Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp4628053ybi;
        Tue, 11 Jun 2019 09:41:23 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyDryIaJJOyjbY19yQ+PH7k0hPlBSq4tEUiwcrb5fgB0LDXbZg8KNQbGiA7bx/CaAxzuqyE
X-Received: by 2002:a17:902:1e6:: with SMTP id b93mr33462921plb.295.1560271283483;
        Tue, 11 Jun 2019 09:41:23 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560271283; cv=none;
        d=google.com; s=arc-20160816;
        b=xrKw+E59n+LS0hb1YcFFF96l0MPiWeS1YRDvwXLTPUellEjQ1VdfTgnfaBqLeyA0/s
         4AJTAqpMsREWhIARlLALC2yReJLROv91SQVu/2g2UA+TlGH/g9ud6Bil2KmPm3LldGWa
         1zwn51A0jyi7PF3GTo6Xd2KbVlV0TvPRWvDojMdQLGC4uBpQHgJo3BGRCwAsZCDXhfj2
         oG2Oexq2C7wgqt5J4CEXAowbZcvHxr/37qTIKcpNEIyhecAeQhLvGogw8nRoLmSrZt4X
         PuFM2L/uamfLyMKNXBRTnme320bPvCsSow0dZp+BqBRCmGtStYsxACmmk+Ocxf2IFUUb
         aMmw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:content-transfer-encoding
         :mime-version:references:in-reply-to:date:cc:to:from:subject;
        bh=q7vZTxtkC639W/RDAgbRIrR8QX6dm5B4cgFQOjwgnzU=;
        b=H/ZVxRDq0M56ymJD/F57SSkK6K1Bq11NULueoyyxuXsODL3ZR6wlWB/FB6dDguGK4G
         caW/hbLY6gi2p/hMAB8K2P7j5TMtNQlmM0HSzBed74O78emBuDegTPEWvDs6dqw2W1nt
         oTIbubWeFyrwYsR3iif+IIYAQRlqzQhOKQGm3XSFskmg5OnWmPCh9rk4wybOIkNWZX3b
         EUDbeSp4GZFCEwxAkOBQubbGF8aplGYp2raFS7oh73QUvt7S09CRb2kKny5xCabpbYV8
         F9MeOJ7eRHRUu2BMMvdPvdDrCrst2R4G1dXuqPs5mwReg1U5/2n9sdOgCgCMBjCoTu4j
         hPYw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id g21si11361499plo.306.2019.06.11.09.41.07;
        Tue, 11 Jun 2019 09:41:23 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2405151AbfFKPhZ (ORCPT <rfc822;fezhang.suse@gmail.com>
        + 99 others); Tue, 11 Jun 2019 11:37:25 -0400
Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:51392 "EHLO
        mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL)
        by vger.kernel.org with ESMTP id S2388819AbfFKPhZ (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 11 Jun 2019 11:37:25 -0400
Received: from pps.filterd (m0098421.ppops.net [127.0.0.1])
        by mx0a-001b2d01.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x5BFWQit115453
        for <linux-kernel@vger.kernel.org>; Tue, 11 Jun 2019 11:37:23 -0400
Received: from e06smtp04.uk.ibm.com (e06smtp04.uk.ibm.com [195.75.94.100])
        by mx0a-001b2d01.pphosted.com with ESMTP id 2t2ena9m9d-1
        (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT)
        for <linux-kernel@vger.kernel.org>; Tue, 11 Jun 2019 11:37:23 -0400
Received: from localhost
        by e06smtp04.uk.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted
        for <linux-kernel@vger.kernel.org> from <zohar@linux.ibm.com>;
        Tue, 11 Jun 2019 16:37:21 +0100
Received: from b06cxnps3074.portsmouth.uk.ibm.com (9.149.109.194)
        by e06smtp04.uk.ibm.com (192.168.101.134) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted;
        (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256)
        Tue, 11 Jun 2019 16:37:19 +0100
Received: from d06av23.portsmouth.uk.ibm.com (d06av23.portsmouth.uk.ibm.com [9.149.105.59])
        by b06cxnps3074.portsmouth.uk.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id x5BFbId730212220
        (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
        Tue, 11 Jun 2019 15:37:18 GMT
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id A18B6A4051;
        Tue, 11 Jun 2019 15:37:18 +0000 (GMT)
Received: from d06av23.portsmouth.uk.ibm.com (unknown [127.0.0.1])
        by IMSVA (Postfix) with ESMTP id CCB81A405E;
        Tue, 11 Jun 2019 15:37:17 +0000 (GMT)
Received: from localhost.localdomain (unknown [9.80.81.78])
        by d06av23.portsmouth.uk.ibm.com (Postfix) with ESMTP;
        Tue, 11 Jun 2019 15:37:17 +0000 (GMT)
Subject: Re: [PATCH v7 0/3] add new ima hook ima_kexec_cmdline to measure
 kexec boot cmdline args
From:   Mimi Zohar <zohar@linux.ibm.com>
To:     Prakhar Srivastava <prsriva02@gmail.com>,
        linux-integrity@vger.kernel.org,
        linux-security-module@vger.kernel.org, linux-kernel@vger.kernel.org
Cc:     roberto.sassu@huawei.com, vgoyal@redhat.com
Date:   Tue, 11 Jun 2019 11:37:06 -0400
In-Reply-To: <20190607002330.2999-1-prsriva02@gmail.com>
References: <20190607002330.2999-1-prsriva02@gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.20.5 (3.20.5-1.fc24) 
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-TM-AS-GCONF: 00
x-cbid: 19061115-0016-0000-0000-000002882983
X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused
x-cbparentid: 19061115-0017-0000-0000-000032E558E5
Message-Id: <1560267426.4464.173.camel@linux.ibm.com>
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2019-06-11_07:,,
 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501
 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0
 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0
 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx
 scancount=1 engine=8.0.1-1810050000 definitions=main-1906110101
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi Prakhar,

