[PATCH v2] ima: silence measurement list hexdump during kexec

[PATCH v2] ima: silence measurement list hexdump during kexec

[Bruno Meneguele]

The measurement list is dumped during a soft reset (kexec) through the call
to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both
DEBUG build flag and CONFIG_DYNAMIC_DEBUG option.

To honor the above conditions the macro print_hex_dump_debug() should be
used instead, thus depending on the enabled option/flag the output is given
by a different function call or even silenced.

Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
---
 security/integrity/ima/ima_kexec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index f799cc278a9a..13753136f03f 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -61,9 +61,9 @@ static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
 	}
 	memcpy(file.buf, &khdr, sizeof(khdr));
 
-	print_hex_dump(KERN_DEBUG, "ima dump: ", DUMP_PREFIX_NONE,
-			16, 1, file.buf,
-			file.count < 100 ? file.count : 100, true);
+	print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1,
+			     file.buf, file.count < 100 ? file.count : 100,
+			     true);
 
 	*buffer_size = file.count;
 	*buffer = file.buf;
-- 
2.33.1

Re: [PATCH v2] ima: silence measurement list hexdump during kexec

[Mimi Zohar]

Hi Bruno,

On Fri, 2021-12-24 at 10:14 -0300, Bruno Meneguele wrote:
> The measurement list is dumped during a soft reset (kexec) through the call
> to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both
> DEBUG build flag and CONFIG_DYNAMIC_DEBUG option.

Before upstreaming this patch, the reason for the config options "being
ignored", if that is really what is happening, needs to be understood
and documented here in the patch description.

thanks,

Mimi

> 
> To honor the above conditions the macro print_hex_dump_debug() should be
> used instead, thus depending on the enabled option/flag the output is given
> by a different function call or even silenced.
> 
> Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>

Re: [PATCH v2] ima: silence measurement list hexdump during kexec

[Bruno Meneguele]

[-- Attachment #1: Type: text/plain, Size: 1246 bytes --]

Hi Mimi,

On Fri, Dec 24, 2021 at 08:28:01AM -0500, Mimi Zohar wrote:
> Hi Bruno,
> 
> On Fri, 2021-12-24 at 10:14 -0300, Bruno Meneguele wrote:
> > The measurement list is dumped during a soft reset (kexec) through the call
> > to print_hex_dump(KERN_DEBUG, ...), printing to the system log ignoring both
> > DEBUG build flag and CONFIG_DYNAMIC_DEBUG option.
> 
> Before upstreaming this patch, the reason for the config options "being
> ignored", if that is really what is happening, needs to be understood
> and documented here in the patch description.

I don't see why the code would intentionally ignore the option,
considering that CONFIG_DYNAMIC_DEBUG basically give the user the
ability to enable/disable pr_debug/printk(KERN_DEBUG) calls during
runtime. Maybe I shouldn't use the word "ignoring" in the description,
would it make things clearer?

> 
> thanks,
> 
> Mimi
> 
> > 
> > To honor the above conditions the macro print_hex_dump_debug() should be
> > used instead, thus depending on the enabled option/flag the output is given
> > by a different function call or even silenced.
> > 
> > Signed-off-by: Bruno Meneguele <bmeneg@redhat.com>
> 

-- 
bmeneg 
PGP Key: http://bmeneg.com/pubkey.txt

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]