| Message ID | 20210209182200.30606-1-nramas@linux.microsoft.com (mailing list archive) |
|---|---|
| Headers | show |
| Series | Carry forward IMA measurement log on kexec on ARM64 | expand |
On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote: > On kexec file load Integrity Measurement Architecture (IMA) subsystem > may verify the IMA signature of the kernel and initramfs, and measure > it. The command line parameters passed to the kernel in the kexec call > may also be measured by IMA. A remote attestation service can verify > a TPM quote based on the TPM event log, the IMA measurement list, and > the TPM PCR data. This can be achieved only if the IMA measurement log > is carried over from the current kernel to the next kernel across > the kexec call. > > powerpc already supports carrying forward the IMA measurement log on > kexec. This patch set adds support for carrying forward the IMA > measurement log on kexec on ARM64. > > This patch set moves the platform independent code defined for powerpc > such that it can be reused for other platforms as well. A chosen node > "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold > the address and the size of the memory reserved to carry > the IMA measurement log. > > This patch set has been tested for ARM64 platform using QEMU. > I would like help from the community for testing this change on powerpc. > Thanks. > > This patch set is based on > commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall") > in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > "next-integrity" branch. Is that a hard dependency still? Given this is now almost entirely deleting arch code and adding drivers/of/ code, I was going to apply it. Rob
On 2/10/21 9:15 AM, Rob Herring wrote: > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote: >> On kexec file load Integrity Measurement Architecture (IMA) subsystem >> may verify the IMA signature of the kernel and initramfs, and measure >> it. The command line parameters passed to the kernel in the kexec call >> may also be measured by IMA. A remote attestation service can verify >> a TPM quote based on the TPM event log, the IMA measurement list, and >> the TPM PCR data. This can be achieved only if the IMA measurement log >> is carried over from the current kernel to the next kernel across >> the kexec call. >> >> powerpc already supports carrying forward the IMA measurement log on >> kexec. This patch set adds support for carrying forward the IMA >> measurement log on kexec on ARM64. >> >> This patch set moves the platform independent code defined for powerpc >> such that it can be reused for other platforms as well. A chosen node >> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold >> the address and the size of the memory reserved to carry >> the IMA measurement log. >> >> This patch set has been tested for ARM64 platform using QEMU. >> I would like help from the community for testing this change on powerpc. >> Thanks. >> >> This patch set is based on >> commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall") >> in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git >> "next-integrity" branch. > > Is that a hard dependency still? Given this is now almost entirely > deleting arch code and adding drivers/of/ code, I was going to apply it. > I tried applying the patches in Linus' mainline branch - PATCH #5 0005-powerpc-Move-ima-buffer-fields-to-struct-kimage.patch doesn't apply. But if I apply the dependent patch set (link given below), all the patches in this patch set apply fine. https://patchwork.kernel.org/project/linux-integrity/patch/20210204174951.25771-2-nramas@linux.microsoft.com/ thanks, -lakshmi
On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian <nramas@linux.microsoft.com> wrote: > > On 2/10/21 9:15 AM, Rob Herring wrote: > > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote: > >> On kexec file load Integrity Measurement Architecture (IMA) subsystem > >> may verify the IMA signature of the kernel and initramfs, and measure > >> it. The command line parameters passed to the kernel in the kexec call > >> may also be measured by IMA. A remote attestation service can verify > >> a TPM quote based on the TPM event log, the IMA measurement list, and > >> the TPM PCR data. This can be achieved only if the IMA measurement log > >> is carried over from the current kernel to the next kernel across > >> the kexec call. > >> > >> powerpc already supports carrying forward the IMA measurement log on > >> kexec. This patch set adds support for carrying forward the IMA > >> measurement log on kexec