Hi Lakshmi,
On Fri, 2020-11-13 at 11:22 -0800, Lakshmi Ramasubramanian wrote:
> ima_get_kexec_buffer() retrieves the address and size of the buffer
> used for carrying forward the IMA measurement logs on kexec from
> the device tree.
>
> ima_free_kexec_buffer() removes the chosen node namely
> "linux,ima-kexec-buffer" from the device tree, and frees the buffer
> used for carrying forward the IMA measurement logs on kexec.
>
> These functions do not have architecture specific code, but are
> currently limited to powerpc.
>
> Move ima_get_kexec_buffer() and ima_free_kexec_buffer() to ima_kexec.c
> in IMA so that they are accessible for other architectures as well.
This sentence flows from the previous line. No need for separate
paragraphs here.
>
> With the above change the functions in arch/powerpc/kexec/ima.c are
> defined only when the kernel config CONFIG_IMA_KEXEC is enabled.
> Update the Makefile to build arch/powerpc/kexec/ima.c only when
> CONFIG_IMA_KEXEC is enabled and remove "#ifdef CONFIG_IMA_KEXEC"
> in arch/powerpc/kexec/ima.c.
>
> Co-developed-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>
After making the two changes,
Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 121de3e04af2..3f0fa2673dd3 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -9,9 +9,60 @@
>
> #include <linux/seq_file.h>
> #include <linux/vmalloc.h>
> +#include <linux/memblock.h>
> +#include <linux/of.h>
> #include <linux/kexec.h>
> +#include <linux/ima.h>
> #include "ima.h"
>
> +/**
> + * ima_get_kexec_buffer - get IMA buffer from the previous kernel
> + * @addr: On successful return, set to point to the buffer contents.
> + * @size: On successful return, set to the buffer size.
> + *
> + * Return: 0 on success, negative errno on error.
> + */
> +static int ima_get_kexec_buffer(void **addr, size_t *size)
> +{
> + int ret;
> + unsigned long tmp_addr;
> + size_t tmp_size;
> +
> + ret = get_ima_kexec_buffer(NULL, 0, &tmp_addr, &tmp_size);
> + if (ret)
> + return ret;
> +
> + *addr = __va(tmp_addr);
> + *size = tmp_size;
> +
> + return 0;
> +}
> +
> +/**
> + * ima_free_kexec_buffer - free memory used by the IMA buffer
> + */
> +static int ima_free_kexec_buffer(void)
> +{
> + int ret;
> + unsigned long addr;
> + size_t size;
> + struct property *prop;
> +
> + prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
> + if (!prop)
> + return -ENOENT;
> +
> + ret = get_ima_kexec_buffer(NULL, 0, &addr, &size);
> + if (ret)
> + return ret;
> +
> + ret = of_remove_property(of_chosen, prop);
> + if (ret)
> + return ret;
> +
> + return memblock_free(addr, size);
> +}
> +
Please move these functions, after the ifdef below, before the function
where they're used.
Mimi
> #ifdef CONFIG_IMA_KEXEC
> static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
> unsigned long segment_size)
