Message ID | 20201113192243.1993-8-nramas@linux.microsoft.com (mailing list archive) |
---|---|
State | New, archived |
Series | Carry forward IMA measurement log on kexec on ARM64 |
On Fri, 2020-11-13 at 11:22 -0800, Lakshmi Ramasubramanian wrote: > Address and size of the buffer containing the IMA measurement log need > to be passed from the current kernel to the next kernel on kexec. > > Add address and size fields to "struct kimage_arch" for ARM64 platform > to hold the address and size of the IMA measurement log buffer. > Define an architecture specific function for ARM64 namely > arch_ima_add_kexec_buffer() that will set the address and size of > the current kernel's IMA buffer to be passed to the next kernel on kexec. > > Co-developed-by: Prakhar Srivastava <prsriva@linux.microsoft.com> > Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com> > Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> > Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> > --- > arch/arm64/include/asm/ima.h | 18 ++++++++++++++++++ > arch/arm64/include/asm/kexec.h | 3 +++ > arch/arm64/kernel/Makefile | 1 + > arch/arm64/kernel/ima_kexec.c | 34 ++++++++++++++++++++++++++++++++++ > 4 files changed, 56 insertions(+) > create mode 100644 arch/arm64/include/asm/ima.h > create mode 100644 arch/arm64/kernel/ima_kexec.c > > diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h > new file mode 100644 > index 000000000000..507fc94ddaba > --- /dev/null > +++ b/arch/arm64/include/asm/ima.h > @@ -0,0 +1,18 @@ > +/* SPDX-License-Identifier: GPL-2.0-or-later */ > +/* > + * Copyright (C) 2019 Microsoft Corporation > + * > + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> > + * > + */ > +#ifndef _ASM_ARCH_IMA_H > +#define _ASM_ARCH_IMA_H > + > +struct kimage; > + > +#ifdef CONFIG_IMA_KEXEC > +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, > + size_t size); > +#endif /* CONFIG_IMA_KEXEC */ > + > +#endif /* _ASM_ARCH_IMA_H */ > diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h > index d24b527e8c00..7bd60c185ad3 100644 > --- a/arch/arm64/include/asm/kexec.h 
> +++ b/arch/arm64/include/asm/kexec.h > @@ -100,6 +100,9 @@ struct kimage_arch { > void *elf_headers; > unsigned long elf_headers_mem; > unsigned long elf_headers_sz; > + > + phys_addr_t ima_buffer_addr; > + size_t ima_buffer_size; > }; Any reason these definitions are not conditionally defined based on CONFIG_IMA_KEXEC, like on powerpc? > > diff --git a/arch/arm64/kernel/ima_kexec.c b/arch/arm64/kernel/ima_kexec.c > new file mode 100644 > index 000000000000..1847f1230710 > --- /dev/null > +++ b/arch/arm64/kernel/ima_kexec.c > @@ -0,0 +1,34 @@ > +// SPDX-License-Identifier: GPL-2.0-or-later > +/* > + * Copyright (C) 2019 Microsoft Corporation > + * > + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> > + * > + * File: ima_kexec.c > + * Defines IMA kexec functions. > + */ > + > +#include <linux/kernel.h> > +#include <linux/kexec.h> > +#include <linux/types.h> > +#include <asm/ima.h> > + > +/** > + * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer > + * > + * @image: kimage structure to set ima buffer information in for kexec > + * @load_addr: Start address of the IMA buffer > + * @size: size of the IMA buffer > + * > + * Architectures should use this function to pass on the IMA buffer > + * information to the next kernel. > + * > + * Return: 0 on success, negative errno on error. > + */ > +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, > + size_t size) > +{ > + image->arch.ima_buffer_addr = load_addr; > + image->arch.ima_buffer_size = size; > + return 0; > +} This is exactly the same as the powerpc version. Couldn't there be a common version of this as well? Mimi
On 12/1/20 3:39 AM, Mimi Zohar wrote: > On Fri, 2020-11-13 at 11:22 -0800, Lakshmi Ramasubramanian wrote: >> Address and size of the buffer containing the IMA measurement log need >> to be passed from the current kernel to the next kernel on kexec. >> >> Add address and size fields to "struct kimage_arch" for ARM64 platform >> to hold the address and size of the IMA measurement log buffer. >> Define an architecture specific function for ARM64 namely >> arch_ima_add_kexec_buffer() that will set the address and size of >> the current kernel's IMA buffer to be passed to the next kernel on kexec. >> >> Co-developed-by: Prakhar Srivastava <prsriva@linux.microsoft.com> >> Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com> >> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> >> Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com> >> --- >> arch/arm64/include/asm/ima.h | 18 ++++++++++++++++++ >> arch/arm64/include/asm/kexec.h | 3 +++ >> arch/arm64/kernel/Makefile | 1 + >> arch/arm64/kernel/ima_kexec.c | 34 ++++++++++++++++++++++++++++++++++ >> 4 files changed, 56 insertions(+) >> create mode 100644 arch/arm64/include/asm/ima.h >> create mode 100644 arch/arm64/kernel/ima_kexec.c >> >> diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h >> new file mode 100644 >> index 000000000000..507fc94ddaba >> --- /dev/null >> +++ b/arch/arm64/include/asm/ima.h >> @@ -0,0 +1,18 @@ >> +/* SPDX-License-Identifier: GPL-2.0-or-later */ >> +/* >> + * Copyright (C) 2019 Microsoft Corporation >> + * >> + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> >> + * >> + */ >> +#ifndef _ASM_ARCH_IMA_H >> +#define _ASM_ARCH_IMA_H >> + >> +struct kimage; >> + >> +#ifdef CONFIG_IMA_KEXEC >> +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, >> + size_t size); >> +#endif /* CONFIG_IMA_KEXEC */ >> + >> +#endif /* _ASM_ARCH_IMA_H */ 
>> diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h >> index d24b527e8c00..7bd60c185ad3 100644 >> --- a/arch/arm64/include/asm/kexec.h >> +++ b/arch/arm64/include/asm/kexec.h >> @@ -100,6 +100,9 @@ struct kimage_arch { >> void *elf_headers; >> unsigned long elf_headers_mem; >> unsigned long elf_headers_sz; >> + >> + phys_addr_t ima_buffer_addr; >> + size_t ima_buffer_size; >> }; > > Any reason these definitions are not conditionally defined based on > CONFIG_IMA_KEXEC, like on powerpc? I'll define ima buffer related fields conditionally (CONFIG_IMA_KEXEC). > >> >> diff --git a/arch/arm64/kernel/ima_kexec.c b/arch/arm64/kernel/ima_kexec.c >> new file mode 100644 >> index 000000000000..1847f1230710 >> --- /dev/null >> +++ b/arch/arm64/kernel/ima_kexec.c 
>> @@ -0,0 +1,34 @@ >> +// SPDX-License-Identifier: GPL-2.0-or-later >> +/* >> + * Copyright (C) 2019 Microsoft Corporation >> + * >> + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> >> + * >> + * File: ima_kexec.c >> + * Defines IMA kexec functions. >> + */ >> + >> +#include <linux/kernel.h> >> +#include <linux/kexec.h> >> +#include <linux/types.h> >> +#include <asm/ima.h> >> + >> +/** >> + * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer >> + * >> + * @image: kimage structure to set ima buffer information in for kexec >> + * @load_addr: Start address of the IMA buffer >> + * @size: size of the IMA buffer >> + * >> + * Architectures should use this function to pass on the IMA buffer >> + * information to the next kernel. >> + * >> + * Return: 0 on success, negative errno on error. >> + */ >> +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, >> + size_t size) >> +{ >> + image->arch.ima_buffer_addr = load_addr; >> + image->arch.ima_buffer_size = size; >> + return 0; >> +} > > This is exactly the same as the powerpc version. Couldn't there be a > common version of this as well? I think it can be moved to a common version. I'll make that change. thanks, -lakshmi
diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h new file mode 100644 index 000000000000..507fc94ddaba --- /dev/null +++ b/arch/arm64/include/asm/ima.h @@ -0,0 +1,18 @@ +/* SPDX-License-Identifier: GPL-2.0-or-later */ +/* + * Copyright (C) 2019 Microsoft Corporation + * + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> + * + */ +#ifndef _ASM_ARCH_IMA_H +#define _ASM_ARCH_IMA_H + +struct kimage; + +#ifdef CONFIG_IMA_KEXEC +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, + size_t size); +#endif /* CONFIG_IMA_KEXEC */ + +#endif /* _ASM_ARCH_IMA_H */ diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h index d24b527e8c00..7bd60c185ad3 100644 --- a/arch/arm64/include/asm/kexec.h +++ b/arch/arm64/include/asm/kexec.h @@ -100,6 +100,9 @@ struct kimage_arch { void *elf_headers; unsigned long elf_headers_mem; unsigned long elf_headers_sz; + + phys_addr_t ima_buffer_addr; + size_t ima_buffer_size; }; extern const struct kexec_file_ops kexec_image_ops; diff --git a/arch/arm64/kernel/Makefile b/arch/arm64/kernel/Makefile index bbaf0bc4ad60..1cddf55fb601 100644 --- a/arch/arm64/kernel/Makefile +++ b/arch/arm64/kernel/Makefile @@ -60,6 +60,7 @@ obj-$(CONFIG_ARM_SDE_INTERFACE) += sdei.o obj-$(CONFIG_ARM64_PTR_AUTH) += pointer_auth.o obj-$(CONFIG_SHADOW_CALL_STACK) += scs.o obj-$(CONFIG_ARM64_MTE) += mte.o +obj-$(CONFIG_IMA_KEXEC) += ima_kexec.o obj-y += vdso/ probes/ obj-$(CONFIG_COMPAT_VDSO) += vdso32/ diff --git a/arch/arm64/kernel/ima_kexec.c b/arch/arm64/kernel/ima_kexec.c new file mode 100644 index 000000000000..1847f1230710 --- /dev/null +++ b/arch/arm64/kernel/ima_kexec.c 
@@ -0,0 +1,34 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2019 Microsoft Corporation + * + * Author: Prakhar Srivastava <prsriva@linux.microsoft.com> + * + * File: ima_kexec.c + * Defines IMA kexec functions. + */ + +#include <linux/kernel.h> +#include <linux/kexec.h> +#include <linux/types.h> +#include <asm/ima.h> + +/** + * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer + * + * @image: kimage structure to set ima buffer information in for kexec + * @load_addr: Start address of the IMA buffer + * @size: size of the IMA buffer + * + * Architectures should use this function to pass on the IMA buffer + * information to the next kernel. + * + * Return: 0 on success, negative errno on error. + */ +int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr, + size_t size) +{ + image->arch.ima_buffer_addr = load_addr; + image->arch.ima_buffer_size = size; + return 0; +}
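Review bot: In arch/arm64/include/asm/ima.h the prototype of arch_ima_add_kexec_buffer() uses size_t, but the header only forward-declares struct kimage and includes nothing, so it builds only when the includer has already pulled in the type (as ima_kexec.c does by including <linux/types.h> before <asm/ima.h>). Adding #include <linux/types.h> to the header would make it self-contained.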
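Review bot: In the struct kimage_arch hunk of arch/arm64/include/asm/kexec.h, ima_buffer_addr is declared phys_addr_t, while arch_ima_add_kexec_buffer() receives the address as unsigned long load_addr and assigns it directly to that field. Use one type for the address along the whole path, and wrap both new fields in #ifdef CONFIG_IMA_KEXEC so they follow the same guard as the prototype in ima.h and the ima_kexec.o rule in the Makefile.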
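Review bot: In arch/arm64/kernel/ima_kexec.c the kernel-doc for arch_ima_add_kexec_buffer() states "Return: 0 on success, negative errno on error", but the body only stores load_addr and size and returns 0 unconditionally, so no error path exists. Either document that it always returns 0 or add the check that would produce the errno. The "File: ima_kexec.c" line in the header comment restates the file name and can be dropped.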