From: prakhar srivastava
Date: Fri, 10 May 2019 17:16:16 -0700
Subject: Carrying over the ima log during kexec_file_load
To: linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, kexec@lists.infradead.org
Cc: jmorris@namei.org, Mimi Zohar, dyoung@redhat.com, bhe@redhat.com, vgoyal@redhat.com

Hi,

I am currently looking at carrying over the ima log from the current kernel to the next kernel during soft reboot (kexec_file_load) for arm64 and x86_64.

During soft reboot (kexec_file_load) the TPM boot PCRs (PCRs 0 through 7) are not reset or extended and thus the boot aggregate does not change, leaving the new kernel with a sense of secure boot. During kexec_file_load the kernel file signature is validated through PE file signature validation. The boot cmdline args will also be measured with the "kexec cmdline buffer measure" change which is in progress: https://lkml.org/lkml/2019/5/10/728

Looking at the powerpc implementation of kexec_file_load, making a change to kimage_arch as below seems most reasonable.

    struct kimage_arch {
        ...
        /* field types are placeholders; the message names only the fields */
        void *ima_log_buffer;        /* IMA measurement log carried over to the next kernel */
        size_t ima_log_buffer_size;  /* size of that buffer in bytes */
    };

Add respective entries in dtb/fdt and read the same in the next kernel.
No changes to the purgatory should be needed since no kernel segments are changed.

Is anyone already looking at this? If not, I want to understand what the best approach for this is.

Thanks,
Prakhar Srivastava
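An added illustration, not part of the message above and not kernel code, of why the IMA log has to travel with the kernel: PCR 10 is not reset by a kexec either, so an attestation verifier that replays the new kernel's measurement list against PCR 10 only succeeds when the first kernel's entries are still at the front of the list. The file names and template hashes are constructed; the violation convention (all-zero digest in the list, all-0xff value extended into the PCR) is IMA's own.

```python
import hashlib

SHA1_LEN = 20
PCR_INITIAL = b"\x00" * SHA1_LEN             # PCR 10 at power-on; survives kexec untouched
VIOLATION_PLACEHOLDER = b"\x00" * SHA1_LEN   # what the measurement list records for a violation
VIOLATION_EXTEND = b"\xff" * SHA1_LEN        # what IMA actually extends into the PCR for it


def pcr_extend(pcr, digest):
    """TPM 1.2-style extend: PCR' = SHA1(PCR || digest)."""
    return hashlib.sha1(pcr + digest).digest()


def template_hash(name):
    """Constructed stand-in for an ima-ng template-data hash of one log entry."""
    return hashlib.sha1(name.encode()).digest()


def extend_value(entry_digest):
    """Map a logged template hash to the value the TPM was extended with."""
    return VIOLATION_EXTEND if entry_digest == VIOLATION_PLACEHOLDER else entry_digest


def replay(log):
    """Recompute PCR 10 from a measurement list, the way a verifier does."""
    pcr = PCR_INITIAL
    for entry in log:
        pcr = pcr_extend(pcr, extend_value(entry))
    return pcr


def verify(log, pcr_value):
    return replay(log) == pcr_value


# Constructed measurement lists: entries made before and after the kexec.
FIRST_KERNEL_LOG = [template_hash("boot_aggregate"),
                    template_hash("/sbin/init"),
                    VIOLATION_PLACEHOLDER]
SECOND_KERNEL_LOG = [template_hash("/usr/bin/app")]


def kexec_handoff():
    """Return (verifies with carried-over log, verifies with the new kernel's log alone)."""
    pcr10 = replay(FIRST_KERNEL_LOG + SECOND_KERNEL_LOG)   # hardware saw every extend
    carried_over = verify(FIRST_KERNEL_LOG + SECOND_KERNEL_LOG, pcr10)
    log_dropped = verify(SECOND_KERNEL_LOG, pcr10)
    return carried_over, log_dropped


if __name__ == "__main__":
    print(kexec_handoff())   # (True, False)
```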