The patch/patch set title in the Subject line should not explain "how"
you add a new feature.  In this case an appropriate patch set title
would be, "Add support for measuring the boot command line".
 Similarly, the first patch in this patch set could be named "Define a
new IMA hook to measure the boot command line arguments".

On Thu, 2019-06-06 at 17:23 -0700, Prakhar Srivastava wrote:
> The motive behind the patch series is to measure the boot cmdline args
> used for soft reboot/kexec case.

When mentoring, I suggest starting out with a simple status statement
(eg. "The kexec boot command line arguments are not currently being
measured."), followed by the problem statement in the first paragraph.

> 
> For secure boot attestation, it is necessary to measure the kernel

Secure boot enforces local file data integrity.  The term here should
be "trusted boot attestation".

> command line and the kernel version. 

The original version of this patch set included the kernel version.  
This version is just measuring the boot command line arguments.

> For cold boot, the boot loader
> can be enhanced to measure these parameters.
> (https://mjg59.dreamwidth.org/48897.html)
> However, for attestation across soft reboot boundary, these values 
> also need to be measured during kexec_file_load.
> 
> Currently for Kexec(kexec_file_load)/soft reboot scenario the boot cmdline
> args for the next kernel are not measured. For 
> normal case of boot/hardreboot the cmdline args are measured into the TPM.
> The hash of boot command line is calculated and added to the current 
> running kernel's measurement list.
> On a soft reboot like kexec, no cmdline arguments measurement takes place.
> 
> To achive the above the patch series does the following
>   -adds a new ima hook: ima_kexec_cmdline which measures the cmdline args
>    into the ima log, behind a new ima policy entry KEXEC_CMDLINE.
>   -since the cmldine args cannot be appraised, a new template field(buf) is
>    added. The template field contains the buffer passed(cmldine args), which
>    can be used to appraise/attest at a later stage.
>   -call the ima_kexec_cmdline(...) hook from kexec_file_load call.
> 
> The ima logs need to be carried over to the next kernel, which will be followed
> up by other patchsets for x86_64 and arm64.
> 
> The kexec cmdline hash

