Hi, Mimi

On 12/25/15 at 09:45am, Mimi Zohar wrote:
> On Fri, 2015-12-25 at 13:33 +0800, Dave Young wrote:
> > Hi, Mimi
> >
> > CCing kexec list, not all kexec people subscribed to IMA list.
> > I just subscribed to it since Vivek CCed me last time about the V1 of this
> > series.
>
> Thanks!
>
> > On 12/23/15 at 06:55pm, Mimi Zohar wrote:
> > > This patch defines a new IMA hook ima_hash_and_process_file() for
> > > measuring and appraising files read by the kernel. The caller loads
> > > the file into memory before calling this function, which calculates
> > > the hash followed by the normal IMA policy based processing.
> > >
> > > Two new IMA policy functions named KEXEC_CHECK and INITRAMFS_CHECK
> > > are defined for measuring, appraising or auditing the kexec image
> > > and initramfs.
> >
> > Could you help us understand why do we need it first.
>
> IMA can be viewed as extending secure and trusted boot to the running
> system in a uniform and consistent manner. As files are accessed,
> based on policy, IMA measures them, appends the file measurements to the
> running measurement list (<securityfs>/ima/ascii_runtime_measurements)
> and appraises the file's integrity, based on either the file's hash or
> signature, which are stored as extended attributes in "security.ima".
>
> There are still a couple of file measurement and appraisal gaps that
> need to be closed.
>
> > I think I do not really understand the purpose of the IMA handling
> > about kexec kernel and initramfs.
>
> One of those measurement and appraisal gaps are files that are read by
> the kernel, like the kexec image and initramfs.
>
> [There is a lot of code duplication in the kernel for reading a file and
> verifying its signature. Each place does it just a bit differently
> than the other. I'm working with Luis Rodriguez on defining a single,
> common function - https://lkml.org/lkml/2015/12/21/478.]
>
> > * Does the files in disk space have already contains some hash values
> > and when kernel load it IMA functions will do some checking? But seems I do not
> > see such handling..
>
> IMA sits on a number of the LSM hooks, where they exist, and in other
> places defines its own hook. This patch set defines a new IMA hook for
> measuring and appraising files being read by the kernel.
>
> > * Does it try to calculate the hash of the file buffer after copying,
>
> IMA calculates the file hash, in this case, based on the buffer
> contents. The hash is calculated once and used for both measurement
> and appraisal. If the file integrity appraisal fails (eg. hash
> comparison or signature failure), IMA prevents the kexec files from
> being used.
>

Ok, thanks for the explanation. But I have another question, why do we need
a special hook for KEXEC? Shouldn't all files use same way to do the
measurement and appraisal?

Thanks
Dave
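
The flow discussed in the thread (hash the in-memory buffer once, then use that digest for both the measurement-list lookup and the appraisal comparison), as an added user-space sketch that is not part of the thread or the patch set. It assumes measurement-list lines in the `ima-ng` template layout (PCR, template hash, template name, `algo:digest`, path) and a reference hash passed as an `algo:hex` string standing in for the value stored in "security.ima"; the buffers, path and template-hash fields are constructed.

```python
import hashlib
import hmac

def parse_measurements(text):
    """Parse ima-ng lines from ascii_runtime_measurements into dicts."""
    entries = []
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) != 5 or parts[2] != "ima-ng" or ":" not in parts[3]:
            continue  # other templates are out of scope for this sketch
        algo, digest = parts[3].split(":", 1)
        entries.append({"pcr": int(parts[0]), "algo": algo,
                        "digest": digest.lower(), "path": parts[4]})
    return entries

def check_buffer(buf, path, entries, reference=None):
    """Hash buf once per algorithm and reuse the digest for both checks."""
    cache = {}

    def digest(algo):
        if algo not in cache:
            cache[algo] = hashlib.new(algo, buf).hexdigest()
        return cache[algo]

    # Measurement: is this exact content recorded for this path?
    measured = any(e["path"] == path and e["digest"] == digest(e["algo"])
                   for e in entries)
    # Appraisal: does the content match the stored reference hash?
    appraised = None
    if reference is not None:
        algo, want = reference.split(":", 1)
        appraised = hmac.compare_digest(digest(algo), want.lower())
    return {"measured": measured, "appraised": appraised}

# Constructed sample data: a stand-in kexec image and a tampered copy.
KERNEL = b"constructed kexec image"
TAMPERED = KERNEL + b"!"
PATH = "/boot/vmlinuz-test"  # hypothetical path
REF = "sha256:" + hashlib.sha256(KERNEL).hexdigest()
SAMPLE = "\n".join([
    "10 " + "0" * 40 + " ima-ng sha1:" + "1" * 40 + " boot_aggregate",
    "10 " + "0" * 40 + " ima-ng " + REF + " " + PATH,
])

if __name__ == "__main__":
    entries = parse_measurements(SAMPLE)
    print(check_buffer(KERNEL, PATH, entries, REF))
    print(check_buffer(TAMPERED, PATH, entries, REF))
```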