on ARM64. > >> > >> This patch set moves the platform independent code defined for powerpc > >> such that it can be reused for other platforms as well. A chosen node > >> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold > >> the address and the size of the memory reserved to carry > >> the IMA measurement log. > >> > >> This patch set has been tested for ARM64 platform using QEMU. > >> I would like help from the community for testing this change on powerpc. > >> Thanks. > >> > >> This patch set is based on > >> commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall") > >> in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > >> "next-integrity" branch. > > > > Is that a hard dependency still? Given this is now almost entirely > > deleting arch code and adding drivers/of/ code, I was going to apply it. > > > > I tried applying the patches in Linus' mainline branch - > PATCH #5 0005-powerpc-Move-ima-buffer-fields-to-struct-kimage.patch > doesn't apply. > > But if I apply the dependent patch set (link given below), all the > patches in this patch set apply fine. > > https://patchwork.kernel.org/project/linux-integrity/patch/20210204174951.25771-2-nramas@linux.microsoft.com/ Ideally, we don't apply the same patch in 2 branches. It looks like there's a conflict but no real dependence on the above patch (the ima_buffer part). The conflict seems trivial enough that Linus can resolve it in the merge window. Or Mimi can take the whole thing if preferred? Rob
On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote: > On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian > <nramas@linux.microsoft.com> wrote: > > > > On 2/10/21 9:15 AM, Rob Herring wrote: > > > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote: > > >> On kexec file load Integrity Measurement Architecture (IMA) subsystem > > >> may verify the IMA signature of the kernel and initramfs, and measure > > >> it. The command line parameters passed to the kernel in the kexec call > > >> may also be measured by IMA. A remote attestation service can verify > > >> a TPM quote based on the TPM event log, the IMA measurement list, and > > >> the TPM PCR data. This can be achieved only if the IMA measurement log > > >> is carried over from the current kernel to the next kernel across > > >> the kexec call. > > >> > > >> powerpc already supports carrying forward the IMA measurement log on > > >> kexec. This patch set adds support for carrying forward the IMA > > >> measurement log on kexec on ARM64. > > >> > > >> This patch set moves the platform independent code defined for powerpc > > >> such that it can be reused for other platforms as well. A chosen node > > >> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold > > >> the address and the size of the memory reserved to carry > > >> the IMA measurement log. > > >> > > >> This patch set has been tested for ARM64 platform using QEMU. > > >> I would like help from the community for testing this change on powerpc. > > >> Thanks. > > >> > > >> This patch set is based on > > >> commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall") > > >> in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git > > >> "next-integrity" branch. > > > > > > Is that a hard dependency still? Given this is now almost entirely > > > deleting arch code and adding drivers/of/ code, I was going to apply it. > > > > > > > I tried applying the patches in Linus' mainline branch - > > PATCH #5 0005-powerpc-Move-ima-buffer-fields-to-struct-kimage.patch > > doesn't apply. > > > > But if I apply the dependent patch set (link given below), all the > > patches in this patch set apply fine. > > > > https://patchwork.kernel.org/project/linux-integrity/patch/20210204174951.25771-2-nramas@linux.microsoft.com/ > > Ideally, we don't apply the same patch in 2 branches. It looks like > there's a conflict but no real dependence on the above patch (the > ima_buffer part). The conflict seems trivial enough that Linus can > resolve it in the merge window. > > Or Mimi can take the whole thing if preferred? How about I create a topic branch with just the two patches, allowing both of us to merge it? There shouldn't be a problem with re-writing next-integrity history. Mimi
On Wed, 2021-02-10 at 15:55 -0500, Mimi Zohar wrote: > On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote: > > On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian > > > Ideally, we don't apply the same patch in 2 branches. It looks like > > there's a conflict but no real dependence on the above patch (the > > ima_buffer part). The conflict seems trivial enough that Linus can > > resolve it in the merge window. > > > > Or Mimi can take the whole thing if preferred? > > How about I create a topic branch with just the two patches, allowing > both of us to merge it? There shouldn't be a problem with re-writing > next-integrity history. The 2 patches are now in the ima-kexec-fixes branch. Mimi
