From: Mimi Zohar
To: linux-security-module@vger.kernel.org
Cc: Mimi Zohar, linux-ima-devel@lists.sourceforge.net, Dave Young, kexec@lists.infradead.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Thiago Jung Bauermann
Subject: [PATCH 0/7] ima: carry the measurement list across kexec
Date: Thu, 4 Aug 2016 08:24:28 -0400
Message-Id: <1470313475-20090-1-git-send-email-zohar@linux.vnet.ibm.com>

The TPM PCRs are only reset on a hard reboot. In order to validate a TPM's quote after a soft reboot (e.g. kexec -e), the IMA measurement list of the running kernel must be saved and then restored on the subsequent boot.

The existing securityfs binary_runtime_measurements file conveniently provides a serialized format of the IMA measurement list. This patch set serializes the measurement list in this format and restores it.

This patch set requires Thiago Bauermann's "kexec_file: Add buffer hand-over for the next kernel" patch set* for actually carrying the serialized measurement list across the kexec.

Mimi

* https://lists.infradead.org/pipermail/kexec/2016-June/016157.html

Mimi Zohar (6):
  ima: on soft reboot, restore the measurement list
  ima: permit duplicate measurement list entries
  ima: maintain memory size needed for serializing the measurement list
  ima: serialize the binary_runtime_measurements
  ima: store the builtin/custom template definitions in a list
  ima: support restoring multiple template formats

Thiago Jung Bauermann (1):
  ima: on soft reboot, save the measurement list

 include/linux/ima.h                   |  15 ++
 kernel/kexec_file.c                   |   3 +
 security/integrity/ima/Kconfig        |  12 ++
 security/integrity/ima/Makefile       |   1 +
 security/integrity/ima/ima.h          |  14 ++
 security/integrity/ima/ima_fs.c       |   2 +-
 security/integrity/ima/ima_init.c     |   2 +
 security/integrity/ima/ima_kexec.c    | 189 ++++++++++++++++++++++++
 security/integrity/ima/ima_main.c     |   1 +
 security/integrity/ima/ima_queue.c    |  72 +++++++++-
 security/integrity/ima/ima_template.c | 262 ++++++++++++++++++++++++++++++++--
 11 files changed, 556 insertions(+), 17 deletions(-)
 create mode 100644 security/integrity/ima/ima_kexec.c

-- 
2.1.0
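An added illustration (not code from this patch set or the kernel) of why the list has to survive the kexec: a quote verifier reconstructs PCR 10 by replaying the template digest of every entry in binary_runtime_measurements, so if the entries measured before the kexec are lost, the replayed value no longer matches what the TPM quotes. The record layout below follows the non-legacy ('ima-ng') format of that file; the records, file hashes and the little-endian host are constructed assumptions.

```python
import hashlib
import struct
PCR_SIZE = 20   # SHA-1 sized PCR; also the size of the template digest in each record
IMA_PCR = 10    # the PCR IMA extends

def extend(pcr: bytes, template_digest: bytes) -> bytes:
    """TPM extend semantics: new = SHA1(old || template_digest)."""
    return hashlib.sha1(pcr + template_digest).digest()

def build_record(filename: str, file_hash: bytes, pcr: int = IMA_PCR) -> bytes:
    """Constructed 'ima-ng' record in the binary_runtime_measurements layout (host endian,
    little-endian assumed): u32 pcr | 20-byte template digest | u32 len | name | u32 len | data."""
    d_ng = b"sha256:\0" + file_hash          # "d-ng" field: algo name, NUL, file hash
    n_ng = filename.encode() + b"\0"         # "n-ng" field: NUL-terminated pathname
    data = struct.pack("<I", len(d_ng)) + d_ng + struct.pack("<I", len(n_ng)) + n_ng
    name = b"ima-ng"
    return (struct.pack("<I", pcr) + hashlib.sha1(data).digest()   # template digest
            + struct.pack("<I", len(name)) + name + struct.pack("<I", len(data)) + data)
def parse_measurement_list(blob: bytes) -> list:
    """Parse records back out, rejecting truncation and digest/data mismatches."""
    records, off = [], 0
    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        off += n
        return blob[off - n:off]
    while off < len(blob):
        pcr = struct.unpack("<I", take(4))[0]
        tdigest = take(PCR_SIZE)
        name = take(struct.unpack("<I", take(4))[0]).decode()
        if name == "ima":
            raise ValueError("legacy 'ima' template layout is not handled here")
        data = take(struct.unpack("<I", take(4))[0])
        if hashlib.sha1(data).digest() != tdigest:
            raise ValueError("template digest mismatch in record %d" % len(records))
        records.append({"pcr": pcr, "template_digest": tdigest, "name": name, "data": data})
    return records

def replay_pcr(records: list, pcr: int = IMA_PCR) -> bytes:
    """What a quote verifier does: fold every entry for `pcr` into a zeroed PCR."""
    value = bytes(PCR_SIZE)
    for r in records:
        if r["pcr"] == pcr:
            value = extend(value, r["template_digest"])
    return value
# Constructed lists: entries measured before the kexec and entries measured after it.
PRE_KEXEC = build_record("boot_aggregate", bytes(32)) + build_record("/init", bytes([1]) * 32)
POST_KEXEC = build_record("/usr/bin/foo", bytes([2]) * 32)
```

Replaying only POST_KEXEC yields a PCR 10 value the TPM never held, because the hardware PCR kept extending across the soft reboot; only PRE_KEXEC + POST_KEXEC reproduces it.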