From: Sasha Levin <sashal@kernel.org>
To: Prakhar Srivastava <prsriva@linux.microsoft.com>
Cc: mark.rutland@arm.com, jean-philippe@linaro.org, arnd@arndb.de,
	takahiro.akashi@linaro.org, sboyd@kernel.org,
	catalin.marinas@arm.com, kexec@lists.infradead.org,
	linux-kernel@vger.kernel.org, zohar@linux.ibm.com,
	bauerman@linux.ibm.com, yamada.masahiro@socionext.com,
	kristina.martsenko@arm.org, duwe@lst.de, allison@lohutok.net,
	james.morse@arm.org, linux-integrity@vger.kernel.org,
	tglx@linutronix.de, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 1/2] Add support for arm64 to carry ima measurement log in kexec_file_load
Date: Tue, 8 Oct 2019 17:22:24 -0400
Message-ID: <20191008212224.GC1396@sasha-vm>
In-Reply-To: <20191007185943.1828-2-prsriva@linux.microsoft.com>

On Mon, Oct 07, 2019 at 11:59:42AM -0700, Prakhar Srivastava wrote:
>During kexec_file_load, carrying forward the ima measurement log allows
>a verifying party to get the entire runtime event log since the last
>full reboot since that is when PCRs were last reset.
>
>Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
>---
> arch/Kconfig                           |   6 +-
> arch/arm64/include/asm/ima.h           |  24 +++
> arch/arm64/include/asm/kexec.h         |   5 +
> arch/arm64/kernel/Makefile             |   3 +-
> arch/arm64/kernel/ima_kexec.c          |  78 ++++++++++
> arch/arm64/kernel/machine_kexec_file.c |   6 +
> drivers/of/Kconfig                     |   6 +
> drivers/of/Makefile                    |   1 +
> drivers/of/of_ima.c                    | 204 +++++++++++++++++++++++++
> include/linux/of.h                     |  31 ++++
> 10 files changed, 362 insertions(+), 2 deletions(-)
> create mode 100644 arch/arm64/include/asm/ima.h
> create mode 100644 arch/arm64/kernel/ima_kexec.c
> create mode 100644 drivers/of/of_ima.c
>
>diff --git a/arch/Kconfig b/arch/Kconfig
>index a7b57dd42c26..d53e1596c5b1 100644
>--- a/arch/Kconfig
>+++ b/arch/Kconfig
>@@ -19,7 +19,11 @@ config KEXEC_CORE
> 	bool
>
> config HAVE_IMA_KEXEC
>-	bool
>+	bool "Carry over IMA measurement log during kexec_file_load() syscall"
>+	depends on KEXEC_FILE
>+	help
>+	  Select this option to carry over IMA measurement log during
>+	  kexec_file_load.
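
Review bot: In the arch/Kconfig hunk, the prompt string, `depends on KEXEC_FILE` and help text are added to HAVE_IMA_KEXEC itself, which turns a HAVE_* capability symbol into a user-visible option in a file shared by every architecture, gated only on KEXEC_FILE rather than on the architecture actually implementing the carry-over. Keep HAVE_IMA_KEXEC as a bare `bool` that an implementing architecture selects, and put the prompt, dependency and help on the user-facing option that depends on it. The help text also only restates the prompt; it should say what carrying the measurement log is for and when to answer N.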

This change looks very wrong: HAVE_* config symbols are used to indicate
the availability of certain arch specific capability, rather than act as
a config option. How does this work with CONFIG_IMA_KEXEC ?

Also, please, at the very least verify that basic functionality works on
the architectures we have access to. Trying it on x86:

$ make allmodconfig
scripts/kconfig/conf  --allmodconfig Kconfig
#
# No change to .config
#
$ make
  CALL    scripts/checksyscalls.sh
  CALL    scripts/atomic/check-atomics.sh
  DESCEND  objtool
  CC      security/integrity/ima/ima_fs.o
In file included from security/integrity/ima/ima_fs.c:26:
security/integrity/ima/ima.h:28:10: fatal error: asm/ima.h: No such file or directory
 #include <asm/ima.h>
          ^~~~~~~~~~~
compilation terminated.
make[3]: *** [scripts/Makefile.build:266: security/integrity/ima/ima_fs.o] Error 1
make[2]: *** [scripts/Makefile.build:509: security/integrity/ima] Error 2
make[1]: *** [scripts/Makefile.build:509: security/integrity] Error 2
make: *** [Makefile:1649: security] Error 2

--
Thanks,
Sasha
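
The reasoning in the quoted commit message (PCRs are reset only on a full reboot, so a verifier needs the log from both kernels) can be shown with a small replay model. This is an added illustration, not code from the patch or the kernel; `template_digest` is a simplified stand-in for the real IMA template hash, and the sample entries are constructed.

```python
import hashlib
import hmac

PCR_LEN = 20  # SHA-1 PCR bank; the PCR is all zeros after a full reboot


def template_digest(path: str, content: bytes) -> bytes:
    # Simplified stand-in (assumption) for the IMA template hash of one entry.
    file_hash = hashlib.sha1(content).digest()
    return hashlib.sha1(file_hash + path.encode() + b"\0").digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend operation: new = H(old || digest). It cannot be undone.
    return hashlib.sha1(pcr + digest).digest()


def replay(log) -> bytes:
    # What a verifier does: start from the reset value and extend each entry.
    pcr = bytes(PCR_LEN)
    for path, content in log:
        pcr = extend(pcr, template_digest(path, content))
    return pcr


def verify(log, quoted_pcr: bytes) -> bool:
    # The log is trusted only if replaying it reproduces the quoted PCR.
    return hmac.compare_digest(replay(log), quoted_pcr)


# Constructed sample measurements (not real IMA log data).
BEFORE_KEXEC = [("boot_aggregate", b"firmware+bootloader"),
                ("/sbin/init", b"init-binary"),
                ("/usr/sbin/kexec", b"kexec-binary")]
AFTER_KEXEC = [("/sbin/init", b"init-binary"),
               ("/usr/bin/app", b"app-binary")]

# kexec does not reset the TPM, so the hardware PCR covers both kernels.
TPM_PCR = replay(BEFORE_KEXEC + AFTER_KEXEC)

if __name__ == "__main__":
    print("log carried over: ", verify(BEFORE_KEXEC + AFTER_KEXEC, TPM_PCR))
    print("log lost at kexec:", verify(AFTER_KEXEC, TPM_PCR))
```

With only the post-kexec entries the replayed value cannot match the PCR, so the verifier has to reject the log even though every entry in it is genuine.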