On 2/10/21 1:39 PM, Mimi Zohar wrote: > On Wed, 2021-02-10 at 15:55 -0500, Mimi Zohar wrote: >> On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote: >>> On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian >> >>> Ideally, we don't apply the same patch in 2 branches. It looks like >>> there's a conflict but no real dependence on the above patch (the >>> ima_buffer part). The conflict seems trivial enough that Linus can >>> resolve it in the merge window. >>> >>> Or Mimi can take the whole thing if preferred? >> >> How about I create a topic branch with just the two patches, allowing >> both of us to merge it? There shouldn't be a problem with re-writing >> next-integrity history. > > The 2 patches are now in the ima-kexec-fixes branch. > Thanks a lot Mimi. Rob - I will address the 2 comments you'd provided today, and build the patches in ima-kexec-fixes branch. If you have more comments in the v17 patches, please let me know. thanks, -lakshmi
On kexec file load Integrity Measurement Architecture (IMA) subsystem may verify the IMA signature of the kernel and initramfs, and measure it. The command line parameters passed to the kernel in the kexec call may also be measured by IMA. A remote attestation service can verify a TPM quote based on the TPM event log, the IMA measurement list, and the TPM PCR data. This can be achieved only if the IMA measurement log is carried over from the current kernel to the next kernel across the kexec call. powerpc already supports carrying forward the IMA measurement log on kexec. This patch set adds support for carrying forward the IMA measurement log on kexec on ARM64. This patch set moves the platform independent code defined for powerpc such that it can be reused for other platforms as well. A chosen node "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold the address and the size of the memory reserved to carry the IMA measurement log. This patch set has been tested for ARM64 platform using QEMU. I would like help from the community for testing this change on powerpc. Thanks. This patch set is based on commit 96acc833dec8 ("ima: Free IMA measurement buffer after kexec syscall") in https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git "next-integrity" branch. Changelog: v17 - Renamed of_kexec_setup_new_fdt() to of_kexec_alloc_and_setup_fdt(), and moved memory allocation for the new FDT to this function. v16 - Defined functions to allocate and free buffer for FDT for powerpc and arm64. - Moved ima_buffer_addr and ima_buffer_size fields from "struct kimage_arch" in powerpc to "struct kimage" v15 - Included Rob's patches in the patch set, and rebased the changes to "next-integrity" branch. - Allocate memory for DTB, on arm64, using kmalloc() instead of vmalloc() to keep it consistent with powerpc implementation. - Call of_kexec_setup_new_fdt() from setup_new_fdt_ppc64() and remove setup_new_fdt() in the same patch to keep it bisect safe. v14 - Select CONFIG_HAVE_IMA_KEXEC for CONFIG_KEXEC_FILE, for powerpc and arm64, if CONFIG_IMA is enabled. - Use IS_ENABLED() macro instead of "#ifdef" in remove_ima_buffer(), ima_get_kexec_buffer(), and ima_free_kexec_buffer(). - Call of_kexec_setup_new_fdt() from setup_new_fdt_ppc64() and remove setup_new_fdt() in "arch/powerpc/kexec/file_load.c". v13 - Moved the arch independent functions to drivers/of/kexec.c and then refactored the code. - Moved arch_ima_add_kexec_buffer() to security/integrity/ima/ima_kexec.c v12 - Use fdt_appendprop_addrrange() in setup_ima_buffer() to setup the IMA measurement list property in the device tree. - Moved architecture independent functions from "arch/powerpc/kexec/ima.c" to "drivers/of/kexec." - Deleted "arch/powerpc/kexec/ima.c" and "arch/powerpc/include/asm/ima.h". v11 - Rebased the changes on the kexec code refactoring done by Rob Herring in his "dt/kexec" branch - Removed "extern" keyword in function declarations - Removed unnecessary header files included in C files - Updated patch descriptions per Thiago's comments v10 - Moved delete_fdt_mem_rsv(), remove_ima_buffer(), get_ima_kexec_buffer, and get_root_addr_size_cells() to drivers/of/kexec.c - Moved arch_ima_add_kexec_buffer() to security/integrity/ima/ima_kexec.c - Conditionally define IMA