On Mon, 2019-05-20 at 17:06 -0700, Prakhar Srivastava wrote:
> A buffer (cmdline args) measured into ima cannot be appraised
> without already being aware of the buffer contents. Since we
> don't know what cmdline args will be passed (or need to validate
> what was passed) it is not possible to appraise it.
>
> Since hashes are non reversible the raw buffer is needed to
> recompute the hash.
> To regenerate the hash of the buffer and appraise the same
> the contents of the buffer need to be available.
>
> A new template field buf is added to the existing ima template
> fields, which can be used to store/read the buffer itself.
> Two new fields are added to the ima_event_data to carry the
> buf and buf_len whenever necessary.
>
> Updated the process_buffer_measurement call to add the buf
> to the ima_event_data.
> process_buffer_measurement added in "Add a new ima hook
> ima_kexec_cmdline to measure cmdline args"
>
> - Add a new template field 'buf' to be used to store/read
>   the buffer data.
> - Added two new fields to ima_event_data to hold the buf and
>   buf_len [Suggested by Roberto]
> - Updated process_buffer_measurement to add the buffer to
>   ima_event_data

This patch description can be written more concisely. Patch 1/3 in this series introduces measuring the kexec boot command line. This patch defines a new template field for storing the kexec boot command line in the measurement list in order for a remote attestation server to verify.

As mentioned, the first patch description should include a shell command for verifying the digest in the kexec boot command line measurement list record against /proc/cmdline. This patch description should include a shell command showing how to verify the digest based on the new field.

Should the new field in the ascii measurement list be displayed as a string, not hex?

Mimi
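A shell check of the kind asked for above, added here as an example and not part of the thread or of the kernel patches: it assumes a hypothetical ascii measurement-list record layout in which the new field is hex-encoded (the open question in the reply), decodes that field and recomputes sha256 over the bytes so the digest can be verified without knowing the command line in advance.

```sh
#!/bin/sh
# Constructed example: check the digest in an IMA measurement-list record
# against the raw buffer carried in the proposed 'buf' template field.
# Assumed (hypothetical) record layout, modelled on ascii_runtime_measurements:
#   <pcr> <template-hash> <template-name> <algo>:<digest> <event-name> <buf-hex>

sha256_hex() {                    # sha256 of stdin as lowercase hex
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

to_hex() { od -An -v -tx1 | tr -d ' \n'; }   # raw bytes -> hex string

from_hex() {                      # hex string -> raw bytes (POSIX printf only)
    h=$1
    while [ ${#h} -ge 2 ]; do
        b=${h%"${h#??}"}; h=${h#??}   # peel off one byte (two hex digits)
        printf "\\$(printf '%03o' "$((0x$b))")"
    done
    [ -z "$h" ] || { echo "odd-length hex field" >&2; return 1; }
}

# Emulate the record the kernel would emit for a kexec command line.
# Constructed sample only; the template hash is a placeholder string.
make_record() {
    digest=$(printf '%s' "$1" | sha256_hex)
    printf '10 TEMPLATE_HASH_PLACEHOLDER ima-buf sha256:%s kexec-cmdline %s\n' \
        "$digest" "$(printf '%s' "$1" | to_hex)"
}

# Print the decoded buffer so it can be compared with /proc/cmdline by eye.
record_buf() { set -- $1; from_hex "$6"; }

# Return 0 when sha256(buf) equals the recorded digest, 1 on mismatch,
# 2 for a hash algorithm this script does not handle.
verify_record() {
    set -- $1                                 # split the record on whitespace
    algo=${4%%:*}; recorded=${4#*:}; bufhex=$6
    [ "$algo" = sha256 ] || { echo "unsupported algo: $algo" >&2; return 2; }
    actual=$(from_hex "$bufhex" | sha256_hex)
    [ "$actual" = "$recorded" ]
}

# Demo: a good record verifies; the same digest with another buffer does not.
rec=$(make_record 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet')
verify_record "$rec" && echo "digest matches buf: $(record_buf "$rec")"
bad="${rec% *} $(printf '%s' 'root=/dev/sdb1 rw' | to_hex)"
verify_record "$bad" || echo "record with mismatching buf rejected"
```

On a real system the record would come from /sys/kernel/security/ima/ascii_runtime_measurements and the decoded buffer would be compared with /proc/cmdline; the field positions above are an assumption for this example.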