From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> To: Dave Young <dyoung@redhat.com> Cc: linuxppc-dev@lists.ozlabs.org, kexec@lists.infradead.org, x86@kernel.org, linux-kernel@vger.kernel.org, Eric Biederman <ebiederm@xmission.com>, Michael Ellerman <mpe@ellerman.id.au>, Mimi Zohar <zohar@linux.vnet.ibm.com>, Eric Richter <erichte@linux.vnet.ibm.com> Subject: Re: [PATCH 0/6] kexec_file: Add buffer hand-over for the next kernel Date: Wed, 22 Jun 2016 13:34:36 -0300 [thread overview] Message-ID: <2989292.sja9PMOcvE@hactar> (raw) In-Reply-To: <20160622012046.GD2938@dhcp-128-65.nay.redhat.com> Hello Dave, Thanks for your considerations on this feature. Am Mittwoch, 22 Juni 2016, 09:20:46 schrieb Dave Young: > On 06/20/16 at 10:44pm, Thiago Jung Bauermann wrote: > > This feature was implemented because the Integrity Measurement > > Architecture subsystem needs to preserve its measurement list accross > > the kexec reboot. This is so that IMA can implement trusted boot > > support on the OpenPower platform, because on such systems an > > intermediary Linux instance running as part of the firmware is used to > > boot the target operating system via kexec. Using this mechanism, IMA > > on this intermediary instance can hand over to the target OS the > > measurements of the components that were used to boot it. > We have CONFIG_KEXEC_VERIFY_SIG, why not verifying the kernel to be > loaded instead? I feel IMA should rebuild its measurement instead of > passing it to another kernel. In trusted boot, each stage of the boot process (firmware, boot loader, target OS) measures the following stage before passing control to it, and records that measurement cumulatively so that the target OS can look back and see measurements of all the components that were used from the earliest boot stages until the target OS was loaded (including a measurement of the OS itself). If IMA had to rebuild the measurements, it would mean that one stage is measuring itself. This violates this design property of the trusted boot process (i.e., each boot stage is measured by the one before it) so it's not really an option. It has to receive the measurements from the boot stage that ran before it. > Kexec reboot is also a reboot. If we have > to preserve something get from firmware we can do it, but other than > that I think it sounds not a good idea. OpenPower uses a Linux kernel (and initrd with a tiny system image) as a boot loader, so in this platform a kexec reboot is not a reboot. It is part of the boot process itself as the way of passing control from the boot loader to the target OS. > > This series applies on top of v2 of the "kexec_file_load implementation > > > for PowerPC" patch series at: > The kexec_file_load patches should be addressed first, no? Yes. I posted this series for two reasons: 1. The PowerPC maintainer asked why he would want to have the kexec_file_load system call, and this feature is one of the reasons. I wanted to show that it is not an hypothetical feature, there is a functioning implementation. 2. I want to start discussion on this feature with the community early, so that I can incorporate feedback and have it ready to be accepted (or closer to ready at least) by the time the kexec_file_load patches are accepted. []'s Thiago Jung Bauermann IBM Linux Technology Center
WARNING: multiple messages have this Message-ID (diff)
From: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> To: Dave Young <dyoung@redhat.com> Cc: Michael Ellerman <mpe@ellerman.id.au>, x86@kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, Eric Biederman <ebiederm@xmission.com>, Mimi Zohar <zohar@linux.vnet.ibm.com>, linuxppc-dev@lists.ozlabs.org, Eric Richter <erichte@linux.vnet.ibm.com> Subject: Re: [PATCH 0/6] kexec_file: Add buffer hand-over for the next kernel Date: Wed, 22 Jun 2016 13:34:36 -0300 [thread overview] Message-ID: <2989292.sja9PMOcvE@hactar> (raw) In-Reply-To: <20160622012046.GD2938@dhcp-128-65.nay.redhat.com> Hello Dave, Thanks for your considerations on this feature. Am Mittwoch, 22 Juni 2016, 09:20:46 schrieb Dave Young: > On 06/20/16 at 10:44pm, Thiago Jung Bauermann wrote: > > This feature was implemented because the Integrity Measurement > > Architecture subsystem needs to preserve its measurement list accross > > the kexec reboot. This is so that IMA can implement trusted boot > > support on the OpenPower platform, because on such systems an > > intermediary Linux instance running as part of the firmware is used to > > boot the target operating system via kexec. Using this mechanism, IMA > > on this intermediary instance can hand over to the target OS the > > measurements of the components that were used to boot it. > We have CONFIG_KEXEC_VERIFY_SIG, why not verifying the kernel to be > loaded instead? I feel IMA should rebuild its measurement instead of > passing it to another kernel. In trusted boot, each stage of the boot process (firmware, boot loader, target OS) measures the following stage before passing control to it, and records that measurement cumulatively so that the target OS can look back and see measurements of all the components that were used from the earliest boot stages until the target OS was loaded (including a measurement of the OS itself). If IMA had to rebuild the measurements, it would mean that one stage is measuring itself. This violates this design property of the trusted boot process (i.e., each boot stage is measured by the one before it) so it's not really an option. It has to receive the measurements from the boot stage that ran before it. > Kexec reboot is also a reboot. If we have > to preserve something get from firmware we can do it, but other than > that I think it sounds not a good idea. OpenPower uses a Linux kernel (and initrd with a tiny system image) as a boot loader, so in this platform a kexec reboot is not a reboot. It is part of the boot process itself as the way of passing control from the boot loader to the target OS. > > This series applies on top of v2 of the "kexec_file_load implementation > > > for PowerPC" patch series at: > The kexec_file_load patches should be addressed first, no? Yes. I posted this series for two reasons: 1. The PowerPC maintainer asked why he would want to have the kexec_file_load system call, and this feature is one of the reasons. I wanted to show that it is not an hypothetical feature, there is a functioning implementation. 2. I want to start discussion on this feature with the community early, so that I can incorporate feedback and have it ready to be accepted (or closer to ready at least) by the time the kexec_file_load patches are accepted. []'s Thiago Jung Bauermann IBM Linux Technology Center _______________________________________________ kexec mailing list kexec@lists.infradead.org http://lists.infradead.org/mailman/listinfo/kexec
next prev parent reply other threads:[~2016-06-22 16:34 UTC|newest] Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-06-21 1:44 [PATCH 0/6] kexec_file: Add buffer hand-over for the next kernel Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 1/6] kexec_file: Add buffer hand-over support " Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 2/6] powerpc: " Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 3/6] kexec_file: Allow skipping checksum calculation for some segments Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 4/6] kexec_file: Add mechanism to update kexec segments Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 5/6] kexec: Share logic to copy segment page contents Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-21 1:44 ` [PATCH 6/6] IMA: Demonstration code for kexec buffer passing Thiago Jung Bauermann 2016-06-21 1:44 ` Thiago Jung Bauermann 2016-06-22 1:20 ` [PATCH 0/6] kexec_file: Add buffer hand-over for the next kernel Dave Young 2016-06-22 1:20 ` Dave Young 2016-06-22 13:19 ` Mimi Zohar 2016-06-22 13:19 ` Mimi Zohar 2016-06-22 16:34 ` Thiago Jung Bauermann [this message] 2016-06-22 16:34 ` Thiago Jung Bauermann
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=2989292.sja9PMOcvE@hactar \ --to=bauerman@linux.vnet.ibm.com \ --cc=dyoung@redhat.com \ --cc=ebiederm@xmission.com \ --cc=erichte@linux.vnet.ibm.com \ --cc=kexec@lists.infradead.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=mpe@ellerman.id.au \ --cc=x86@kernel.org \ --cc=zohar@linux.vnet.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.