Subject: Re: [PATCH v2 1/2] Add support for arm64 to carry ima measurement log in kexec_file_load
To: Sasha Levin
Cc: linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-integrity@vger.kernel.org, kexec@lists.infradead.org, arnd@arndb.de, jean-philippe@linaro.org, allison@lohutok.net, kristina.martsenko@arm.org, yamada.masahiro@socionext.com,
    duwe@lst.de, mark.rutland@arm.com, tglx@linutronix.de, takahiro.akashi@linaro.org, james.morse@arm.org, catalin.marinas@arm.com, sboyd@kernel.org, bauerman@linux.ibm.com, zohar@linux.ibm.com
References: <20191007185943.1828-1-prsriva@linux.microsoft.com> <20191007185943.1828-2-prsriva@linux.microsoft.com> <20191008212224.GC1396@sasha-vm>
From: prsriva
Date: Wed, 9 Oct 2019 13:49:09 -0700
In-Reply-To: <20191008212224.GC1396@sasha-vm>

On 10/8/19 2:22 PM, Sasha Levin wrote:
> On Mon, Oct 07, 2019 at 11:59:42AM -0700, Prakhar Srivastava wrote:
>> During kexec_file_load, carrying forward the ima measurement log allows
>> a verifying party to get the entire runtime event log since the last
>> full reboot since that is when PCRs were last reset.
>>
>> Signed-off-by: Prakhar Srivastava
>> ---
>> arch/Kconfig                           |   6 +-
>> arch/arm64/include/asm/ima.h           |  24 +++
>> arch/arm64/include/asm/kexec.h         |   5 +
>> arch/arm64/kernel/Makefile             |   3 +-
>> arch/arm64/kernel/ima_kexec.c          |  78 ++++++++++
>> arch/arm64/kernel/machine_kexec_file.c |   6 +
>> drivers/of/Kconfig                     |   6 +
>> drivers/of/Makefile                    |   1 +
>> drivers/of/of_ima.c                    | 204 +++++++++++++++++++++++++
>> include/linux/of.h                     |  31 ++++
>> 10 files changed, 362 insertions(+), 2 deletions(-)
>> create mode 100644 arch/arm64/include/asm/ima.h
>> create mode 100644 arch/arm64/kernel/ima_kexec.c
>> create mode 100644 drivers/of/of_ima.c
>>
>> diff --git a/arch/Kconfig b/arch/Kconfig >> index a7b57dd42c26..d53e1596c5b1 100644 >> --- a/arch/Kconfig 
>> +++ b/arch/Kconfig >> @@ -19,7 +19,11 @@ config KEXEC_CORE >>     bool >> >> config HAVE_IMA_KEXEC >> -    bool >> +    bool "Carry over IMA measurement log during kexec_file_load() >> syscall" >> +    depends on KEXEC_FILE >> +    help >> +      Select this option to carry over IMA measurement log during >> +      kexec_file_load.
>
> This change looks very wrong: HAVE_* config symbols are used to indicate
> the availability of certain arch specific capability, rather than act as
> a config option. How does this work with CONFIG_IMA_KEXEC ?
>

Thanks for pointing this out. My attempt was to move this out of arch
dependent config. I will fix the CONFIG.

> Also, please, at the very least verify that basic functionality works on
> the architectures we have access to. Trying it on x86:
>

Let me fix the build issues for other archs. I have tested these changes
for arm64.

> $ make allmodconfig
> scripts/kconfig/conf  --allmodconfig Kconfig
> #
> # No change to .config
> #
> $ make
>  CALL    scripts/checksyscalls.sh
>  CALL    scripts/atomic/check-atomics.sh
>  DESCEND  objtool
>  CC      security/integrity/ima/ima_fs.o
> In file included from security/integrity/ima/ima_fs.c:26:
> security/integrity/ima/ima.h:28:10: fatal error: asm/ima.h: No such file
> or directory
> #include
>          ^~~~~~~~~~~
> compilation terminated.
> make[3]: *** [scripts/Makefile.build:266:
> security/integrity/ima/ima_fs.o] Error 1
> make[2]: *** [scripts/Makefile.build:509: security/integrity/ima] Error 2
> make[1]: *** [scripts/Makefile.build:509: security/integrity] Error 2
> make: *** [Makefile:1649: security] Error 2
>
> --
> Thanks,
> Sasha
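
Review bot: In the arch/Kconfig hunk, `config HAVE_IMA_KEXEC` gains a prompt whose only dependency is `depends on KEXEC_FILE`, so the option becomes selectable on any architecture that has KEXEC_FILE, and nothing in the entry restricts it to architectures that provide the supporting code. Suggest keeping HAVE_IMA_KEXEC as a promptless `bool` that architectures select, and putting the prompt and help text on the user-facing option instead. The help text also only restates the prompt; one sentence on what is lost when the option is off (per the commit message, the verifier can no longer replay the log back to the last full reboot) would make the choice clearer.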
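
The commit message's argument, worked through as an added example (not code from the patch or the kernel): PCRs are not reset by kexec, so a verifier can only reproduce the quoted PCR value by replaying the measurement log from the last full reboot. Assumptions: PCR 10 with a SHA-1 bank, log lines laid out like `ascii_runtime_measurements`, constructed placeholder hashes, and hypothetical helper names `entry`, `replay`, `verify` and `simulate`.

```python
import hashlib

PCR_RESET = bytes(20)  # assumed SHA-1 PCR 10 value right after a full reboot


def entry(path: str) -> str:
    """Build one constructed log line: PCR, template hash, template name,
    file hash, path. The hashes are placeholders derived from the path,
    not real ima-ng template hashes."""
    t = hashlib.sha1(b"template:" + path.encode()).hexdigest()
    f = hashlib.sha1(b"file:" + path.encode()).hexdigest()
    return f"10 {t} ima-ng sha1:{f} {path}"


def replay(lines, start=PCR_RESET) -> bytes:
    """Extend each entry's template hash: PCR = SHA1(PCR || template_hash)."""
    pcr = start
    for line in lines:
        index, template_hash = line.split()[:2]
        if index != "10":
            continue  # only PCR 10 entries are replayed here
        pcr = hashlib.sha1(pcr + bytes.fromhex(template_hash)).digest()
    return pcr


def verify(lines, quoted_pcr: bytes) -> bool:
    """A verifier accepts a log only if its replay equals the quoted PCR."""
    return replay(lines) == quoted_pcr


# Constructed sample measurements, not real IMA entries.
BEFORE_KEXEC = [entry(p) for p in ("boot_aggregate", "/sbin/init", "/usr/sbin/kexec")]
AFTER_KEXEC = [entry(p) for p in ("/sbin/init", "/usr/sbin/sshd")]


def simulate() -> dict:
    # The TPM keeps extending across kexec; there is no reset in between.
    tpm_pcr10 = replay(AFTER_KEXEC, start=replay(BEFORE_KEXEC))
    return {
        "log_carried_over": verify(BEFORE_KEXEC + AFTER_KEXEC, tpm_pcr10),
        "log_lost_at_kexec": verify(AFTER_KEXEC, tpm_pcr10),
    }


if __name__ == "__main__":
    print(simulate())
```
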