On Wed, 14 Feb 2024 07:38:24 -0800 Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx> wrote: > ima_dump_measurement_list() is called during kexec 'load', which may > result in loss of IMA measurements during kexec soft reboot. It needs > to be called during kexec 'execute'. > > This patch includes the following changes: > - Call kimage_file_post_load() from kexec_file_load() syscall only for > kexec soft reboot scenarios and not for KEXEC_FILE_ON_CRASH. It will > map the IMA segment, and register reboot notifier for the function > ima_update_kexec_buffer() which would copy the IMA log at kexec soft > reboot. > - Make kexec_segment_size variable local static to the file, for it to be > accessible both during kexec 'load' and 'execute'. > - Move ima_dump_measurement_list() call from ima_add_kexec_buffer() > to ima_update_kexec_buffer(). > - Remove ima_reset_kexec_file() call from ima_add_kexec_buffer(), now > that the buffer is being copied at kexec 'execute', and resetting the > file at kexec 'load' will corrupt the buffer. > > Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx> > --- > kernel/kexec_file.c | 3 ++ > security/integrity/ima/ima_kexec.c | 45 +++++++++++++++++++----------- > 2 files changed, 32 insertions(+), 16 deletions(-) > > diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c > index fe59cb7c179d..2d5df320c34f 100644 > --- a/kernel/kexec_file.c > +++ b/kernel/kexec_file.c > @@ -410,6 +410,9 @@ SYSCALL_DEFINE5(kexec_file_load, int, kernel_fd, int, initrd_fd, > > kimage_terminate(image); > > + if (!(flags & KEXEC_FILE_ON_CRASH)) > + kimage_file_post_load(image); > + > ret = machine_kexec_post_load(image); > if (ret) > goto out; > diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c > index 1d4d6c122d82..98fc9b9782a2 100644 > --- a/security/integrity/ima/ima_kexec.c > +++ b/security/integrity/ima/ima_kexec.c 
> @@ -19,6 +19,7 @@ > #ifdef CONFIG_IMA_KEXEC > static struct seq_file ima_kexec_file; > static void *ima_kexec_buffer; > +static size_t kexec_segment_size; > static bool ima_kexec_update_registered; > > static void ima_reset_kexec_file(struct seq_file *sf) > @@ -129,7 +130,6 @@ void ima_add_kexec_buffer(struct kimage *image) > /* use more understandable variable names than defined in kbuf */ > void *kexec_buffer = NULL; > size_t kexec_buffer_size; > - size_t kexec_segment_size; > int ret; > > /* > @@ -154,14 +154,6 @@ void ima_add_kexec_buffer(struct kimage *image) > return; > } > > - ret = ima_dump_measurement_list(&kexec_buffer_size, &kexec_buffer, > - kexec_segment_size); > - if (ret < 0) { > - pr_err("%s: Failed to dump IMA measurements. Error:%d.\n", > - __func__, ret); > - return; > - } > - After removing these lines... > kbuf.buffer = kexec_buffer; > kbuf.bufsz = kexec_buffer_size; ^^^^^^^^^^^^^^^^^ ... kexec_buffer_size is uninitialized here. Petr T
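Review bot: In the kernel/kexec_file.c hunk, kimage_file_post_load(image) is called before machine_kexec_post_load(image), whose failure takes the `goto out` path. The commit message says kimage_file_post_load() maps the IMA segment and registers a reboot notifier, so the patch should either move the call after the `if (ret) goto out;` check or undo the mapping and notifier on that error path. The result of the call is also not checked; if kimage_file_post_load() can fail, handle that or add a comment explaining why it is safe to ignore.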
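Review bot: The new file-scope `static size_t kexec_segment_size;` in the first ima_kexec.c hunk lacks the `ima_` prefix that its neighbours carry (ima_kexec_file, ima_kexec_buffer, ima_kexec_update_registered) and has no comment on where it is written and read. Since it now carries state from kexec 'load' to kexec 'execute', give it a prefixed name and a one-line comment stating which path sets it and which path consumes it.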
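Review bot: In the last ima_add_kexec_buffer() hunk, with the ima_dump_measurement_list() call removed nothing in the visible lines assigns kexec_buffer_size, and kexec_buffer keeps its NULL initializer from `void *kexec_buffer = NULL;`, yet both are still stored by `kbuf.buffer = kexec_buffer;` and `kbuf.bufsz = kexec_buffer_size;`. Set kbuf.buffer and kbuf.bufsz from values that are actually known at load time, or initialize kexec_buffer_size at its declaration, and drop the two locals if nothing else in the function needs them.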