On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 2/10/21 9:15 AM, Rob Herring wrote:
> > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote:
> >> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> >> may verify the IMA signature of the kernel and initramfs, and measure
> >> it. The command line parameters passed to the kernel in the kexec call
> >> may also be measured by IMA. A remote attestation service can verify
> >> a TPM quote based on the TPM event log, the IMA measurement list, and
> >> the TPM PCR data. This can be achieved only if the IMA measurement log
> >> is carried over from the current kernel to the next kernel across
> >> the kexec call.
> >>
> >> powerpc already supports carrying forward the IMA measurement log on
> >> kexec. This patch set adds support for carrying forward the IMA
> >> measurement log on kexec on ARM64.
> >>
> >> This patch set moves the platform independent code defined for powerpc
> >> such that it can be reused for other platforms as well. A chosen node
> >> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
> >> the address and the size of the memory reserved to carry
> >> the IMA measurement log.
> >>
> >> This patch set has been tested for ARM64 platform using QEMU.
> >> I would like help from the community for testing this change on powerpc.
> >> Thanks.
> >>
> >> This patch set is based on
> >> commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall")
> >> in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
> >> "next-integrity" branch.
> >
> > Is that a hard dependency still? Given this is now almost entirely
> > deleting arch code and adding drivers/of/ code, I was going to apply it.
> >
>
> I tried applying the patches in Linus' mainline branch -
> PATCH #5 0005-powerpc-Move-ima-buffer-fields-to-struct-kimage.patch
> doesn't apply.
>
> But if I apply the dependent patch set (link given below), all the
> patches in this patch set apply fine.
>
> https://patchwork.kernel.org/project/linux-integrity/patch/20210204174951.25771-2-nramas@xxxxxxxxxxxxxxxxxxx/

Ideally, we don't apply the same patch in 2 branches. It looks like
there's a conflict but no real dependence on the above patch (the
ima_buffer part). The conflict seems trivial enough that Linus can
resolve it in the merge window.

Or Mimi can take the whole thing if preferred?

Rob