Hello, prsriva <prsriva@xxxxxxxxxxxxxxxxxxx> writes: > On 9/19/19 8:07 PM, Thiago Jung Bauermann wrote: >> Hello Prakhar, >> >> Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx> writes: >> >>> diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig >>> index 3adcec05b1f6..f39b12dbf9e8 100644 >>> --- a/arch/arm64/Kconfig >>> +++ b/arch/arm64/Kconfig >>> @@ -976,6 +976,13 @@ config KEXEC_VERIFY_SIG >>> verification for the corresponding kernel image type being >>> loaded in order for this to work. >>> >>> +config HAVE_IMA_KEXEC >>> + bool "Carry over IMA measurement log during kexec_file_load() syscall" >>> + depends on KEXEC_FILE >>> + help >>> + Select this option to carry over IMA measurement log during >>> + kexec_file_load. >>> + >>> config KEXEC_IMAGE_VERIFY_SIG >>> bool "Enable Image signature verification support" >>> default y >> This is not right. As it stands, HAVE_IMA_KEXEC is essentially a synonym >> for IMA_KEXEC. >> >> It's not meant to be user-visible in the config process. Instead, it's >> meant to be selected by the arch Kconfig (probably by the ARM64 config >> symbol) to signal to IMA's Kconfig that it can offer the IMA_KEXEC >> option. >> >> I also mentioned in my previous review that config HAVE_IMA_KEXEC should >> be defined in arch/Kconfig, not separately in both arch/arm64/Kconfig >> and arch/powerpc/Kconfig. > > I see the entry exists in arch/Kconfig and is overwritten. > I will remove entries both from powerpc and arm64. > > How do i cross-compile for powerpc? There are some instructions here: https://github.com/linuxppc/wiki/wiki/Building-powerpc-kernels >>> diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h >>> new file mode 100644 >>> index 000000000000..e23cee84729f >>> --- /dev/null >>> +++ b/arch/arm64/include/asm/ima.h >>> @@ -0,0 +1,29 @@ >>> +/* SPDX-License-Identifier: GPL-2.0 */ >>> +#ifndef _ASM_ARM64_IMA_H >>> +#define _ASM_ARM64_IMA_H >>> + >>> +struct kimage; >>> + >>> +int ima_get_kexec_buffer(void **addr, size_t *size); >>> +int ima_free_kexec_buffer(void); >>> + >>> +#ifdef CONFIG_IMA >>> +void remove_ima_buffer(void *fdt, int chosen_node); >>> +#else >>> +static inline void remove_ima_buffer(void *fdt, int chosen_node) {} >>> +#endif >> I mentioned in my previous review that remove_ima_buffer() should exist >> even if CONFIG_IMA isn't set. Did you arrive at a different conclusion? > > I made the needed changed in makefile, missed removing the > > configs here. Thanks for pointing this out. Thanks. -- Thiago Jung Bauermann IBM Linux Technology Center _______________________________________________ kexec mailing list kexec@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/kexec