^stored in the "d-ng" field of the template data

> can be verified using

> sudo cat /sys/kernel/security/integrity/ima/ascii_runtime_measurements | 
>   grep  kexec-cmdline | cut -d' ' -f 6 | xxd -r -p | sha256sum

Until per policy template field rule support is added, a template name
needs to be defined.  Please define "ima-buf" as:
{.name = "ima-buf", .fmt = "d-ng|n-ng|buf"}

I'm still seeing some scripts/checkpatch "WARNING: line over 80
characters".  scripts/Lindent should provide the correct way of
formatting these lines.

Some people feel that references to Lindent should be removed, but I
tend to agree with the Documentation/hwmon/submitting-patches.rst
comment pertaining to scripts/Lindent.

"* Running your patch or driver file(s) through checkpatch does not
mean its formatting is clean. If unsure about formatting in your new
driver, run it through Lindent. Lindent is not perfect, and you may
have to do some minor cleanup, but it is a good start."

Examples of where the line formatting is off is the call to
ima_get_action() in process_buffer_measurement() and the call to
process_buffer_measurement() in ima_kexec_cmdline().

thanks,

Mimi

> 
> Changelog:
> V7:
>   - rebased to next-queued-testing
>   https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/log/?h=next-queued-testing
> 
> V6:
>   -add a new ima hook and policy to measure the cmdline
>     args(ima_kexec_cmdline)
>   -add a new template field buf to contain the buffer measured.
>   [suggested by Mimi Zohar]
>    add new fields to ima_event_data to store/read buffer data.
>   [suggested by Roberto]
>   -call ima_kexec_cmdline from kexec_file_load path
> 
> v5:
>   -add a new ima hook and policy to measure the cmdline
>     args(ima_kexec_cmdline)
>   -add a new template field buf to contain the buffer measured.
>     [suggested by Mimi Zohar]
>   -call ima_kexec_cmdline from kexec_file_load path
> 
> v4:
>   - per feedback from LSM community, removed the LSM hook and renamed the
>     IMA policy to KEXEC_CMDLINE
> 
> v3: (rebase changes to next-general)
>   - Add policy checks for buffer[suggested by Mimi Zohar]
>   - use the IMA_XATTR to add buffer
>   - Add kexec_cmdline used for kexec file load
>   - Add an LSM hook to allow usage by other LSM.[suggestd by Mimi Zohar]
> 
> v2:
>   - Add policy checks for buffer[suggested by Mimi Zohar]
>   - Add an LSM hook to allow usage by other LSM.[suggestd by Mimi Zohar]
>   - use the IMA_XATTR to add buffer instead of sig template
> 
> v1:
>   -Add kconfigs to control the ima_buffer_check
>   -measure the cmdline args suffixed with the kernel file name
>   -add the buffer to the template sig field.
> 
> Prakhar Srivastava (3):
>   Add a new ima hook ima_kexec_cmdline to measure cmdline args
>   add a new ima template field buf
>   call ima_kexec_cmdline to measure the cmdline args
> 
>  Documentation/ABI/testing/ima_policy      |  1 +
>  Documentation/security/IMA-templates.rst  |  2 +-
>  include/linux/ima.h                       |  2 +
>  kernel/kexec_file.c                       |  8 ++-
>  security/integrity/ima/ima.h              |  3 +
>  security/integrity/ima/ima_api.c          |  5 +-
>  security/integrity/ima/ima_init.c         |  2 +-
>  security/integrity/ima/ima_main.c         | 80 +++++++++++++++++++++++
>  security/integrity/ima/ima_policy.c       |  9 +++
>  security/integrity/ima/ima_template.c     |  2 +
>  security/integrity/ima/ima_template_lib.c | 20 ++++++
>  security/integrity/ima/ima_template_lib.h |  4 ++
>  12 files changed, 131 insertions(+), 7 deletions(-)
>