On 1/28/2025 7:18 AM, Stefan Berger wrote:
On 1/24/25 5:55 PM, steven chen wrote:
The extra memory allocated for carrying the IMA measurement list across
kexec is hard-coded as half a PAGE. Make it configurable.
Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
extra memory (in kb) to be allocated for IMA measurements added during
kexec soft reboot. Ensure the default value of the option is set such
that extra half a page of memory for additional measurements is
allocated
for the additional measurements.
Update ima_add_kexec_buffer() function to allocate memory based on the
Kconfig option value, rather than the currently hard-coded one.
From: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
Author: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
Suggested-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Signed-off-by: Tushar Sugandhi <tusharsu@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: steven chen <chenste@xxxxxxxxxxxxxxxxxxx>
---
security/integrity/ima/Kconfig | 10 ++++++++++
security/integrity/ima/ima_kexec.c | 16 ++++++++++------
2 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/security/integrity/ima/Kconfig
b/security/integrity/ima/Kconfig
index 475c32615006..7dd2ed8b2cdc 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
help
This option disables htable to allow measurement of
duplicate records.
+config IMA_KEXEC_EXTRA_MEMORY_KB
+ int
int "Extra memory for IMA measurements added during kexec soft reboot"
Without the description I wasn't able to modify the value.
+ depends on IMA_KEXEC
+ default 0
+ help
+ IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
+ allocated (in kb) for IMA measurements added during kexec soft
reboot.
+ If set to the default value, an extra half a page of memory
for those
+ additional measurements will be allocated.
+
endif
diff --git a/security/integrity/ima/ima_kexec.c
b/security/integrity/ima/ima_kexec.c
index d5f004cfeaec..c9c916f69ca7 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -128,22 +128,26 @@ void ima_add_kexec_buffer(struct kimage *image)
.buf_min = 0, .buf_max = ULONG_MAX,
.top_down = true };
unsigned long binary_runtime_size;
-
+ unsigned long extra_size;
/* use more understandable variable names than defined in kbuf */
void *kexec_buffer = NULL;
size_t kexec_buffer_size = 0;
int ret;
/*
- * Reserve an extra half page of memory for additional measurements
- * added during the kexec load.
+ * Reserve extra memory for measurements added during kexec.
*/
- binary_runtime_size = ima_get_binary_runtime_size();
+ if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
+ extra_size = PAGE_SIZE / 2;
+ else
+ extra_size = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;
+ binary_runtime_size = ima_get_binary_runtime_size() + extra_size;
+
if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
kexec_segment_size = ULONG_MAX;
else
- kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
- PAGE_SIZE / 2, PAGE_SIZE);
+ kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);
+
if ((kexec_segment_size == ULONG_MAX) ||
((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
pr_err("Binary measurement list too large.\n");
With the changes to Kconfig:
Reviewed-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>
Thanks, will update in the next release
