On Fri, 2019-03-22 at 17:27 +0000, Prakhar Srivastava wrote:
> Hi,
>
> Currently the kexec (kexec_file_load) code path does not measure the cmdline
> arguments passed to the next kernel. The boot_aggregate won't change since
> the EFI loader hasn't been triggered. Attesting the same in K2 has no impact.
> Adding the cmdline measurement will add some attestable criteria.
>
> To account for the cmdline passed, we are looking at using IMA to measure and
> pass the buffer so that it can be attested.
>
> Do you have any alternate solutions/concerns with this approach?

I started looking at this a couple of years ago, but haven't had time. I
definitely don't have problems with extending IMA to measure the boot
command line.

Mimi
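A verifier-side check for the measurement proposed in the thread, as an added example (not code from the thread or from the kernel): it assumes the ascii_runtime_measurements line layout of the ima-buf template (`<pcr> <template-hash> ima-buf <algo>:<digest> <name> <hex-buffer>`) and a `kexec-cmdline` entry name, and the log lines and template hashes below are constructed placeholders.

```python
import hashlib

# Constructed expected cmdline the attestation policy wants to see.
EXPECTED_CMDLINE = b"BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet"


def make_entry(name: str, buf: bytes, pcr: int = 10) -> str:
    """Build one constructed ima-buf style log line (template hash is a placeholder)."""
    digest = hashlib.sha256(buf).hexdigest()
    return f"{pcr} {'0' * 40} ima-buf sha256:{digest} {name} {buf.hex()}"


# Constructed sample measurement list: a boot_aggregate entry (ima-ng
# layout, placeholder digest) followed by the kexec cmdline measurement.
SAMPLE_LOG = "\n".join([
    "10 " + "0" * 40 + " ima-ng sha256:" + "1" * 64 + " boot_aggregate",
    make_entry("kexec-cmdline", EXPECTED_CMDLINE),
])


def parse_buf_entries(log_text: str) -> list:
    """Return the ima-buf entries of an ascii measurement list; other templates are skipped."""
    entries = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "ima-buf":
            continue
        algo, _, hexdigest = parts[3].partition(":")
        entries.append({"pcr": int(parts[0]), "algo": algo, "digest": hexdigest,
                        "name": parts[4], "buf": bytes.fromhex(parts[5])})
    return entries


def verify_kexec_cmdline(log_text: str, expected: bytes) -> tuple:
    """Check that a kexec-cmdline measurement exists, is self-consistent, and equals `expected`."""
    matches = [e for e in parse_buf_entries(log_text) if e["name"] == "kexec-cmdline"]
    if not matches:
        return False, "no kexec-cmdline measurement present"
    for e in matches:
        # The recorded digest must be the hash of the recorded buffer ...
        if hashlib.new(e["algo"], e["buf"]).hexdigest() != e["digest"]:
            return False, "buffer does not match recorded digest"
        # ... and the buffer must be the cmdline the policy expects.
        if e["buf"] != expected:
            return False, "measured cmdline differs from expected"
    return True, "ok"
```

A real verifier would additionally replay the template hashes into the PCR and compare against a signed TPM quote; this block only covers the per-entry cmdline check.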