Re: [PATCH v2 0/7] ima: kexec: measure events between kexec load and execute

On Thu, 2023-10-05 at 11:25 -0700, Tushar Sugandhi wrote:
> The current kernel behavior is that the IMA measurements snapshot is taken at
> kexec 'load' and not at kexec 'execute'.  The IMA log is then carried
> over to the new kernel after kexec 'execute'.
> 
> Some systems can be configured to call kexec 'load' first, followed
> by kexec 'execute' after some time (as opposed to calling 'load' and
> 'execute' in one single kexec command).

Additional measurements may be introduced by the kexec load itself. 
Saving the measurement list as close as possible to the reboot is
beneficial, whether or not the kexec load and kexec execute are
executed separately.

> In such a scenario, if new IMA
> measurements are added between kexec 'load' and kexec 'execute', the
> TPM PCRs are extended with the IMA events between 'load' and 'execute'.
> But those IMA events are not carried over to the new kernel after the kexec
> soft reboot.  This results in a mismatch between the TPM PCR quotes and the
> actual IMA measurements list after the system boots into the new kexec
> image.  This mismatch results in the remote attestation failing for that
> system.
> 
> This patch series proposes a solution to solve this problem by allocating
> the necessary buffer at kexec 'load' time, and populating the buffer
> with the IMA measurements at kexec 'execute' time. 

How about beginning the paragraph with "To solve this problem allocate
... and populate ..."

-- 
thanks,

Mimi
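To make the mismatch in the quoted cover letter concrete, here is an added example that is not part of this thread, of the patch series, or of the kernel's own code: a Python replay of a constructed IMA measurement list against a simulated sha256 PCR bank, done the way a remote verifier checks a quote. The event template digest is a simplified stand-in for the ima-ng template hash (assumption: the real binary template layout is length-prefixed and not reproduced here), and the file paths and hashes are constructed sample data. The kexec simulation models what the thread describes: the TPM keeps every extend across the soft reboot, while the log the new kernel receives is either the snapshot taken at 'load' or one taken at 'execute'.

```python
"""Replay an IMA measurement list against a simulated TPM PCR bank.

Constructed illustration of the kexec load-vs-execute gap: the TPM is not
reset by a kexec soft reboot, so it keeps every PCR extend, but the
measurement list handed to the new kernel may stop at the 'load' snapshot.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# One simulated sha256 PCR bank (IMA's default measurement PCR is index 10).
PCR_INIT = bytes(32)


@dataclass(frozen=True)
class ImaEvent:
    filename: str
    file_hash: bytes  # digest of the measured file's contents

    def template_digest(self) -> bytes:
        # Simplified stand-in for the ima-ng template hash (assumption: only
        # the idea that the PCR is extended with a digest over
        # "algo:filehash" plus the name matters for the replay).
        data = b"sha256:" + self.file_hash + b"\0" + self.filename.encode() + b"\0"
        return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(log: List[ImaEvent]) -> bytes:
    """Recompute the PCR value a verifier expects from a measurement list."""
    pcr = PCR_INIT
    for event in log:
        pcr = pcr_extend(pcr, event.template_digest())
    return pcr


def verify_quote(quoted_pcr: bytes, log: List[ImaEvent]) -> bool:
    """The check a remote attestation verifier performs on quote + log."""
    return replay(log) == quoted_pcr


def simulate_kexec(before_load: List[ImaEvent], between: List[ImaEvent],
                   snapshot_at_execute: bool) -> Tuple[bytes, List[ImaEvent]]:
    """Return (PCR value the TPM quotes after kexec, log the new kernel gets).

    Every event reaches the TPM.  The carried-over log is the 'load' snapshot
    (current kernel behaviour) or a snapshot taken at 'execute'.
    """
    everything = before_load + between
    quoted_pcr = replay(everything)
    carried_log = everything if snapshot_at_execute else list(before_load)
    return quoted_pcr, carried_log


def make_event(path: str) -> ImaEvent:
    # Constructed file hash; real IMA hashes the file contents.
    return ImaEvent(path, hashlib.sha256(path.encode()).digest())


# Constructed sample measurement lists.
BEFORE_LOAD = [make_event("boot_aggregate"), make_event("/usr/sbin/kexec"),
               make_event("/boot/vmlinuz-next")]
BETWEEN = [make_event("/usr/sbin/sshd"), make_event("/etc/ssh/sshd_config")]

if __name__ == "__main__":
    for label, snap in (("snapshot at load", False), ("snapshot at execute", True)):
        pcr, log = simulate_kexec(BEFORE_LOAD, BETWEEN, snap)
        print(f"{label}: {len(log)} entries carried over, "
              f"quote verifies: {verify_quote(pcr, log)}")
```

With the 'load' snapshot the replay of the carried-over list stops two extends short of what the TPM actually holds, so the quote fails to verify even though nothing was tampered with; with the snapshot taken at 'execute' the same quote verifies. If no measurements land between 'load' and 'execute', both snapshots verify, which is why the problem only shows up on systems that separate the two steps.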