On Wed, 2022-05-11 at 13:53 -0400, Mimi Zohar wrote:
> Hi Jonathan,
>
> On Wed, 2022-05-11 at 09:59 +0000, Jonathan McDowell wrote:
> > On kexec file load Integrity Measurement Architecture (IMA) subsystem
> > may verify the IMA signature of the kernel and initramfs, and measure
> > it. The command line parameters passed to the kernel in the kexec call
> > may also be measured by IMA. A remote attestation service can verify
> > a TPM quote based on the TPM event log, the IMA measurement list, and
> > the TPM PCR data. This can be achieved only if the IMA measurement log
> > is carried over from the current kernel to the next kernel across
> > the kexec call.
> >
> > powerpc and ARM64 both achieve this using device tree with a
> > "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
> > device tree, so use the setup_data mechanism to pass the IMA buffer to
> > the new kernel.
> >
> > Signed-off-by: Jonathan McDowell <noodles@xxxxxx>

Thanks, Jonathan. The measurement list is now properly being restored
independently of CONFIG_IMA_KEXEC being configured.

> > +++ b/include/linux/ima.h
> > @@ -140,6 +140,9 @@ static inline int ima_measure_critical_data(const char *event_label,
> >
> >  #endif /* CONFIG_IMA */
> >
#ifdef CONFIG_HAVE_IMA_KEXEC
> > +int ima_free_kexec_buffer(void);
> > +int ima_get_kexec_buffer(void **addr, size_t *size);
#endif
>
> Wouldn't moving these function definitions here imply they are
> implemented on all architectures or are using the version in
> drivers/of/kexec.c.

Adding the ifdef around these functions should resolve any issues.

thanks,

Mimi
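Review bot: the two prototypes added at `+int ima_free_kexec_buffer(void);` and `+int ima_get_kexec_buffer(void **addr, size_t *size);` land in include/linux/ima.h with no configuration guard, so every architecture that includes the header sees them as available even where nothing implements them, which is the concern raised in the thread. Wrap the pair in `#ifdef CONFIG_HAVE_IMA_KEXEC` / `#endif` as the inline suggestion shows, so a caller on an architecture without an implementation fails at compile time instead of at link time. The hunk is quoted with its trailing context trimmed, so the `+140,9` count cannot be checked from what is visible here.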
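The remote-attestation step the commit message describes, replaying the IMA measurement list to reproduce the PCR value carried in a TPM quote, as an added example; this is not code from the patch, the thread or the kernel's IMA implementation. It assumes the SHA1 PCR bank, IMA's default PCR 10, and the column layout of the kernel's ascii_runtime_measurements file; the log lines and their template hashes are constructed values. Dropping the entries recorded before the kexec, which is what a verifier sees when the measurement buffer is not carried over, makes the replay disagree with the quoted PCR. The replay also follows the kernel's violation convention, where the list shows an all-zero template hash but the PCR was extended with 0xff bytes.

```python
"""Replay an IMA measurement list into PCR 10 and compare with a quoted PCR.

Added illustration of the attestation-service side; not code from the patch
or the kernel. Assumes the SHA1 bank (the template-hash column of
/sys/kernel/security/ima/ascii_runtime_measurements) and PCR 10.
"""
import hashlib

PCR_SIZE = 20           # SHA1 bank: a PCR starts as 20 zero bytes
IMA_PCR = 10            # IMA's default PCR
VIOLATION_DIGEST = bytes(PCR_SIZE)           # what the list shows on a violation
VIOLATION_EXTEND = b"\xff" * PCR_SIZE        # what the PCR was actually extended with

# Constructed sample lines in ima-ng layout:
#   <pcr> <template-hash> <template-name> <algo>:<file-hash> <path>
# The template and file hashes are made-up values, not real kernel output.
PRE_KEXEC_LOG = """\
10 1d3ab86d2b5f6cee3a63f5b1fa11c2e9d0b7a9f4 ima-ng sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 boot_aggregate
10 0c6f8e4a1b2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f ima-ng sha256:2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae /usr/sbin/kexec
"""
POST_KEXEC_LOG = """\
10 a7f3c9e1d2b4f6a8c0e2d4f6a8b0c2d4e6f8a0b2 ima-ng sha256:fcde2b2edba56bf408601fb721fe9b5c338d10ee429ea04fae5511b68fbf8fb9 /sbin/init
"""


def parse_measurement_list(text):
    """Parse ascii measurement-list lines into dicts; reject malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(maxsplit=4)
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields")
        pcr_str, template_hex, template_name = fields[0], fields[1], fields[2]
        if not pcr_str.isdigit():
            raise ValueError(f"line {lineno}: bad PCR index {pcr_str!r}")
        if len(template_hex) != 2 * PCR_SIZE:
            raise ValueError(f"line {lineno}: template hash is not SHA1-sized")
        try:
            template_hash = bytes.fromhex(template_hex)
        except ValueError:
            raise ValueError(f"line {lineno}: template hash is not hex") from None
        entries.append({
            "pcr": int(pcr_str),
            "template_hash": template_hash,
            "template": template_name,
            "data": fields[3],       # e.g. "sha256:<file hash>"
            "path": fields[4],
        })
    return entries


def extend(pcr, digest):
    """TPM extend for the SHA1 bank: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def replay_pcr(text, pcr_index=IMA_PCR):
    """Replay every entry for pcr_index and return the resulting PCR as hex."""
    pcr = bytes(PCR_SIZE)
    for entry in parse_measurement_list(text):
        if entry["pcr"] != pcr_index:
            continue
        digest = entry["template_hash"]
        if digest == VIOLATION_DIGEST:
            digest = VIOLATION_EXTEND   # violation: list shows zeros, PCR got 0xff
        pcr = extend(pcr, digest)
    return pcr.hex()


def verify_measurement_list(text, quoted_pcr_hex, pcr_index=IMA_PCR):
    """True when replaying the list reproduces the PCR value from the quote."""
    return replay_pcr(text, pcr_index) == quoted_pcr_hex.lower()


if __name__ == "__main__":
    # The quote covers the whole boot: entries from before and after the kexec.
    quoted = replay_pcr(PRE_KEXEC_LOG + POST_KEXEC_LOG)
    print("full list matches quote:     ",
          verify_measurement_list(PRE_KEXEC_LOG + POST_KEXEC_LOG, quoted))
    # Without the carried-over buffer only the post-kexec entries are visible.
    print("post-kexec only matches quote:",
          verify_measurement_list(POST_KEXEC_LOG, quoted))
```

The second check is the failure mode the patch addresses: the PCR value in the quote reflects every extend since power-on, so a list that starts at the kexec'd kernel can never reproduce it, and the verifier has no way to tell a lost log from a tampered one.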