[Add Eric in cc]

On Tue, 4 Jul 2023 at 05:58, Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx> wrote:
>
> The current kernel behavior is that the IMA measurement snapshot is taken
> at kexec 'load' and not at kexec 'execute'. The IMA log is then carried
> over to the new kernel after kexec 'execute'.
>
> Some devices can be configured to call kexec 'load' first, followed
> by kexec 'execute' after some time (as opposed to calling 'load' and
> 'execute' in one single kexec command). In such a scenario, if new IMA
> measurements are added between kexec 'load' and kexec 'execute', the
> TPM PCRs are extended with the IMA events between 'load' and 'execute',
> but those IMA events are not carried over to the new kernel after the
> kexec soft reboot. This results in a mismatch between the TPM PCR quotes
> and the actual IMA measurement list after the device boots into the new
> kexec image. This mismatch results in remote attestation failing for that
> device.
>
> This patch series proposes a solution to this problem by allocating
> the necessary buffer at kexec 'load' time and populating the buffer
> with the IMA measurements at kexec 'execute' time.
>
> The solution includes:
> - addition of new functionality to allocate a buffer to hold IMA
>   measurements at kexec 'load',
>
> - ima functionality to suspend and resume measurements as needed during
>   buffer copy at kexec 'execute',
>
> - ima functionality for mapping the measurement list from the current
>   kernel to the subsequent one,
>
> - necessary changes to the kexec_file_load syscall, enabling it to call
>   the ima functions,
>
> - registering a reboot notifier which gets called during kexec 'execute',
>
> - and removal of deprecated functions.
>
> The modifications proposed in this series ensure the integrity of the IMA
> measurements is preserved across kexec soft reboots, thus significantly
> improving the security of the kernel post kexec soft reboots.
>
> There were previous attempts to fix this issue [1], [2], [3]. But they
> were not merged into the mainline kernel.
>
> We took inspiration from the past work [1] and [2] while working on this
> patch series.
>
> References:
> -----------
>
> [1] [PATCH v2 5/9] ima: on soft reboot, save the measurement list
> https://lore.kernel.org/lkml/1472596811-9596-6-git-send-email-zohar@xxxxxxxxxxxxxxxxxx/
>
> [2] [PATCH v2 4/6] kexec_file: Add mechanism to update kexec segments.
> https://lkml.org/lkml/2016/8/16/577
>
> [3] [PATCH 1/6] kexec_file: Add buffer hand-over support
> https://lore.kernel.org/linuxppc-dev/1466473476-10104-6-git-send-email-bauerman@xxxxxxxxxxxxxxxxxx/T/
>
> Tushar Sugandhi (10):
>   ima: implement function to allocate buffer at kexec load
>   ima: implement function to populate buffer at kexec execute
>   ima: allocate buffer at kexec load to hold ima measurements
>   ima: implement functions to suspend and resume measurements
>   kexec: implement functions to map and unmap segment to kimage
>   ima: update buffer at kexec execute with ima measurements
>   ima: remove function ima_dump_measurement_list
>   ima: implement and register a reboot notifier function to update kexec
>     buffer
>   ima: suspend measurements while the kexec buffer is being copied
>   kexec: update kexec_file_load syscall to call ima_kexec_post_load
>
>  include/linux/ima.h                |   3 +
>  include/linux/kexec.h              |  13 ++
>  kernel/kexec_core.c                |  72 +++++++++-
>  kernel/kexec_file.c                |   7 +
>  kernel/kexec_internal.h            |   1 +
>  security/integrity/ima/ima.h       |   4 +
>  security/integrity/ima/ima_kexec.c | 211 +++++++++++++++++++++++------
>  security/integrity/ima/ima_queue.c |  32 +++++
>  8 files changed, 295 insertions(+), 48 deletions(-)
>
> --
> 2.25.1
>
>
> _______________________________________________
> kexec mailing list
> kexec@xxxxxxxxxxxxxxxxxxx
> http://lists.infradead.org/mailman/listinfo/kexec
>
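As an added illustration (not code from the patch series or from anyone in this thread): the cover letter's failure mode is easiest to see by doing what a remote verifier does, replaying the carried-over IMA measurement list into a software copy of PCR 10 and comparing it with the quoted value. The script below models a sha256 PCR bank, assumes IMA extends PCR 10 (the default), and follows the kernel's rule that a violation entry is logged with an all-zero digest but extends the PCR with 0xff bytes. The events, file names and helper names (`measure`, `kexec_soft_reboot`, `attestation_ok`) are constructed for the example; the TPM is modelled as keeping its PCR value across the soft reboot, which is what makes a load-time snapshot fail when more files are measured before 'execute'.

```python
"""Added example (not from the patch series): replay an IMA measurement list
into a software PCR 10 and compare it with a TPM quote, to show why a log
snapshotted at kexec 'load' fails attestation when more events are measured
before kexec 'execute'.  All events, digests and names here are constructed."""
import hashlib
from typing import List, NamedTuple, Tuple

DIGEST_LEN = 32  # sha256 PCR bank (assumption for this example)
IMA_PCR = 10     # PCR the IMA policy extends by default


class ImaEvent(NamedTuple):
    pcr: int
    template_digest: bytes   # hash of the template data; all zeros marks a violation
    description: str


def pcr_extend(old: bytes, digest: bytes) -> bytes:
    """TPM2 PCR_Extend for one bank: new = H(old || digest)."""
    return hashlib.sha256(old + digest).digest()


def replay(events: List[ImaEvent], pcr_index: int = IMA_PCR) -> bytes:
    """Recompute the PCR a verifier expects from a measurement list.

    A violation entry is logged with an all-zero digest, but the kernel
    extends the PCR with 0xff bytes for it, so the replay must do the same."""
    pcr = bytes(DIGEST_LEN)
    for ev in events:
        if ev.pcr != pcr_index:
            continue
        digest = ev.template_digest
        if digest == bytes(DIGEST_LEN):
            digest = b"\xff" * DIGEST_LEN
        pcr = pcr_extend(pcr, digest)
    return pcr


def measure(path: str, content: bytes) -> ImaEvent:
    """Constructed stand-in for an ima-ng template entry for `path`."""
    file_hash = hashlib.sha256(content).digest()
    template_data = file_hash + path.encode() + b"\0"
    return ImaEvent(IMA_PCR, hashlib.sha256(template_data).digest(), path)


def kexec_soft_reboot(before_load: List[ImaEvent],
                      between_load_and_exec: List[ImaEvent],
                      snapshot_at_execute: bool) -> Tuple[bytes, List[ImaEvent]]:
    """Model the device: the TPM keeps extending across the soft reboot, while
    the log handed to the new kernel is whatever was snapshotted.

    snapshot_at_execute=False is the current behaviour (buffer filled at
    'load'); True is what the series proposes (buffer allocated at 'load',
    filled at 'execute').  Returns (quoted PCR 10, carried-over log)."""
    tpm_pcr10 = replay(before_load + between_load_and_exec)
    if snapshot_at_execute:
        carried = before_load + between_load_and_exec
    else:
        carried = list(before_load)
    return tpm_pcr10, carried


def attestation_ok(carried_log: List[ImaEvent], quoted_pcr10: bytes) -> bool:
    """What the remote verifier checks after the new kernel boots."""
    return replay(carried_log) == quoted_pcr10


def demo() -> Tuple[bool, bool]:
    """Returns (result with load-time snapshot, result with execute-time snapshot)."""
    before = [
        measure("boot_aggregate", b"constructed boot aggregate"),
        measure("/usr/bin/agent", b"agent v1"),
    ]
    between = [measure("/usr/lib/plugin.so", b"late-loaded plugin")]
    quote, old_log = kexec_soft_reboot(before, between, snapshot_at_execute=False)
    quote2, new_log = kexec_soft_reboot(before, between, snapshot_at_execute=True)
    assert quote == quote2  # the TPM saw the same events either way
    return attestation_ok(old_log, quote), attestation_ok(new_log, quote2)


if __name__ == "__main__":
    current, patched = demo()
    print(f"attestation with load-time snapshot:    {'ok' if current else 'FAIL'}")
    print(f"attestation with execute-time snapshot: {'ok' if patched else 'FAIL'}")
```

Running it prints FAIL for the load-time snapshot and ok for the execute-time one; with an empty `between_load_and_exec` list both agree, which is why the problem only shows up on devices that separate 'load' from 'execute'. The same replay logic, applied to a real `/sys/kernel/security/ima/ascii_runtime_measurements` and a PCR 10 quote, is the check that fails in the field.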