Re: [PATCH v13 9/9] ima: measure kexec load and exec events as critical data

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stefan Berger <stefanb@linux.ibm.com>
To: steven chen <chenste@linux.microsoft.com>,
	zohar@linux.ibm.com, roberto.sassu@huaweicloud.com,
	roberto.sassu@huawei.com, eric.snowberg@oracle.com,
	ebiederm@xmission.com, paul@paul-moore.com, code@tyhicks.com,
	bauermann@kolabnow.com, linux-integrity@vger.kernel.org,
	kexec@lists.infradead.org, linux-security-module@vger.kernel.org,
	linux-kernel@vger.kernel.org
Cc: madvenka@linux.microsoft.com, nramas@linux.microsoft.com,
	James.Bottomley@HansenPartnership.com, bhe@redhat.com,
	vgoyal@redhat.com, dyoung@redhat.com
Subject: Re: [PATCH v13 9/9] ima: measure kexec load and exec events as critical data
Date: Tue, 29 Apr 2025 14:18:39 -0400	[thread overview]
Message-ID: <678c762f-e1f9-4a35-a9c3-c88b662001a4@linux.ibm.com> (raw)
In-Reply-To: <20250421222516.9830-10-chenste@linux.microsoft.com>



On 4/21/25 6:25 PM, steven chen wrote:
> From: Steven Chen <chenste@linux.microsoft.com>
> 
> The amount of memory allocated at kexec load, even with the extra memory
> allocated, might not be large enough for the entire measurement list.  The
> indeterminate interval between kexec 'load' and 'execute' could exacerbate
> this problem.
> 
> Define two new IMA events, 'kexec_load' and 'kexec_execute', to be
> measured as critical data at kexec 'load' and 'execute' respectively.
> Report the allocated kexec segment size, IMA binary log size and the
> runtime measurements count as part of those events.
> 
> These events, and the values reported through them, serve as markers in
> the IMA log to verify the IMA events are captured during kexec soft
> reboot.  The presence of a 'kexec_load' event in between the last two
> 'boot_aggregate' events in the IMA log implies this is a kexec soft
> reboot, and not a cold-boot. And the absence of 'kexec_execute' event
> after kexec soft reboot implies missing events in that window which
> results in inconsistency with TPM PCR quotes, necessitating a cold boot
> for a successful remote attestation.
> 
> These critical data events are displayed as hex encoded ascii in the
> ascii_runtime_measurement_list.  Verifying the critical data hash requires
> calculating the hash of the decoded ascii string.
> 
> For example, to verify the 'kexec_load' data hash:
> 
> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> | grep  kexec_load | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 
> 
> To verify the 'kexec_execute' data hash:
> 
> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements
> | grep kexec_execute | cut -d' ' -f 6 | xxd -r -p | sha256sum
> 
> Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> Acked-by: Baoquan He <bhe@redhat.com>
 > --->   security/integrity/ima/ima.h       |  6 ++++++
>   security/integrity/ima/ima_kexec.c | 21 +++++++++++++++++++++
>   security/integrity/ima/ima_queue.c |  5 +++++
>   3 files changed, 32 insertions(+)
> 
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index 24d09ea91b87..34815baf5e21 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -240,6 +240,12 @@ void ima_post_key_create_or_update(struct key *keyring, struct key *key,
>   				   unsigned long flags, bool create);
>   #endif
>   
> +#ifdef CONFIG_IMA_KEXEC
> +void ima_measure_kexec_event(const char *event_name);
> +#else
> +static inline void ima_measure_kexec_event(const char *event_name) {}
> +#endif
> +
>   /*
>    * The default binary_runtime_measurements list format is defined as the
>    * platform native format.  The canonical format is defined as little-endian.
> diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
> index d1c9d369ba08..38cb2500f4c3 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -17,6 +17,8 @@
>   #include "ima.h"
>   
>   #ifdef CONFIG_IMA_KEXEC
> +#define IMA_KEXEC_EVENT_LEN 256
> +
>   static bool ima_kexec_update_registered;
>   static struct seq_file ima_kexec_file;
>   static size_t kexec_segment_size;
> @@ -31,6 +33,24 @@ static void ima_free_kexec_file_buf(struct seq_file *sf)
>   	sf->count = 0;
>   }
>   
> +void ima_measure_kexec_event(const char *event_name)
> +{
> +	char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
> +	size_t buf_size = 0;
> +	long len;
> +	int n;
> +
> +	buf_size = ima_get_binary_runtime_size();
> +	len = atomic_long_read(&ima_htable.len);
> +
> +	n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
> +		      "kexec_segment_size=%lu;ima_binary_runtime_size=%lu;"
> +		      "ima_runtime_measurements_count=%ld;",
> +		      kexec_segment_size, buf_size, len);
> +
> +	ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0);
> +}
> +
>   static int ima_alloc_kexec_file_buf(size_t segment_size)
>   {
>   	/*
> @@ -53,6 +73,7 @@ static int ima_alloc_kexec_file_buf(size_t segment_size)
>   out:
>   	ima_kexec_file.read_pos = 0;
>   	ima_kexec_file.count = sizeof(struct ima_kexec_hdr);	/* reserved space */
> +	ima_measure_kexec_event("kexec_load");
>   
>   	return 0;
>   }
> diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/ima_queue.c
> index 83d53824aa98..590637e81ad1 100644
> --- a/security/integrity/ima/ima_queue.c
> +++ b/security/integrity/ima/ima_queue.c
> @@ -241,6 +241,11 @@ static int ima_reboot_notifier(struct notifier_block *nb,
>   			       unsigned long action,
>   			       void *data)
>   {
> +#ifdef CONFIG_IMA_KEXEC
> +	if (action == SYS_RESTART && data && !strcmp(data, "kexec reboot"))
> +		ima_measure_kexec_event("kexec_execute");
> +#endif
> +
>   	ima_measurements_suspend();
>   
>   	return NOTIFY_DONE;

Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>

next prev parent reply	other threads:[~2025-04-29 18:19 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-21 22:25 [PATCH v13 0/9] ima: kexec: measure events between kexec load and execute steven chen
2025-04-21 22:25 ` [PATCH v13 1/9] ima: rename variable the seq_file "file" to "ima_kexec_file" steven chen
2025-04-21 22:25 ` [PATCH v13 2/9] ima: define and call ima_alloc_kexec_file_buf() steven chen
2025-04-29 18:30   ` Stefan Berger
2025-04-21 22:25 ` [PATCH v13 3/9] kexec: define functions to map and unmap segments steven chen
2025-04-23  0:29   ` Mimi Zohar
2025-04-23 15:29     ` steven chen
2025-04-23 18:21       ` Mimi Zohar
2025-04-21 22:25 ` [PATCH v13 4/9] ima: kexec: skip IMA segment validation after kexec soft reboot steven chen
2025-04-21 22:25 ` [PATCH v13 5/9] ima: kexec: define functions to copy IMA log at soft boot steven chen
2025-04-29 16:50   ` Stefan Berger
2025-04-21 22:25 ` [PATCH v13 6/9] ima: kexec: move IMA log copy from kexec load to execute steven chen
2025-04-21 22:25 ` [PATCH v13 7/9] ima: verify if the segment size has changed steven chen
2025-04-29 18:19   ` Stefan Berger
2025-04-21 22:25 ` [PATCH v13 8/9] ima: make the kexec extra memory configurable steven chen
2025-04-29 19:06   ` Stefan Berger
2025-04-29 22:00     ` steven chen
2025-04-21 22:25 ` [PATCH v13 9/9] ima: measure kexec load and exec events as critical data steven chen
2025-04-29 18:18   ` Stefan Berger [this message]
2025-04-24 14:37 ` [PATCH v13 0/9] ima: kexec: measure events between kexec load and execute Baoquan He
2025-04-24 19:26   ` steven chen
2025-05-02 16:25   ` steven chen
2025-05-06  5:49     ` Baoquan He

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=678c762f-e1f9-4a35-a9c3-c88b662001a4@linux.ibm.com \
    --to=stefanb@linux.ibm.com \
    --cc=James.Bottomley@HansenPartnership.com \
    --cc=bauermann@kolabnow.com \
    --cc=bhe@redhat.com \
    --cc=chenste@linux.microsoft.com \
    --cc=code@tyhicks.com \
    --cc=dyoung@redhat.com \
    --cc=ebiederm@xmission.com \
    --cc=eric.snowberg@oracle.com \
    --cc=kexec@lists.infradead.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=madvenka@linux.microsoft.com \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=roberto.sassu@huaweicloud.com \
    --cc=vgoyal@redhat.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).