On Tue, 2023-07-11 at 10:59 -0700, Tushar Sugandhi wrote:
> Adding Eric to cc.
>
> On 7/7/23 06:00, Mimi Zohar wrote:
> > Hi Tushar,
> >
> > On Mon, 2023-07-03 at 14:57 -0700, Tushar Sugandhi wrote:
> >> IMA does not provide a mechanism to allocate memory for IMA log storage
> >> during kexec operation.
> > The IMA measurement list is currently being carried across kexec, so
> > obviously a buffer is being allocated for it. IMA not allocating
> > memory for the measurement list is not the problem statement. Please
> > concisely provide the problem statement, explaining why IMA needs to
> > allocate the buffer.
> >
> I meant IMA does not provide separate functions to allocate buffer and
> populate measurements. Both operations are wrapped in an atomic
> ima_dump_measurement_list().

Ok.

> As I mentioned in the comment in the cover letter, if there is no such
> technical limitation to allocate the buffer and copy the measurements at
> kexec ‘execute’ – I will make the necessary code changes and update the
> above line in the patch description accordingly.

The "normal" way of making this type of change would be to split the
existing ima_dump_measurement_list() function. Copying the measurement
list would still be named ima_dump_measurement_list(). The other could
be named ima_alloc_kexec_buf(). Both functions initially would be
called.

Eric, besides updating the buffer at kexec execute, is there anything
else that needs to be done (e.g. updating digests)?

> >> The function should handle the scenario where
> >> the kexec load is called multiple times.
> > Currently the buffer is being freed with the kexec 'unload'. With this
> > patch IMA is allocating a buffer for the measurement list, which needs
> > to be freed independently of the kexec 'unload'.
> If we end up allocating the buffer at kexec ‘execute’ (which results in
> soft boot to next Kernel) – is it technically possible for
> kexec ‘unload’ to be called after calling kexec ‘execute’?
> If not, should I still free the buffer at kexec ‘unload’ in this
> scenario?

The question is how to access the buffer once kexec_add_buffer() is
called.

Mimi