On 1/24/24 06:07, Mimi Zohar wrote:
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -121,6 +121,7 @@ void ima_add_kexec_buffer(struct kimage *image)
.buf_min = 0, .buf_max = ULONG_MAX,
.top_down = true };
unsigned long binary_runtime_size;
+ unsigned long extra_size;
/* use more understandable variable names than defined in kbuf */
void *kexec_buffer = NULL;
@@ -128,15 +129,19 @@ void ima_add_kexec_buffer(struct kimage *image)
int ret;
/*
- * Reserve an extra half page of memory for additional measurements
- * added during the kexec load.
+ * Reserve extra memory for measurements added during kexec.
*/
The memory is still being allocated at kexec "load", so the extra memory is for
additional measurement records "since" kexec load.
Mimi
This wording was an attempt to address the comment in v3[1].
So I tried to make the comment generic. But maybe I made it too generic.
I will update.
[1] Re: [PATCH v3 6/7] ima: configure memory to log events between kexec
load and execute
https://lore.kernel.org/all/fbe6aa7577875b23a9913a39f858f06f1d2aa903.camel@xxxxxxxxxxxxx/
"Additional records could be added as a result of the kexec
load itself.
...
Please remove any references to measurements between kexec load and
execute."
~Tushar
- binary_runtime_size = ima_get_binary_runtime_size();
+ if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
+ extra_size = PAGE_SIZE / 2;
+ else
+ extra_size = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;
+ binary_runtime_size = ima_get_binary_runtime_size() + extra_size;
+
if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
kexec_segment_size = ULONG_MAX;
else
- kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
- PAGE_SIZE / 2, PAGE_SIZE);
+ kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);
+
if ((kexec_segment_size == ULONG_MAX) ||
((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
pr_err("Binary measurement list too large.\n");