buffer fields in struct kimage_arch v9 - Moved delete_fdt_mem_rsv() to drivers/of/kexec_fdt.c - Defined a new function get_ima_kexec_buffer() in drivers/of/ima_kexec.c to replace do_get_kexec_buffer() - Changed remove_ima_kexec_buffer() to the original function name remove_ima_buffer() - Moved remove_ima_buffer() to drivers/of/ima_kexec.c - Moved ima_get_kexec_buffer() and ima_free_kexec_buffer() to security/integrity/ima/ima_kexec.c v8: - Moved remove_ima_kexec_buffer(), do_get_kexec_buffer(), and delete_fdt_mem_rsv() to drivers/of/fdt.c - Moved ima_dump_measurement_list() and ima_add_kexec_buffer() back to security/integrity/ima/ima_kexec.c v7: - Renamed remove_ima_buffer() to remove_ima_kexec_buffer() and moved this function definition to kernel. - Moved delete_fdt_mem_rsv() definition to kernel - Moved ima_dump_measurement_list() and ima_add_kexec_buffer() to a new file namely ima_kexec_fdt.c in IMA v6: - Remove any existing FDT_PROP_IMA_KEXEC_BUFFER property in the device tree and also its corresponding memory reservation in the currently running kernel. - Moved the function remove_ima_buffer() defined for powerpc to IMA and renamed the function to ima_remove_kexec_buffer(). Also, moved delete_fdt_mem_rsv() from powerpc to IMA. v5: - Merged get_addr_size_cells() and do_get_kexec_buffer() into a single function when moving the arch independent code from powerpc to IMA - Reverted the change to use FDT functions in powerpc code and added back the original code in get_addr_size_cells() and do_get_kexec_buffer() for powerpc. - Added fdt_add_mem_rsv() for ARM64 to reserve the memory for the IMA log buffer during kexec. - Fixed the warning reported by kernel test bot for ARM64 arch_ima_add_kexec_buffer() - moved this function to a new file namely arch/arm64/kernel/ima_kexec.c v4: - Submitting the patch series on behalf of the original author Prakhar Srivastava <prsriva@linux.microsoft.com> - Moved FDT_PROP_IMA_KEXEC_BUFFER ("linux,ima-kexec-buffer") to libfdt.h so that it can be shared by multiple platforms. v3: Breakup patches further into separate patches. - Refactoring non architecture specific code out of powerpc - Update powerpc related code to use fdt functions - Update IMA buffer read related code to use of functions - Add support to store the memory information of the IMA measurement logs to be carried forward. - Update the property strings to align with documented nodes https://github.com/devicetree-org/dt-schema/pull/46 v2: Break patches into separate patches. - Powerpc related Refactoring - Updating the docuemntation for chosen node - Updating arm64 to support IMA buffer pass v1: Refactoring carrying over IMA measuremnet logs over Kexec. This patch moves the non-architecture specific code out of powerpc and adds to security/ima.(Suggested by Thiago) Add Documentation regarding the ima-kexec-buffer node in the chosen node documentation v0: Add a layer of abstraction to use the memory reserved by device tree for ima buffer pass. Add support for ima buffer pass using reserved memory for arm64 kexec. Update the arch sepcific code path in kexec file load to store the ima buffer in the reserved memory. The same reserved memory is read on kexec or cold boot. Lakshmi Ramasubramanian (6): powerpc: Move ima buffer fields to struct kimage powerpc: Enable passing IMA log to next kernel on kexec powerpc: Move arch independent ima kexec functions to drivers/of/kexec.c kexec: Use fdt_appendprop_addrrange() to add ima buffer to FDT powerpc: Delete unused function delete_fdt_mem_rsv() arm64: Enable passing IMA log to next kernel on kexec Rob Herring (4): powerpc: Rename kexec elfcorehdr_addr to elf_headers_mem of: Add a common kexec FDT setup function arm64: Use common of_kexec_alloc_and_setup_fdt() powerpc: Use common of_kexec_alloc_and_setup_fdt() arch/arm64/Kconfig | 1 + arch/arm64/kernel/machine_kexec_file.c | 180 +--------- arch/powerpc/Kconfig | 2 +- arch/powerpc/include/asm/ima.h | 30 -- arch/powerpc/include/asm/kexec.h | 12 +- arch/powerpc/kexec/Makefile | 7 - arch/powerpc/kexec/elf_64.c | 29 +- arch/powerpc/kexec/file_load.c | 183 +--------- arch/powerpc/kexec/file_load_64.c | 11 +- arch/powerpc/kexec/ima.c | 219 ------------ drivers/of/Makefile | 6 + drivers/of/kexec.c | 473 +++++++++++++++++++++++++ include/linux/kexec.h | 3 + include/linux/of.h | 20 ++ security/integrity/ima/ima.h | 4 - security/integrity/ima/ima_kexec.c | 3 +- 16 files changed, 539 insertions(+), 644 deletions(-) delete mode 100644 arch/powerpc/include/asm/ima.h delete mode 100644 arch/powerpc/kexec/ima.c create mode 100644 drivers/of/kexec.c