linux-integrity.vger.kernel.org archive mirror
* [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
@ 2025-05-02 20:03 steven chen
  2025-05-12 14:23 ` steven chen
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: steven chen @ 2025-05-02 20:03 UTC (permalink / raw)
  To: zohar, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel
  Cc: madvenka, nramas, James.Bottomley, bhe

From: Steven Chen <chenste@linux.microsoft.com>

Kdump kernel doesn't need IMA to do integrity measurement.
Hence the measurement list in 1st kernel doesn't need to be copied to
kdump kernel.

Here skip allocating buffer for measurement list copying if loading
kdump kernel. Then there won't be the later handling related to
ima_kexec_buffer.

Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
---
 security/integrity/ima/ima_kexec.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 38cb2500f4c3..7362f68f2d8b 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image)
 	void *kexec_buffer = NULL;
 	int ret;
 
+	if (image->type == KEXEC_TYPE_CRASH)
+		return;
+
 	/*
 	 * Reserve extra memory for measurements added during kexec.
 	 */
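Review bot: the early return for KEXEC_TYPE_CRASH at the top of ima_add_kexec_buffer() carries no comment, so a reader reaching it before the "Reserve extra memory for measurements added during kexec" block sees an unexplained bail-out; a one-liner above the `if`, such as `/* A kdump kernel does not carry over the IMA measurement list. */`, would move the changelog's reasoning into the code. The commit message also asserts that "there won't be the later handling related to ima_kexec_buffer"; naming that later path in the changelog and stating that it copes with the buffer never having been reserved would make the claim checkable from the patch alone. The subject line describes a property of kdump rather than the change; Baoquan's suggestion further down the thread, "ima: do not copy measurement list to kdump kernel", says what the hunk does.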
-- 
2.43.0



* Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
  2025-05-02 20:03 [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement steven chen
@ 2025-05-12 14:23 ` steven chen
  2025-05-13  2:25 ` Baoquan He
  2025-05-13 11:41 ` Mimi Zohar
  2 siblings, 0 replies; 6+ messages in thread
From: steven chen @ 2025-05-12 14:23 UTC (permalink / raw)
  To: zohar, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel
  Cc: madvenka, nramas, James.Bottomley, bhe

On 5/2/2025 1:03 PM, steven chen wrote:
> From: Steven Chen <chenste@linux.microsoft.com>
>
> Kdump kernel doesn't need IMA to do integrity measurement.
> Hence the measurement list in 1st kernel doesn't need to be copied to
> kdump kernel.
>
> Here skip allocating buffer for measurement list copying if loading
> kdump kernel. Then there won't be the later handling related to
> ima_kexec_buffer.
>
> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
> ---
>   security/integrity/ima/ima_kexec.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 38cb2500f4c3..7362f68f2d8b 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image)
>   	void *kexec_buffer = NULL;
>   	int ret;
>   
> +	if (image->type == KEXEC_TYPE_CRASH)
> +		return;
> +
>   	/*
>   	 * Reserve extra memory for measurements added during kexec.
>   	 */

Hi Baoquan,

Could you tell me when you will have time to validate the kdump scenario
using this patch?

This patch is based on the next-integrity branch of 
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/

Thanks,

Steven



* Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
  2025-05-02 20:03 [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement steven chen
  2025-05-12 14:23 ` steven chen
@ 2025-05-13  2:25 ` Baoquan He
  2025-05-13 15:21   ` steven chen
  2025-05-13 11:41 ` Mimi Zohar
  2 siblings, 1 reply; 6+ messages in thread
From: Baoquan He @ 2025-05-13  2:25 UTC (permalink / raw)
  To: steven chen
  Cc: zohar, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel, madvenka, nramas,
	James.Bottomley

On 05/02/25 at 01:03pm, steven chen wrote:
> From: Steven Chen <chenste@linux.microsoft.com>
> 
> Kdump kernel doesn't need IMA to do integrity measurement.
> Hence the measurement list in 1st kernel doesn't need to be copied to
> kdump kernel.
> 
> Here skip allocating buffer for measurement list copying if loading
> kdump kernel. Then there won't be the later handling related to
> ima_kexec_buffer.
> 
> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_kexec.c | 3 +++
>  1 file changed, 3 insertions(+)

I applied this patch on top of the IMA patchset below, and did a test:
[PATCH v13 0/9] ima: kexec: measure events between kexec load and execute

When I loaded the kdump kernel as below with '-d' specified:

/sbin/kexec -s -d -p --command-line=BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.15.0-rc6+ ro console=ttyS0,115200N81 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 acpi_no_memhotplug transparent_hugepage=never nokaslr hest_disable novmcoredd cma=0 hugetlb_cma=0 pcie_ports=compat disable_cpu_apicid=0 --initrd=/boot/initramfs-6.15.0-rc6+kdump.img /boot/vmlinuz-6.15.0-rc6+

I can see that this patch works to skip copying the measurement list to the kdump
kernel as expected.

=====Without this patch===
[48522.060422] kexec_file: kernel: 000000006fbcb87f kernel_size: 0xe99200
[48522.067742] PEFILE: Unsigned PE binary
[48522.094849] ima: kexec measurement buffer for the loaded kernel at 0x6efff000.
[48522.102982] crash_core: Crash PT_LOAD ELF header. phdr=00000000cae5d7e6 vaddr=0xffff8da640100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
......snip...
=====

=====With this patch applied====
[ 2101.704125] kexec_file: kernel: 0000000046d8985c kernel_size: 0xeab200
[ 2101.711436] PEFILE: Unsigned PE binary
[ 2101.734752] crash_core: Crash PT_LOAD ELF header. phdr=000000006fc83a51 vaddr=0xffff899480100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
......snip...
=====

My only concern is that the patch subject is not very specific; it had better
reflect the exact action taken in this patch, like:

ima: do not copy measurement list to kdump kernel

Other than above concern, please feel free to add my:

Tested-by: Baoquan He <bhe@redhat.com>
Acked-by: Baoquan He <bhe@redhat.com>

> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index 38cb2500f4c3..7362f68f2d8b 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image)
>  	void *kexec_buffer = NULL;
>  	int ret;
>  
> +	if (image->type == KEXEC_TYPE_CRASH)
> +		return;
> +
>  	/*
>  	 * Reserve extra memory for measurements added during kexec.
>  	 */
> -- 
> 2.43.0
> 


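Baoquan's verification above comes down to loading the crash kernel through kexec_file and checking whether dmesg reports an IMA kexec measurement buffer for the loaded kernel. The following is an added example, not code from the thread or from the kernel tree, that turns that check into a small POSIX sh script; the function names are my own, and the two log excerpts are constructed from the lines quoted in the reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from the kernel tree: scan a kernel
# log excerpt for the IMA kexec measurement-buffer message after a kexec_file
# load, to tell whether the measurement list was reserved for the loaded kernel.
# The two excerpts below are constructed from the lines Baoquan quoted.

# Constructed dmesg excerpt: kdump load without the patch.
LOG_BEFORE='[48522.060422] kexec_file: kernel: 000000006fbcb87f kernel_size: 0xe99200
[48522.067742] PEFILE: Unsigned PE binary
[48522.094849] ima: kexec measurement buffer for the loaded kernel at 0x6efff000.
[48522.102982] crash_core: Crash PT_LOAD ELF header. phdr=00000000cae5d7e6 vaddr=0xffff8da640100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000'

# Constructed dmesg excerpt: kdump load with the patch applied.
LOG_AFTER='[ 2101.704125] kexec_file: kernel: 0000000046d8985c kernel_size: 0xeab200
[ 2101.711436] PEFILE: Unsigned PE binary
[ 2101.734752] crash_core: Crash PT_LOAD ELF header. phdr=000000006fc83a51 vaddr=0xffff899480100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000'

# is_crash_load LOG: succeeds when the excerpt shows a kexec_file load for which
# crash_core built the crash ELF headers, i.e. a kdump (crash) kernel load.
is_crash_load() {
    printf '%s\n' "$1" | grep -q 'kexec_file: kernel:' &&
        printf '%s\n' "$1" | grep -q 'crash_core: Crash PT_LOAD ELF header'
}

# ima_buffer_reserved LOG: prints "yes" if the kernel logged that it reserved an
# IMA kexec measurement buffer for the loaded kernel, "no" otherwise.
ima_buffer_reserved() {
    if printf '%s\n' "$1" | grep -q 'ima: kexec measurement buffer for the loaded kernel'; then
        echo yes
    else
        echo no
    fi
}

# check_kdump_load LOG: prints a one-line verdict. For a crash kernel load, a
# reserved IMA buffer means the first kernel's measurement list is still being
# carried over, which is exactly what the patch stops.
check_kdump_load() {
    if ! is_crash_load "$1"; then
        echo "not a crash kernel load"
    elif [ "$(ima_buffer_reserved "$1")" = yes ]; then
        echo "crash kernel load: IMA measurement buffer reserved (measurement list copied)"
    else
        echo "crash kernel load: no IMA measurement buffer (measurement list skipped)"
    fi
}

check_kdump_load "$LOG_BEFORE"
check_kdump_load "$LOG_AFTER"
# On a live system, after loading the crash kernel with 'kexec -s -p ...', run:
#   check_kdump_load "$(dmesg)"
```

The script only pattern-matches the three messages visible in the quoted log, so it is a presence check, not proof that no buffer was reserved; on a system with kernel log rate limiting or a rotated ring buffer, feed it the journal for the boot in question instead of a bare dmesg.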

* Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
  2025-05-02 20:03 [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement steven chen
  2025-05-12 14:23 ` steven chen
  2025-05-13  2:25 ` Baoquan He
@ 2025-05-13 11:41 ` Mimi Zohar
  2025-05-13 15:31   ` steven chen
  2 siblings, 1 reply; 6+ messages in thread
From: Mimi Zohar @ 2025-05-13 11:41 UTC (permalink / raw)
  To: steven chen, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel
  Cc: madvenka, nramas, James.Bottomley, bhe

Hi Steven,

On Fri, 2025-05-02 at 13:03 -0700, steven chen wrote:
> From: Steven Chen <chenste@linux.microsoft.com>
> 
> Kdump kernel doesn't need IMA to do integrity measurement.
> Hence the measurement list in 1st kernel doesn't need to be copied to
> kdump kenrel.

^kernel

Please use "scripts/checkpatch.pl --codespell" to check for typos.

Mimi

> 
> Here skip allocating buffer for measurement list copying if loading
> kdump kernel. Then there won't be the later handling related to
> ima_kexec_buffer.
> 
> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>




* Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
  2025-05-13  2:25 ` Baoquan He
@ 2025-05-13 15:21   ` steven chen
  0 siblings, 0 replies; 6+ messages in thread
From: steven chen @ 2025-05-13 15:21 UTC (permalink / raw)
  To: Baoquan He
  Cc: zohar, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel, madvenka, nramas,
	James.Bottomley

On 5/12/2025 7:25 PM, Baoquan He wrote:
> On 05/02/25 at 01:03pm, steven chen wrote:
>> From: Steven Chen <chenste@linux.microsoft.com>
>>
>> Kdump kernel doesn't need IMA to do integrity measurement.
>> Hence the measurement list in 1st kernel doesn't need to be copied to
>> kdump kernel.
>>
>> Here skip allocating buffer for measurement list copying if loading
>> kdump kernel. Then there won't be the later handling related to
>> ima_kexec_buffer.
>>
>> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
>> ---
>>   security/integrity/ima/ima_kexec.c | 3 +++
>>   1 file changed, 3 insertions(+)
> I applied this patch on top of the IMA patchset below, and did a test:
> [PATCH v13 0/9] ima: kexec: measure events between kexec load and execute
>
> When I loaded the kdump kernel as below with '-d' specified:
>
> /sbin/kexec -s -d -p --command-line=BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.15.0-rc6+ ro console=ttyS0,115200N81 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 acpi_no_memhotplug transparent_hugepage=never nokaslr hest_disable novmcoredd cma=0 hugetlb_cma=0 pcie_ports=compat disable_cpu_apicid=0 --initrd=/boot/initramfs-6.15.0-rc6+kdump.img /boot/vmlinuz-6.15.0-rc6+
>
> I can see that this patch works to skip copying the measurement list to the kdump
> kernel as expected.
>
> =====Without this patch===
> [48522.060422] kexec_file: kernel: 000000006fbcb87f kernel_size: 0xe99200
> [48522.067742] PEFILE: Unsigned PE binary
> [48522.094849] ima: kexec measurement buffer for the loaded kernel at 0x6efff000.
> [48522.102982] crash_core: Crash PT_LOAD ELF header. phdr=00000000cae5d7e6 vaddr=0xffff8da640100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
> ......snip...
> =====
>
> =====With this patch applied====
> [ 2101.704125] kexec_file: kernel: 0000000046d8985c kernel_size: 0xeab200
> [ 2101.711436] PEFILE: Unsigned PE binary
> [ 2101.734752] crash_core: Crash PT_LOAD ELF header. phdr=000000006fc83a51 vaddr=0xffff899480100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
> ......snip...
> =====
>
> My only concern is that the patch subject is not very specific; it had better
> reflect the exact action taken in this patch, like:
>
> ima: do not copy measurement list to kdump kernel
>
> Other than above concern, please feel free to add my:
>
> Tested-by: Baoquan He <bhe@redhat.com>
> Acked-by: Baoquan He <bhe@redhat.com>
Thanks!
>> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
>> index 38cb2500f4c3..7362f68f2d8b 100644
>> --- a/security/integrity/ima/ima_kexec.c
>> +++ b/security/integrity/ima/ima_kexec.c
>> @@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image)
>>   	void *kexec_buffer = NULL;
>>   	int ret;
>>   
>> +	if (image->type == KEXEC_TYPE_CRASH)
>> +		return;
>> +
>>   	/*
>>   	 * Reserve extra memory for measurements added during kexec.
>>   	 */
>> -- 
>> 2.43.0
>>



* Re: [PATCH] ima: Kdump kernel doesn't need IMA to do integrity measurement
  2025-05-13 11:41 ` Mimi Zohar
@ 2025-05-13 15:31   ` steven chen
  0 siblings, 0 replies; 6+ messages in thread
From: steven chen @ 2025-05-13 15:31 UTC (permalink / raw)
  To: Mimi Zohar, stefanb, roberto.sassu, roberto.sassu, eric.snowberg,
	ebiederm, paul, code, bauermann, linux-integrity, kexec,
	linux-security-module, linux-kernel
  Cc: madvenka, nramas, James.Bottomley, bhe

On 5/13/2025 4:41 AM, Mimi Zohar wrote:
> Hi Steven,
>
> On Fri, 2025-05-02 at 13:03 -0700, steven chen wrote:
>> From: Steven Chen <chenste@linux.microsoft.com>
>>
>> Kdump kernel doesn't need IMA to do integrity measurement.
>> Hence the measurement list in 1st kernel doesn't need to be copied to
>> kdump kenrel.
> ^kernel
>
> Please use "scripts/checkpatch.pl --codespell" to check for typos.
>
> Mimi
Will update. Thanks!
>> Here skip allocating buffer for measurement list copying if loading
>> kdump kernel. Then there won't be the later handling related to
>> ima_kexec_buffer.
>>
>> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>



