of the memory reserved to carry
>> > the IMA measurement log.
>> >
>> > This patch set has been tested for ARM64 platform using QEMU.
>> > I would like help from the community for testing this change on powerpc.
>> > Thanks.
>> >
>> > This patch set is based on
>> > commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
>> > in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
>> > "dt/kexec" branch.
>>
>> This all looks good to me. I'd suggest you send the above patches out as
>> part of this series because I don't plan to do so.
>>
>> I would like to also resolve the vmalloc vs. kmalloc difference for
>> allocating the FDT. Then we can further consolidate the DT kexec code.
>>
>> It all needs some acks from arm64 and powerpc maintainers. As far as
>> merging, I think via the integrity tree makes the most sense.
>
> Thanks, Rob. Lakshmi, please update Rob's patches to include patch
> descriptions before re-posting.

Also please update the powerpc mailing list address to
linuxppc-dev@xxxxxxxxxxxxxxxx

--
Thiago Jung Bauermann
IBM Linux Technology Center