public inbox for kexec@lists.infradead.org
 help / color / mirror / Atom feed
From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, noodles@fb.com, bauermann@kolabnow.com,
	ebiederm@xmission.com, bhe@redhat.com, vgoyal@redhat.com,
	dyoung@redhat.com, peterhuewe@gmx.de, jarkko@kernel.org,
	jgg@ziepe.ca, kexec@lists.infradead.org,
	linux-integrity@vger.kernel.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: [PATCH 6/6] kexec: measure TPM update counter in ima log at kexec load
Date: Tue,  1 Aug 2023 11:19:17 -0700	[thread overview]
Message-ID: <20230801181917.8535-7-tusharsu@linux.microsoft.com> (raw)
In-Reply-To: <20230801181917.8535-1-tusharsu@linux.microsoft.com>

IMA measurements snapshot occurs at kexec 'load', but any additional
measurements between 'load' and kexec 'execute' aren't carried over
post kexec soft-reboot.[1] This may lead to TPM PCRs extending with
events that are not reflected in the new Kernel's IMA log.  By measuring
the TPM update counter at kexec 'load' and at ima_init after the kexec
soft-reboot, the remote attestation service can identify potentially
lost events by comparing the log event count with the counter difference.

Measure the TPM update counter at kexec image load.

[1] https://lore.kernel.org/all/20230703215709.1195644-1-tusharsu@linux.microsoft.com/
    ima: measure events between kexec load and execute

Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
 kernel/kexec_file.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index f1a0e4e3fb5c..4b6391b02c5a 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -246,6 +246,9 @@ kimage_file_prepare_segments(struct kimage *image, int kernel_fd, int initrd_fd,
 				  image->cmdline_buf_len - 1);
 	}
 
+	/* Measures TPM update counter at kexec load. */
+	ima_measure_update_counter("kexec_load_tpm_update_counter");
+
 	/* IMA needs to pass the measurement list to the next kernel. */
 	ima_add_kexec_buffer(image);
 
-- 
2.25.1


_______________________________________________
kexec mailing list
kexec@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/kexec

  parent reply	other threads:[~2023-08-01 18:19 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-01 18:19 [PATCH 0/6] Measuring TPM update counter in IMA Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 1/6] tpm: implement TPM2 function to get update counter Tushar Sugandhi
2023-08-01 19:02   ` Jarkko Sakkinen
2023-08-01 21:01     ` Tushar Sugandhi
2023-08-02  3:58       ` Jarkko Sakkinen
2023-08-02 21:04         ` Tushar Sugandhi
2023-08-03  8:43           ` Jarkko Sakkinen
2023-08-03 19:30             ` Tushar Sugandhi
2023-08-03  1:22         ` Mimi Zohar
2023-08-03  8:57           ` Jarkko Sakkinen
2023-08-03 19:33             ` Tushar Sugandhi
2023-08-03 19:31           ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 2/6] tpm: provide functionality " Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 3/6] ima: get TPM " Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 4/6] ima: implement functionality to measure " Tushar Sugandhi
2023-08-03 21:42   ` Mimi Zohar
2023-08-03 23:01     ` Tushar Sugandhi
2023-08-04  1:22       ` Mimi Zohar
2023-08-04 17:13         ` Tushar Sugandhi
2023-08-01 18:19 ` [PATCH 5/6] ima: measure TPM update counter at ima_init Tushar Sugandhi
2023-08-03 22:15   ` Mimi Zohar
2023-08-03 23:34     ` Tushar Sugandhi
2023-08-04  1:18       ` Mimi Zohar
2023-08-04 17:11         ` Tushar Sugandhi
2023-08-01 18:19 ` Tushar Sugandhi [this message]
2023-08-03 13:37 ` [PATCH 0/6] Measuring TPM update counter in IMA Stefan Berger
2023-08-03 21:45   ` Tushar Sugandhi
     [not found]   ` <cb2029b8-d585-1c06-a0ac-15624cf70e28@linux.microsoft.com>
2023-08-03 22:09     ` Stefan Berger
2023-08-03 22:36       ` Mimi Zohar
2023-08-03 22:55         ` Stefan Berger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230801181917.8535-7-tusharsu@linux.microsoft.com \
    --to=tusharsu@linux.microsoft.com \
    --cc=bauermann@kolabnow.com \
    --cc=bhe@redhat.com \
    --cc=code@tyhicks.com \
    --cc=dyoung@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=jarkko@kernel.org \
    --cc=jgg@ziepe.ca \
    --cc=kexec@lists.infradead.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=noodles@fb.com \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=peterhuewe@gmx.de \
    --cc=vgoyal@redhat.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox