On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
> > On kexec file load Integrity Measurement Architecture (IMA) subsystem
> > may verify the IMA signature of the kernel and initramfs, and measure
> > it. The command line parameters passed to the kernel in the kexec call
> > may also be measured by IMA. A remote attestation service can verify
> > a TPM quote based on the TPM event log, the IMA measurement list, and
> > the TPM PCR data. This can be achieved only if the IMA measurement log
> > is carried over from the current kernel to the next kernel across
> > the kexec call.
> >
> > powerpc already supports carrying forward the IMA measurement log on
> > kexec. This patch set adds support for carrying forward the IMA
> > measurement log on kexec on ARM64.
> >
> > This patch set moves the platform independent code defined for powerpc
> > such that it can be reused for other platforms as well. A chosen node
> > "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
> > the address and the size of the memory reserved to carry
> > the IMA measurement log.
> >
> > This patch set has been tested for ARM64 platform using QEMU.
> > I would like help from the community for testing this change on powerpc.
> > Thanks.
> >
> > This patch set is based on
> > commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
> > in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
> > "dt/kexec" branch.
>
> This all looks good to me. I'd suggest you send the above patches out as
> part of this series because I don't plan to do so.
>
> I would like to also resolve the vmalloc vs. kmalloc difference for
> allocating the FDT. Then we can further consolidate the DT kexec code.
>
> It all needs some acks from arm64 and powerpc maintainers. As far as
> merging, I think via the integrity tree makes the most sense.
Thanks, Rob. Lakshmi, please update Rob's patches to include patch
descriptions before re-posting.
Mimi
