Re: [PATCH v14 0/6] Carry forward IMA measurement log on kexec on ARM64

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Rob Herring <robh@kernel.org>
Cc: zohar@linux.ibm.com, bauerman@linux.ibm.com,
	takahiro.akashi@linaro.org, gregkh@linuxfoundation.org,
	will@kernel.org, catalin.marinas@arm.com, mpe@ellerman.id.au,
	james.morse@arm.com, sashal@kernel.org, benh@kernel.crashing.org,
	paulus@samba.org, frowand.list@gmail.com,
	vincenzo.frascino@arm.com, mark.rutland@arm.com,
	dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
	pasha.tatashin@soleen.com, allison@lohutok.net,
	masahiroy@kernel.org, bhsharma@redhat.com, mbrugger@suse.com,
	hsinyi@chromium.org, tao.li@vivo.com, christophe.leroy@c-s.fr,
	prsriva@linux.microsoft.com, balajib@linux.microsoft.com,
	linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v14 0/6] Carry forward IMA measurement log on kexec on ARM64
Date: Tue, 12 Jan 2021 10:23:01 -0800	[thread overview]
Message-ID: <c661ce17-a5a6-0aa0-ed9d-eab99020d98a@linux.microsoft.com> (raw)
In-Reply-To: <20210112144248.GA256955@robh.at.kernel.org>

On 1/12/21 6:42 AM, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> may verify the IMA signature of the kernel and initramfs, and measure
>> it. The command line parameters passed to the kernel in the kexec call
>> may also be measured by IMA. A remote attestation service can verify
>> a TPM quote based on the TPM event log, the IMA measurement list, and
>> the TPM PCR data. This can be achieved only if the IMA measurement log
>> is carried over from the current kernel to the next kernel across
>> the kexec call.
>>
>> powerpc already supports carrying forward the IMA measurement log on
>> kexec. This patch set adds support for carrying forward the IMA
>> measurement log on kexec on ARM64.
>>
>> This patch set moves the platform independent code defined for powerpc
>> such that it can be reused for other platforms as well. A chosen node
>> "linux,ima-kexec-buffer" is added to the DTB for ARM64 to hold
>> the address and the size of the memory reserved to carry
>> the IMA measurement log.
>>
>> This patch set has been tested for ARM64 platform using QEMU.
>> I would like help from the community for testing this change on powerpc.
>> Thanks.
>>
>> This patch set is based on
>> commit a29a64445089 ("powerpc: Use common of_kexec_setup_new_fdt()")
>> in https://git.kernel.org/pub/scm/linux/kernel/git/robh/linux.git
>> "dt/kexec" branch.
> 
> This all looks good to me. I'd suggest you send the above patches out as
> part of this series because I don't plan to do so.

Thanks for reviewing the patches Rob.

Sure - I'll add your patches to this series.

> I would like to also resolve the vmalloc vs. kmalloc difference for
> allocating the FDT. Then we can further consolidate the DT kexec code.

I think FDT allocation using vmalloc for ARM64 can be changed to 
kmalloc. What are the other changes you'd like me to do in arm64/powerpc 
DT kexec code in this patch series?

@AKASHI Takahiro - could you please let me know if the above sounds right?

> 
> It all needs some acks from arm64 and powerpc maintainers. As far as
> merging, I think via the integrity tree makes the most sense.

I'll create the patch series in "next-integrity" branch.

Thiago/Mimi have acked some of the patches. Please review the remaining 
patches in this version.

Could arm64 maintainers please review the patches and respond?

thanks,
  -lakshmi