Hi Dave, On Wed, 2016-06-22 at 09:20 +0800, Dave Young wrote: > On 06/20/16 at 10:44pm, Thiago Jung Bauermann wrote: > > Hello, > > > > This patch series implements a mechanism which allows the kernel to pass on > > a buffer to the kernel that will be kexec'd. This buffer is passed as a > > segment which is added to the kimage when it is being prepared by > > kexec_file_load. > > > > How the second kernel is informed of this buffer is architecture-specific. > > On PowerPC, this is done via the device tree, by checking the properties > > /chosen/linux,kexec-handover-buffer-start and > > /chosen/linux,kexec-handover-buffer-end, which is analogous to how the > > kernel finds the initrd. > > > > This feature was implemented because the Integrity Measurement Architecture > > subsystem needs to preserve its measurement list accross the kexec reboot. > > This is so that IMA can implement trusted boot support on the OpenPower > > platform, because on such systems an intermediary Linux instance running as > > part of the firmware is used to boot the target operating system via kexec. > > Using this mechanism, IMA on this intermediary instance can hand over to the > > target OS the measurements of the components that were used to boot it. > > We have CONFIG_KEXEC_VERIFY_SIG, why not verifying the kernel to be > loaded instead? I feel IMA should rebuild its measurement instead of > passing it to another kernel. Kexec reboot is also a reboot. If we have > to preserve something get from firmware we can do it, but other than > that I think it sounds not a good idea. The signature verification is needed for secure boot. Carrying the IMA measurement list across kexec is needed for trusted boot. In this case, the boot loader is Linux, which needs to carry the measurements, stored in memory, across kexec to the target system. The kernel_read_file_from_fd() calls the pre and post security kernel_read hooks. These hooks can verify file signatures, store measurements in the IMA measurement list and extend the TPM. To enable both measuring and appraising (signature verification) of the kernel image and the initramfs, include the following rules in the IMA policy: measure func=KEXEC_KERNEL_CHECK appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig # measure func=KEXEC_INITRAMFS_CHECK appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig Thiago's path set provides the means for carrying the trusted boot measurements across kexec. Mimi
