Integrity Measurement Architecture (IMA) during kexec (kexec file load)
verifies the kernel signature and measures the signature of the kernel.
The signature in the measurement logs is used to verify the
authenticity of the kernel in the subsequent kexec'd session; however, in
the current implementation IMA measurement logs are not carried over, thus
remote attestation cannot verify the signature of the running kernel.
Add support to arm64 to carry the IMA measurement logs over kexec.
Add a new chosen node entry linux,ima-kexec-buffer to hold the address and
the size of the memory reserved to carry the IMA measurement log.
Refactor existing powerpc code to be used by arm64 as well.
Changelog:
v3:
Breakup patches further into separate patches.
- Refactoring non architecture specific code out of powerpc
- Update powerpc related code to use fdt functions
- Update IMA buffer read related code to use of functions
- Add support to store the memory information of the IMA measurement logs
to be carried forward.
- Update the property strings to align with documented nodes
https://github.com/devicetree-org/dt-schema/pull/46
v2:
Break patches into separate patches.
- Powerpc related Refactoring
- Updating the docuemntation for chosen node
- Updating arm64 to support IMA buffer pass
v1:
Refactoring carrying over IMA measuremnet logs over Kexec. This patch
moves the non-architecture specific code out of powerpc and adds to
security/ima.(Suggested by Thiago)
Add Documentation regarding the ima-kexec-buffer node in the chosen
node documentation
v0:
Add a layer of abstraction to use the memory reserved by device tree
for ima buffer pass.
Add support for ima buffer pass using reserved memory for arm64 kexec.
Update the arch sepcific code path in kexec file load to store the
ima buffer in the reserved memory. The same reserved memory is read
on kexec or cold boot.
Prakhar Srivastava (6):
Refactoring powerpc code to be made available to other architectures
Update remove_ima_buffer code to use functions from libfdt reducing
wrappers functions.
Update function do_get_kexec_buffer to use of_* functions, and
reducing wrapper functions.
Add support in arm64 to store the memory information of the IMA
measurement log in the kimage used for kexec.
Update the Kconfig to support carrying forward the IMA Measurement log
and and update the setup_dtb call to add the linux,ima-kexec-buffer
property to the DTB.
Add the property used for carrying forward the IMA measurement logs
and update the code to use the defined property string.
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/ima.h | 17 ++++
arch/arm64/include/asm/kexec.h | 3 +
arch/arm64/kernel/machine_kexec_file.c | 45 +++++++--
arch/powerpc/include/asm/ima.h | 3 -
arch/powerpc/kexec/ima.c | 123 ++++++-------------------
security/integrity/ima/ima_kexec.c | 81 ++++++++++++++++
7 files changed, 168 insertions(+), 105 deletions(-)
create mode 100644 arch/arm64/include/asm/ima.h
--
2.25.1
Store the physical address and size of the IMA measurement logs that get picked up
by the setup_dtb during kexec.
Signed-off-by: Prakhar Srivastava <[email protected]>
---
arch/arm64/include/asm/ima.h | 17 +++++++++++++++++
arch/arm64/include/asm/kexec.h | 3 +++
arch/arm64/kernel/machine_kexec_file.c | 17 +++++++++++++++++
3 files changed, 37 insertions(+)
create mode 100644 arch/arm64/include/asm/ima.h
diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h
new file mode 100644
index 000000000000..70ac39b74607
--- /dev/null
+++ b/arch/arm64/include/asm/ima.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_ARCH_IMA_H
+#define _ASM_ARCH_IMA_H
+
+struct kimage;
+
+#ifdef CONFIG_IMA_KEXEC
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+ size_t size);
+#else
+static inline int arch_ima_add_kexec_buffer(struct kimage *image,
+ unsigned long load_addr, size_t size)
+{
+ return 0;
+}
+#endif /* CONFIG_IMA_KEXEC */
+#endif /* _ASM_ARCH_IMA_H */
diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h
index d24b527e8c00..7bd60c185ad3 100644
--- a/arch/arm64/include/asm/kexec.h
+++ b/arch/arm64/include/asm/kexec.h
@@ -100,6 +100,9 @@ struct kimage_arch {
void *elf_headers;
unsigned long elf_headers_mem;
unsigned long elf_headers_sz;
+
+ phys_addr_t ima_buffer_addr;
+ size_t ima_buffer_size;
};
extern const struct kexec_file_ops kexec_image_ops;
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 361a1143e09e..4c54723e7a04 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -38,6 +38,23 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
NULL
};
+/**
+ * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer
+ *
+ * Architectures should use this function to pass on the IMA buffer
+ * information to the next kernel.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+ size_t size)
+{
+ image->arch.ima_buffer_addr = load_addr;
+ image->arch.ima_buffer_size = size;
+ return 0;
+}
+
+
int arch_kimage_file_post_load_cleanup(struct kimage *image)
{
vfree(image->arch.dtb);
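Review bot: The definition of arch_ima_add_kexec_buffer() added here is compiled unconditionally, while the new asm/ima.h supplies a `static inline` stub with the same name whenever CONFIG_IMA_KEXEC is off. Once this file includes that header, a build without CONFIG_IMA_KEXEC sees two conflicting definitions, so the function should be wrapped in `#ifdef CONFIG_IMA_KEXEC` / `#endif /* CONFIG_IMA_KEXEC */`. The kernel-doc could also say that the values are only recorded in `image->arch` here and are published to the next kernel by setup_dtb, as the commit message describes.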
--
2.25.1
Signed-off-by: Prakhar Srivastava <[email protected]>
---
arch/arm64/kernel/machine_kexec_file.c | 19 ++++++++++---------
arch/powerpc/kexec/ima.c | 8 +++++---
2 files changed, 15 insertions(+), 12 deletions(-)
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 066670c43626..59058901e641 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -24,14 +24,15 @@
#include <asm/byteorder.h>
/* relevant device tree properties */
-#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
-#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
-#define FDT_PROP_INITRD_START "linux,initrd-start"
-#define FDT_PROP_INITRD_END "linux,initrd-end"
-#define FDT_PROP_BOOTARGS "bootargs"
-#define FDT_PROP_KASLR_SEED "kaslr-seed"
-#define FDT_PROP_RNG_SEED "rng-seed"
-#define RNG_SEED_SIZE 128
+#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
+#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
+#define FDT_PROP_INITRD_START "linux,initrd-start"
+#define FDT_PROP_INITRD_END "linux,initrd-end"
+#define FDT_PROP_BOOTARGS "bootargs"
+#define FDT_PROP_KASLR_SEED "kaslr-seed"
+#define FDT_PROP_RNG_SEED "rng-seed"
+#define FDT_PROP_IMA_KEXEC_BUFFER "linux,ima-kexec-buffer"
+#define RNG_SEED_SIZE 128
const struct kexec_file_ops * const kexec_file_loaders[] = {
&kexec_image_ops,
@@ -157,7 +158,7 @@ static int setup_dtb(struct kimage *image,
if (image->arch.ima_buffer_size > 0) {
ret = fdt_appendprop_addrrange(dtb, 0, off,
- "linux,ima-kexec-buffer",
+ FDT_PROP_IMA_KEXEC_BUFFER,
image->arch.ima_buffer_addr,
image->arch.ima_buffer_size);
if (ret)
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index a9e4e9f04273..7d6c43b2eacb 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -12,6 +12,8 @@
#include <linux/memblock.h>
#include <linux/libfdt.h>
+#define FDT_PROP_IMA_KEXEC_BUFFER "linux,ima-kexec-buffer"
+
/**
* remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
*
@@ -25,7 +27,7 @@ void remove_ima_buffer(void *fdt, int chosen_node)
size_t size;
const void *prop;
- prop = fdt_getprop(fdt, chosen_node, "linux,ima-kexec-buffer", &len);
+ prop = fdt_getprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER, &len);
if (!prop)
return;
@@ -45,7 +47,7 @@ void remove_ima_buffer(void *fdt, int chosen_node)
addr = of_read_number(prop, addr_cells);
size = of_read_number(prop + 4 * addr_cells, size_cells);
- fdt_delprop(fdt, chosen_node, "linux,ima-kexec-buffer");
+ fdt_delprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER);
if (ret)
return;
@@ -134,7 +136,7 @@ int setup_ima_buffer(const struct kimage *image, void *fdt, int chosen_node)
if (ret)
return ret;
- ret = fdt_setprop(fdt, chosen_node, "linux,ima-kexec-buffer", value,
+ ret = fdt_setprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER, value,
entry_size);
if (ret < 0)
return -EINVAL;
--
2.25.1
Signed-off-by: Prakhar Srivastava <[email protected]>
---
arch/arm64/Kconfig | 1 +
arch/arm64/kernel/machine_kexec_file.c | 11 +++++++++++
2 files changed, 12 insertions(+)
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 66dc41fd49f2..ece34b8ca648 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1077,6 +1077,7 @@ config KEXEC
config KEXEC_FILE
bool "kexec file based system call"
select KEXEC_CORE
+ select HAVE_IMA_KEXEC
help
This is new version of kexec system call. This system call is
file based and takes file descriptors as system call argument
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 4c54723e7a04..066670c43626 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -153,6 +153,17 @@ static int setup_dtb(struct kimage *image,
FDT_PROP_KASLR_SEED);
}
+ /* add ima-kexec-buffer */
+ if (image->arch.ima_buffer_size > 0) {
+
+ ret = fdt_appendprop_addrrange(dtb, 0, off,
+ "linux,ima-kexec-buffer",
+ image->arch.ima_buffer_addr,
+ image->arch.ima_buffer_size);
+ if (ret)
+ return (ret == -FDT_ERR_NOSPACE ? -ENOMEM : -EINVAL);
+ }
+
/* add rng-seed */
if (rng_is_initialized()) {
void *rng_seed;
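Review bot: fdt_appendprop_addrrange() appends to any value the property already has, and nothing visible in this hunk removes a linux,ima-kexec-buffer entry that the DTB may still carry from a previous kexec. If the old entry is present, the property ends up holding two address/size pairs, and a reader that takes the first pair would pick up the stale buffer instead of the current measurement list, which undermines attestation across chained kexecs. Unless the property is deleted elsewhere in setup_dtb (its body starts and ends outside the hunk), remove it first: `ret = fdt_delprop(dtb, off, "linux,ima-kexec-buffer");` followed by `if (ret && ret != -FDT_ERR_NOTFOUND) return -EINVAL;`.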
--
2.25.1
Signed-off-by: Prakhar Srivastava <[email protected]>
---
arch/powerpc/kexec/ima.c | 63 ++++++++++++++++------------------------
1 file changed, 25 insertions(+), 38 deletions(-)
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index 563313703756..a9e4e9f04273 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -12,40 +12,6 @@
#include <linux/memblock.h>
#include <linux/libfdt.h>
-static int get_addr_size_cells(int *addr_cells, int *size_cells)
-{
- struct device_node *root;
-
- root = of_find_node_by_path("/");
- if (!root)
- return -EINVAL;
-
- *addr_cells = of_n_addr_cells(root);
- *size_cells = of_n_size_cells(root);
-
- of_node_put(root);
-
- return 0;
-}
-
-static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
- size_t *size)
-{
- int ret, addr_cells, size_cells;
-
- ret = get_addr_size_cells(&addr_cells, &size_cells);
- if (ret)
- return ret;
-
- if (len < 4 * (addr_cells + size_cells))
- return -ENOENT;
-
- *addr = of_read_number(prop, addr_cells);
- *size = of_read_number(prop + 4 * addr_cells, size_cells);
-
- return 0;
-}
-
/**
* remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
*
@@ -54,7 +20,7 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
*/
void remove_ima_buffer(void *fdt, int chosen_node)
{
- int ret, len;
+ int ret, len, addr_cells, size_cells;
unsigned long addr;
size_t size;
const void *prop;
@@ -63,7 +29,22 @@ void remove_ima_buffer(void *fdt, int chosen_node)
if (!prop)
return;
- ret = do_get_kexec_buffer(prop, len, &addr, &size);
+ ret = fdt_address_cells(fdt, chosen_node);
+ if (ret < 0)
+ return;
+ addr_cells = ret;
+
+ ret = fdt_size_cells(fdt, chosen_node);
+ if (ret < 0)
+ return;
+ size_cells = ret;
+
+ if (len < 4 * (addr_cells + size_cells))
+ return;
+
+ addr = of_read_number(prop, addr_cells);
+ size = of_read_number(prop + 4 * addr_cells, size_cells);
+
fdt_delprop(fdt, chosen_node, "linux,ima-kexec-buffer");
if (ret)
return;
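Review bot: After this change the `if (ret) return;` that follows fdt_delprop() tests the value left over from fdt_size_cells(), which is the cell count and normally non-zero, so remove_ima_buffer returns before any code after that check can run. Every failure above already returns, so either drop the check or make it test the call it follows: `ret = fdt_delprop(fdt, chosen_node, "linux,ima-kexec-buffer");`. The new early returns also leave the property in the FDT when parsing fails, where the old code deleted it regardless of the parse result. The same lines appear as context in the remove_ima_buffer hunk of the FDT_PROP_IMA_KEXEC_BUFFER patch; the function continues past this hunk.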
@@ -129,9 +110,15 @@ int setup_ima_buffer(const struct kimage *image, void *fdt, int chosen_node)
if (!image->arch.ima_buffer_size)
return 0;
- ret = get_addr_size_cells(&addr_cells, &size_cells);
- if (ret)
+ ret = fdt_address_cells(fdt, chosen_node);
+ if (ret < 0)
+ return ret;
+ addr_cells = ret;
+
+ ret = fdt_size_cells(fdt, chosen_node);
+ if (ret < 0)
return ret;
+ size_cells = ret;
entry_size = 4 * (addr_cells + size_cells);
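Review bot: fdt_address_cells() and fdt_size_cells() are called with chosen_node, so they look up #address-cells/#size-cells on /chosen itself, whereas the removed get_addr_size_cells() used the root node's values. Properties in /chosen are encoded with the root's cell counts, and libfdt appears to fall back to defaults when the node has no such property, so entry_size can disagree with readers that use of_n_addr_cells(root) and of_n_size_cells(root). Passing the root offset keeps the old behaviour: `ret = fdt_address_cells(fdt, 0);` and `ret = fdt_size_cells(fdt, 0);`. The calls added to remove_ima_buffer in this patch need the same change; setup_ima_buffer starts and ends outside the hunk.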
--
2.25.1
Existing code in arch/powerpc can be used for carrying forward the IMA measurement
logs by other architectures.
Move non-architecture-specific code to security/integrity, to make it available
to other architectures.
Signed-off-by: Prakhar Srivastava <[email protected]>
---
arch/powerpc/include/asm/ima.h | 3 -
arch/powerpc/kexec/ima.c | 54 ------------------
security/integrity/ima/ima_kexec.c | 91 ++++++++++++++++++++++++++++++
3 files changed, 91 insertions(+), 57 deletions(-)
diff --git a/arch/powerpc/include/asm/ima.h b/arch/powerpc/include/asm/ima.h
index ead488cf3981..bc27fd94de52 100644
--- a/arch/powerpc/include/asm/ima.h
+++ b/arch/powerpc/include/asm/ima.h
@@ -4,9 +4,6 @@
struct kimage;
-int ima_get_kexec_buffer(void **addr, size_t *size);
-int ima_free_kexec_buffer(void);
-
#ifdef CONFIG_IMA
void remove_ima_buffer(void *fdt, int chosen_node);
#else
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index 720e50e490b6..563313703756 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -46,60 +46,6 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
return 0;
}
-/**
- * ima_get_kexec_buffer - get IMA buffer from the previous kernel
- * @addr: On successful return, set to point to the buffer contents.
- * @size: On successful return, set to the buffer size.
- *
- * Return: 0 on success, negative errno on error.
- */
-int ima_get_kexec_buffer(void **addr, size_t *size)
-{
- int ret, len;
- unsigned long tmp_addr;
- size_t tmp_size;
- const void *prop;
-
- prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
- if (!prop)
- return -ENOENT;
-
- ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
- if (ret)
- return ret;
-
- *addr = __va(tmp_addr);
- *size = tmp_size;
-
- return 0;
-}
-
-/**
- * ima_free_kexec_buffer - free memory used by the IMA buffer
- */
-int ima_free_kexec_buffer(void)
-{
- int ret;
- unsigned long addr;
- size_t size;
- struct property *prop;
-
- prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
- if (!prop)
- return -ENOENT;
-
- ret = do_get_kexec_buffer(prop->value, prop->length, &addr, &size);
- if (ret)
- return ret;
-
- ret = of_remove_property(of_chosen, prop);
- if (ret)
- return ret;
-
- return memblock_free(addr, size);
-
-}
-
/**
* remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
*
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 121de3e04af2..2fe2d3bf7bda 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -10,8 +10,99 @@
#include <linux/seq_file.h>
#include <linux/vmalloc.h>
#include <linux/kexec.h>
+#include <linux/of.h>
+#include <linux/memblock.h>
+#include <linux/libfdt.h>
#include "ima.h"
+static int get_addr_size_cells(int *addr_cells, int *size_cells)
+{
+ struct device_node *root;
+
+ root = of_find_node_by_path("/");
+ if (!root)
+ return -EINVAL;
+
+ *addr_cells = of_n_addr_cells(root);
+ *size_cells = of_n_size_cells(root);
+
+ of_node_put(root);
+
+ return 0;
+}
+
+static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
+ size_t *size)
+{
+ int ret, addr_cells, size_cells;
+
+ ret = get_addr_size_cells(&addr_cells, &size_cells);
+ if (ret)
+ return ret;
+
+ if (len < 4 * (addr_cells + size_cells))
+ return -ENOENT;
+
+ *addr = of_read_number(prop, addr_cells);
+ *size = of_read_number(prop + 4 * addr_cells, size_cells);
+
+ return 0;
+}
+
+/**
+ * ima_get_kexec_buffer - get IMA buffer from the previous kernel
+ * @addr: On successful return, set to point to the buffer contents.
+ * @size: On successful return, set to the buffer size.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+int ima_get_kexec_buffer(void **addr, size_t *size)
+{
+ int ret, len;
+ unsigned long tmp_addr;
+ size_t tmp_size;
+ const void *prop;
+
+ prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
+ if (!prop)
+ return -ENOENT;
+
+ ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
+ if (ret)
+ return ret;
+
+ *addr = __va(tmp_addr);
+ *size = tmp_size;
+
+ return 0;
+}
+
+/**
+ * ima_free_kexec_buffer - free memory used by the IMA buffer
+ */
+int ima_free_kexec_buffer(void)
+{
+ int ret;
+ unsigned long addr;
+ size_t size;
+ struct property *prop;
+
+ prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
+ if (!prop)
+ return -ENOENT;
+
+ ret = do_get_kexec_buffer(prop->value, prop->length, &addr, &size);
+ if (ret)
+ return ret;
+
+ ret = of_remove_property(of_chosen, prop);
+ if (ret)
+ return ret;
+
+ return memblock_free(addr, size);
+
+}
+
#ifdef CONFIG_IMA_KEXEC
static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
unsigned long segment_size)
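Review bot: ima_get_kexec_buffer() returns `__va(tmp_addr)` for whatever address and size the linux,ima-kexec-buffer property holds, without checking that the range is non-empty and lies in RAM. The property is inherited from the previous kernel's device tree, so a truncated or corrupted entry presumably becomes a bad pointer dereference once the caller reads the buffer. Failing closed before the conversion would be safer, for example `if (!tmp_size || !page_is_ram(PHYS_PFN(tmp_addr)) || !page_is_ram(PHYS_PFN(tmp_addr + tmp_size - 1))) return -EINVAL;`. The kernel-doc for ima_free_kexec_buffer() is also missing its `Return:` line.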
--
2.25.1
Signed-off-by: Prakhar Srivastava <[email protected]>
---
security/integrity/ima/ima_kexec.c | 20 +++++---------------
1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 2fe2d3bf7bda..e47982e9bb67 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -15,31 +15,21 @@
#include <linux/libfdt.h>
#include "ima.h"
-static int get_addr_size_cells(int *addr_cells, int *size_cells)
+static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
+ size_t *size)
{
+ int addr_cells, size_cells;
struct device_node *root;
root = of_find_node_by_path("/");
if (!root)
return -EINVAL;
- *addr_cells = of_n_addr_cells(root);
- *size_cells = of_n_size_cells(root);
+ addr_cells = of_n_addr_cells(root);
+ size_cells = of_n_size_cells(root);
of_node_put(root);
- return 0;
-}
-
-static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
- size_t *size)
-{
- int ret, addr_cells, size_cells;
-
- ret = get_addr_size_cells(&addr_cells, &size_cells);
- if (ret)
- return ret;
-
if (len < 4 * (addr_cells + size_cells))
return -ENOENT;
--
2.25.1
On Mon, Jul 20, 2020 at 08:23:38AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <[email protected]>
I know I refuse patches without any changelog texts, perhaps other
maintainers are more lax...
Also, your subject lines are really odd, look at how almost all other
patches do it, we have hundreds of thousands of examples to choose from
:)
thanks,
greg k-h
On Mon, Jul 20, 2020 at 08:23:41AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <[email protected]>
Your subject line is whack.
On Mon, Jul 20, 2020 at 08:23:42AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <[email protected]>
Again, subject line, no changelog :(
> ---
> arch/arm64/kernel/machine_kexec_file.c | 19 ++++++++++---------
> arch/powerpc/kexec/ima.c | 8 +++++---
> 2 files changed, 15 insertions(+), 12 deletions(-)
>
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index 066670c43626..59058901e641 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
> @@ -24,14 +24,15 @@
> #include <asm/byteorder.h>
>
> /* relevant device tree properties */
> -#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
> -#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
> -#define FDT_PROP_INITRD_START "linux,initrd-start"
> -#define FDT_PROP_INITRD_END "linux,initrd-end"
> -#define FDT_PROP_BOOTARGS "bootargs"
> -#define FDT_PROP_KASLR_SEED "kaslr-seed"
> -#define FDT_PROP_RNG_SEED "rng-seed"
> -#define RNG_SEED_SIZE 128
> +#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
> +#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
> +#define FDT_PROP_INITRD_START "linux,initrd-start"
> +#define FDT_PROP_INITRD_END "linux,initrd-end"
> +#define FDT_PROP_BOOTARGS "bootargs"
> +#define FDT_PROP_KASLR_SEED "kaslr-seed"
> +#define FDT_PROP_RNG_SEED "rng-seed"
> +#define FDT_PROP_IMA_KEXEC_BUFFER "linux,ima-kexec-buffer"
> +#define RNG_SEED_SIZE 128
Why did you reformat all of these?
>
> const struct kexec_file_ops * const kexec_file_loaders[] = {
> &kexec_image_ops,
> @@ -157,7 +158,7 @@ static int setup_dtb(struct kimage *image,
> if (image->arch.ima_buffer_size > 0) {
>
> ret = fdt_appendprop_addrrange(dtb, 0, off,
> - "linux,ima-kexec-buffer",
> + FDT_PROP_IMA_KEXEC_BUFFER,
> image->arch.ima_buffer_addr,
> image->arch.ima_buffer_size);
> if (ret)
> diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
> index a9e4e9f04273..7d6c43b2eacb 100644
> --- a/arch/powerpc/kexec/ima.c
> +++ b/arch/powerpc/kexec/ima.c
> @@ -12,6 +12,8 @@
> #include <linux/memblock.h>
> #include <linux/libfdt.h>
>
> +#define FDT_PROP_IMA_KEXEC_BUFFER "linux,ima-kexec-buffer"
> +
Why are you mixing arm64 and powerpc patches together that do not do the
same thing???
Shouldn't there be a common place for these strings and not spread out
all over the kernel in random places?
thanks,
greg k-h
Hi Prakhar,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on arm64/for-next/core]
[also build test WARNING on powerpc/next integrity/next-integrity v5.8-rc6 next-20200720]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Prakhar-Srivastava/Add-support-to-carry-forward-the-IMA-measurement-logs/20200720-232521
base: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core
config: arm64-allyesconfig (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arm64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
>> arch/arm64/kernel/machine_kexec_file.c:49:5: warning: no previous prototype for 'arch_ima_add_kexec_buffer' [-Wmissing-prototypes]
49 | int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~
vim +/arch_ima_add_kexec_buffer +49 arch/arm64/kernel/machine_kexec_file.c
40
41 /**
42 * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer
43 *
44 * Architectures should use this function to pass on the IMA buffer
45 * information to the next kernel.
46 *
47 * Return: 0 on success, negative errno on error.
48 */
> 49 int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
50 size_t size)
51 {
52 image->arch.ima_buffer_addr = load_addr;
53 image->arch.ima_buffer_size = size;
54 return 0;
55 }
56
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]
Hi Prakhar,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on arm64/for-next/core]
[also build test WARNING on powerpc/next integrity/next-integrity v5.8-rc6 next-20200720]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Prakhar-Srivastava/Add-support-to-carry-forward-the-IMA-measurement-logs/20200720-232521
base: https://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core
config: arm64-allyesconfig (attached as .config)
compiler: aarch64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=arm64
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <[email protected]>
All warnings (new ones prefixed by >>):
>> security/integrity/ima/ima_kexec.c:49:5: warning: no previous prototype for 'ima_get_kexec_buffer' [-Wmissing-prototypes]
49 | int ima_get_kexec_buffer(void **addr, size_t *size)
| ^~~~~~~~~~~~~~~~~~~~
>> security/integrity/ima/ima_kexec.c:73:5: warning: no previous prototype for 'ima_free_kexec_buffer' [-Wmissing-prototypes]
73 | int ima_free_kexec_buffer(void)
| ^~~~~~~~~~~~~~~~~~~~~
security/integrity/ima/ima_kexec.c:161:6: warning: no previous prototype for 'ima_add_kexec_buffer' [-Wmissing-prototypes]
161 | void ima_add_kexec_buffer(struct kimage *image)
| ^~~~~~~~~~~~~~~~~~~~
vim +/ima_get_kexec_buffer +49 security/integrity/ima/ima_kexec.c
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 41
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 42 /**
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 43 * ima_get_kexec_buffer - get IMA buffer from the previous kernel
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 44 * @addr: On successful return, set to point to the buffer contents.
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 45 * @size: On successful return, set to the buffer size.
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 46 *
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 47 * Return: 0 on success, negative errno on error.
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 48 */
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 @49 int ima_get_kexec_buffer(void **addr, size_t *size)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 50 {
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 51 int ret, len;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 52 unsigned long tmp_addr;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 53 size_t tmp_size;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 54 const void *prop;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 55
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 56 prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 57 if (!prop)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 58 return -ENOENT;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 59
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 60 ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 61 if (ret)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 62 return ret;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 63
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 64 *addr = __va(tmp_addr);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 65 *size = tmp_size;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 66
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 67 return 0;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 68 }
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 69
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 70 /**
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 71 * ima_free_kexec_buffer - free memory used by the IMA buffer
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 72 */
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 @73 int ima_free_kexec_buffer(void)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 74 {
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 75 int ret;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 76 unsigned long addr;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 77 size_t size;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 78 struct property *prop;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 79
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 80 prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 81 if (!prop)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 82 return -ENOENT;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 83
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 84 ret = do_get_kexec_buffer(prop->value, prop->length, &addr, &size);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 85 if (ret)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 86 return ret;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 87
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 88 ret = of_remove_property(of_chosen, prop);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 89 if (ret)
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 90 return ret;
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 91
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 92 return memblock_free(addr, size);
0cc3b50ba7b5c5 Prakhar Srivastava 2020-07-20 93
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/[email protected]