The patch titled Subject: ima: serialize the binary_runtime_measurements has been removed from the -mm tree. Its filename was ima-serialize-the-binary_runtime_measurements.patch This patch was dropped because an updated version will be merged ------------------------------------------------------ From: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Subject: ima: serialize the binary_runtime_measurements The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (eg. kexec -e), the IMA measurement list of the running kernel must be saved and restored on boot. This patch serializes the IMA measurement list in the binary_runtime_measurements format. Link: http://lkml.kernel.org/r/1473938771-2782-5-git-send-email-zohar@xxxxxxxxxxxxxxxxxx Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Cc: Eric Biederman <ebiederm@xxxxxxxxxxxx> Cc: Dave Young <dyoung@xxxxxxxxxx> Cc: Vivek Goyal <vgoyal@xxxxxxxxxx> Cc: Baoquan He <bhe@xxxxxxxxxx> Cc: Michael Ellerman <mpe@xxxxxxxxxxxxxx> Cc: Stewart Smith <stewart@xxxxxxxxxxxxxxxxxx> Cc: Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> Cc: Eric Richter <erichte@xxxxxxxxxxxxxxxxxx> Cc: Balbir Singh <bsingharora@xxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- security/integrity/ima/ima.h | 1 security/integrity/ima/ima_fs.c | 2 - security/integrity/ima/ima_kexec.c | 51 +++++++++++++++++++++++++++ 3 files changed, 53 insertions(+), 1 deletion(-) diff -puN security/integrity/ima/ima.h~ima-serialize-the-binary_runtime_measurements security/integrity/ima/ima.h --- a/security/integrity/ima/ima.h~ima-serialize-the-binary_runtime_measurements +++ a/security/integrity/ima/ima.h @@ -133,6 +133,7 @@ void ima_print_digest(struct seq_file *m struct ima_template_desc *ima_template_desc_current(void); int ima_restore_measurement_entry(struct ima_template_entry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); +int ima_measurements_show(struct seq_file *m, void *v); unsigned long ima_get_binary_runtime_size(void); int ima_init_template(void); diff -puN security/integrity/ima/ima_fs.c~ima-serialize-the-binary_runtime_measurements security/integrity/ima/ima_fs.c --- a/security/integrity/ima/ima_fs.c~ima-serialize-the-binary_runtime_measurements +++ a/security/integrity/ima/ima_fs.c @@ -116,7 +116,7 @@ void ima_putc(struct seq_file *m, void * * [eventdata length] * eventdata[n]=template specific data */ -static int ima_measurements_show(struct seq_file *m, void *v) +int ima_measurements_show(struct seq_file *m, void *v) { /* the list never shrinks, so we don't need a lock here */ struct ima_queue_entry *qe = v; diff -puN security/integrity/ima/ima_kexec.c~ima-serialize-the-binary_runtime_measurements security/integrity/ima/ima_kexec.c --- a/security/integrity/ima/ima_kexec.c~ima-serialize-the-binary_runtime_measurements +++ a/security/integrity/ima/ima_kexec.c @@ -23,6 +23,57 @@ #include "ima.h" +static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer, + unsigned long segment_size) +{ + struct ima_queue_entry *qe; + struct seq_file file; + struct ima_kexec_hdr khdr = { + .version = 1, .buffer_size = 0, .count = 0}; + int ret = 0; + + /* segment size can't change between kexec load and execute */ + file.buf = vmalloc(segment_size); + if (!file.buf) { + ret = -ENOMEM; + goto out; + } + + file.size = segment_size; + file.read_pos = 0; + file.count = sizeof(khdr); /* reserved space */ + + list_for_each_entry_rcu(qe, &ima_measurements, later) { + if (file.count < file.size) { + khdr.count++; + ima_measurements_show(&file, qe); + } else { + ret = -EINVAL; + break; + } + } + + if (ret < 0) + goto out; + + /* + * fill in reserved space with some buffer details + * (eg. version, buffer size, number of measurements) + */ + khdr.buffer_size = file.count; + memcpy(file.buf, &khdr, sizeof(khdr)); + print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE, + 16, 1, file.buf, + file.count < 100 ? file.count : 100, true); + + *buffer_size = file.count; + *buffer = file.buf; +out: + if (ret == -EINVAL) + vfree(file.buf); + return ret; +} + /* * Restore the measurement list from the previous kernel. */ _ Patches currently in -mm which might be from zohar@xxxxxxxxxxxxxxxxxx are ima-store-the-builtin-custom-template-definitions-in-a-list.patch ima-support-restoring-multiple-template-formats.patch ima-define-a-canonical-binary_runtime_measurements-list-format.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html