From: Tushar Sugandhi <tusharsu@linux.microsoft.com>
To: zohar@linux.ibm.com, roberto.sassu@huaweicloud.com,
roberto.sassu@huawei.com, eric.snowberg@oracle.com,
stefanb@linux.ibm.com, ebiederm@xmission.com, noodles@fb.com,
bauermann@kolabnow.com, linux-integrity@vger.kernel.org,
kexec@lists.infradead.org
Cc: code@tyhicks.com, nramas@linux.microsoft.com, paul@paul-moore.com
Subject: [PATCH v4 7/7] ima: measure kexec load and exec events as critical data
Date: Mon, 22 Jan 2024 10:38:04 -0800 [thread overview]
Message-ID: <20240122183804.3293904-8-tusharsu@linux.microsoft.com> (raw)
In-Reply-To: <20240122183804.3293904-1-tusharsu@linux.microsoft.com>
There could be a potential mismatch between IMA measurements and TPM PCR
quotes caused by the indeterminate interval between kexec 'load' and
'execute'. The extra memory allocated at kexec 'load' for IMA log buffer
may run out. It can lead to missing events in the IMA log after a soft
reboot to the new Kernel, resulting in TPM PCR quotes mismatch and remote
attestation failures.
Define two new IMA events, 'kexec_load' and 'kexec_execute', to be
measured as critical data at kexec 'load' and 'execute' respectively.
Report the allocated kexec segment size, IMA binary log size and the
runtime measurements count as part of those events.
These events, and the values reported through them, serve as markers in
the IMA log to verify the IMA events are captured during kexec soft
reboot. The presence of a 'kexec_load' event in between the last two
'boot_aggregate' events in the IMA log implies this is a kexec soft
reboot, and not a cold-boot. And the absence of 'kexec_execute' event
after kexec soft reboot implies missing events in that window which
results in inconsistency with TPM PCR quotes, necessitating a cold boot
for a successful remote attestation.
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
---
security/integrity/ima/ima_kexec.c | 34 +++++++++++++++++++++++++++++-
1 file changed, 33 insertions(+), 1 deletion(-)
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index c126aa6494e9..1f8b697f4ed0 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -17,6 +17,8 @@
#include "ima.h"
#ifdef CONFIG_IMA_KEXEC
+#define IMA_KEXEC_EVENT_LEN 128
+
static struct seq_file ima_kexec_file;
static void *ima_kexec_buffer;
static size_t kexec_segment_size;
@@ -33,6 +35,10 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
static int ima_alloc_kexec_file_buf(size_t segment_size)
{
+ char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
+ size_t buf_size;
+ long len;
+
/*
* kexec 'load' may be called multiple times.
* Free and realloc the buffer only if the segment_size is
@@ -42,7 +48,7 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
ima_kexec_file.size == segment_size &&
ima_kexec_file.read_pos == 0 &&
ima_kexec_file.count == sizeof(struct ima_kexec_hdr))
- return 0;
+ goto out;
ima_free_kexec_file_buf(&ima_kexec_file);
@@ -55,6 +61,18 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
ima_kexec_file.read_pos = 0;
ima_kexec_file.count = sizeof(struct ima_kexec_hdr); /* reserved space */
+out:
+ buf_size = ima_get_binary_runtime_size();
+ len = atomic_long_read(&ima_htable.len);
+
+ scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
+ "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
+ "ima_runtime_measurements_count=%ld;",
+ segment_size, buf_size, len);
+
+ ima_measure_critical_data("ima_kexec", "kexec_load", ima_kexec_event,
+ strlen(ima_kexec_event), false, NULL, 0);
+
return 0;
}
@@ -181,10 +199,12 @@ void ima_add_kexec_buffer(struct kimage *image)
static int ima_update_kexec_buffer(struct notifier_block *self,
unsigned long action, void *data)
{
+ char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
void *buf = NULL;
size_t buf_size;
int ret = NOTIFY_OK;
bool resume = false;
+ long len;
if (!kexec_in_progress) {
pr_info("%s: No kexec in progress.\n", __func__);
@@ -196,6 +216,18 @@ static int ima_update_kexec_buffer(struct notifier_block *self,
return ret;
}
+ buf_size = ima_get_binary_runtime_size();
+ len = atomic_long_read(&ima_htable.len);
+
+ scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
+ "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
+ "ima_runtime_measurements_count=%ld;",
+ kexec_segment_size, buf_size, len);
+
+ ima_measure_critical_data("ima_kexec", "kexec_execute",
+ ima_kexec_event, strlen(ima_kexec_event),
+ false, NULL, 0);
+
ima_measurements_suspend();
ret = ima_dump_measurement_list(&buf_size, &buf,
--
2.25.1
next prev parent reply other threads:[~2024-01-22 18:38 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-22 18:37 [PATCH v4 0/7] ima: kexec: measure events between kexec load and execute Tushar Sugandhi
2024-01-22 18:37 ` [PATCH v4 1/7] ima: define and call ima_alloc_kexec_file_buf Tushar Sugandhi
2024-01-24 2:54 ` Stefan Berger
2024-01-24 3:38 ` Stefan Berger
2024-01-26 22:14 ` Tushar Sugandhi
2024-01-24 13:33 ` Mimi Zohar
2024-01-25 19:03 ` Tushar Sugandhi
2024-01-22 18:37 ` [PATCH v4 2/7] kexec: define functions to map and unmap segments Tushar Sugandhi
2024-01-23 17:03 ` Stefan Berger
2024-01-23 20:39 ` Tushar Sugandhi
2024-01-22 18:38 ` [PATCH v4 3/7] ima: kexec: skip IMA segment validation after kexec soft reboot Tushar Sugandhi
2024-01-22 18:38 ` [PATCH v4 4/7] ima: kexec: move ima log copy from kexec load to execute Tushar Sugandhi
2024-01-24 16:11 ` Mimi Zohar
2024-01-25 19:06 ` Tushar Sugandhi
2024-01-22 18:38 ` [PATCH v4 5/7] ima: suspend measurements during buffer copy at kexec execute Tushar Sugandhi
2024-01-23 18:18 ` Stefan Berger
2024-01-23 20:55 ` Tushar Sugandhi
2024-01-22 18:38 ` [PATCH v4 6/7] ima: make the kexec extra memory configurable Tushar Sugandhi
2024-01-23 19:02 ` Stefan Berger
2024-01-23 21:19 ` Tushar Sugandhi
2024-01-24 1:48 ` Stefan Berger
2024-01-24 14:07 ` Mimi Zohar
2024-01-25 19:14 ` Tushar Sugandhi
2024-01-22 18:38 ` Tushar Sugandhi [this message]
2024-01-24 14:35 ` [PATCH v4 7/7] ima: measure kexec load and exec events as critical data Mimi Zohar
2024-01-25 19:16 ` Tushar Sugandhi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240122183804.3293904-8-tusharsu@linux.microsoft.com \
--to=tusharsu@linux.microsoft.com \
--cc=bauermann@kolabnow.com \
--cc=code@tyhicks.com \
--cc=ebiederm@xmission.com \
--cc=eric.snowberg@oracle.com \
--cc=kexec@lists.infradead.org \
--cc=linux-integrity@vger.kernel.org \
--cc=noodles@fb.com \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox