From: Mimi Zohar <zohar@linux.ibm.com>
To: Prakhar Srivastava <prsriva02@gmail.com>,
linux-integrity@vger.kernel.org,
linux-secuirty-module@vger.kernel.org,
linux-kernel@vger.kernel.org
Cc: ebiederm@xmission.com, vgoyal@redhat.com, nayna@linux.ibm.com,
nramas@microsoft.com, prsriva@microsoft.com
Subject: Re: [PATCH 0/5 v4] Kexec cmdline bufffer measure
Date: Mon, 06 May 2019 08:12:59 -0400 [thread overview]
Message-ID: <1557144779.14288.92.camel@linux.ibm.com> (raw)
In-Reply-To: <20190503222523.6294-1-prsriva02@gmail.com>
On Fri, 2019-05-03 at 15:25 -0700, Prakhar Srivastava wrote:
> From: Prakhar Srivastava <prsriva02@gmail.com>
>
> For the Kexec scenario (kexec_file_load) cmdline args are passed to the
> next kernel. These cmdline args used to load the next kernel can
> have undesired/unwanted configs. To guard against any unwanted cmdline
> args being passed to the next kernel, the current kernel should measure
> the cmdline args to the next kernel, the same takes place in the EFI
> bootloader. Thus on kexec the boot_aggregate does not change.
The boot command line is calculated and added to the current running
kernel's measurement list. On a soft reboot like kexec, the PCRs are
not reset to zero. Refer to commit 94c3aac567a9 ("ima: on soft
reboot, restore the measurement list") patch description.
> Currently the cmdline args are not measured, this changeset adds a new
> ima and LSM hook for buffer measure and calls into the same to measure
> the cmdline args passed to the next kernel. The cmdline args measured
> can then be used as an attestation criteria.
Please update this paragraph to reflect the current patch set.
>
> The ima logs need to injected into the next kernel, which will be followed
> up by other patchsets.
The log isn't "injected" into the next kernel, but needs to be carried
over, as described in the above referenced commit.
Mimi
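The point Mimi makes above (PCRs are not reset on a soft reboot, so the measurement list must be carried over for an attester to reproduce the PCR value) can be illustrated with a small simulation. This is an added example written for this page; it is not code from the thread, from the patch set, or from the kernel. It deliberately simplifies IMA: the "template hash" is modelled as a SHA-256 of the measured data (real IMA hashes the template data and by default extends the SHA-1 bank of PCR 10), the boot_aggregate, file paths and kexec command line are constructed sample values, and `kexec_cycle`, `replay` and `attestation_consistent` are names chosen here.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified model (added example, not kernel code): each measurement-list
# entry records the PCR index and the template hash that was extended into it.
@dataclass
class Entry:
    pcr: int
    template_hash: bytes
    description: str

def pcr_extend(old: bytes, value: bytes) -> bytes:
    """TPM-style extend: new = H(old || value). SHA-256 stands in for the PCR bank."""
    return hashlib.sha256(old + value).digest()

def measure(ml: List[Entry], tpm: Dict[int, bytes], pcr: int, data: bytes, desc: str) -> None:
    """Append an entry to the measurement list and extend the PCR, as IMA does."""
    template_hash = hashlib.sha256(data).digest()  # stand-in for the template digest
    ml.append(Entry(pcr, template_hash, desc))
    tpm[pcr] = pcr_extend(tpm.get(pcr, bytes(32)), template_hash)

def replay(ml: List[Entry]) -> Dict[int, bytes]:
    """Verifier side: recompute the expected PCR values from the list alone."""
    pcrs: Dict[int, bytes] = {}
    for e in ml:
        pcrs[e.pcr] = pcr_extend(pcrs.get(e.pcr, bytes(32)), e.template_hash)
    return pcrs

def kexec_cycle(carry_over: bool) -> Tuple[bytes, bytes]:
    """Simulate first kernel -> kexec -> second kernel.

    Returns (PCR 10 as held by the TPM, PCR 10 as replayed from the list the
    second kernel exposes). The TPM state persists across the soft reboot; the
    in-memory measurement list persists only if the kernel carries it over.
    """
    tpm: Dict[int, bytes] = {}
    ml: List[Entry] = []
    # constructed sample measurements made by the first kernel
    measure(ml, tpm, 10, b"boot_aggregate:constructed-sample", "boot_aggregate")
    measure(ml, tpm, 10, b"/usr/bin/constructed-binary", "file")
    # the kexec command line for the next kernel, measured as a buffer
    measure(ml, tpm, 10, b"console=ttyS0 root=/dev/vda1", "kexec-cmdline")

    # kexec: PCRs are NOT reset; the list survives only when carried over
    ml_next: List[Entry] = list(ml) if carry_over else []

    # constructed sample measurement made by the second kernel
    measure(ml_next, tpm, 10, b"/usr/bin/another-constructed-binary", "file")
    return tpm[10], replay(ml_next)[10]

def attestation_consistent(carry_over: bool) -> bool:
    """True if an attester replaying the exposed list reproduces the TPM's PCR 10."""
    tpm_pcr10, replayed_pcr10 = kexec_cycle(carry_over)
    return tpm_pcr10 == replayed_pcr10

if __name__ == "__main__":
    print("list carried over   ->", attestation_consistent(True))
    print("list not carried over ->", attestation_consistent(False))
```

With the list carried over, the replayed value matches the TPM; without it, the second kernel's list starts empty while PCR 10 still contains the first kernel's extends, so no quote can be validated against the exposed log. That is why the list must be restored rather than "injected" after a kexec.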