Linux-Integrity Archive on lore.kernel.org
* [PATCH V3 0/6] Add support to carry forward the IMA measurement logs
@ 2020-07-20 15:23 Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 1/6] Refactoring powerpc code to be made available to other architectures Prakhar Srivastava
                   ` (5 more replies)
  0 siblings, 6 replies; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Integrity Measurement Architecture (IMA) during kexec (kexec file load)
verifies the kernel signature and measures the signature of the kernel.

The signature in the measurement logs is used to verify the
authenticity of the kernel in the subsequent kexec'd session; however, in
the current implementation IMA measurement logs are not carried over, thus
remote attestation cannot verify the signature of the running kernel.

Adding support to arm64 to carry over the IMA measurement logs over kexec.

Add a new chosen node entry linux,ima-kexec-buffer to hold the address and
the size of the memory reserved to carry the IMA measurement log.
Refactor existing powerpc code to be used by arm64 as well.

Changelog:

v3:
Breakup patches further into separate patches.
  - Refactoring non architecture specific code out of powerpc
  - Update powerpc related code to use fdt functions
  - Update IMA buffer read related code to use of functions
  - Add support to store the memory information of the IMA measurement logs 
    to be carried forward.
  - Update the property strings to align with documented nodes
    https://github.com/devicetree-org/dt-schema/pull/46

v2:
  Break patches into separate patches.
  - Powerpc related Refactoring
  - Updating the documentation for chosen node
  - Updating arm64 to support IMA buffer pass

v1:
  Refactoring carrying over IMA measurement logs over Kexec. This patch
    moves the non-architecture specific code out of powerpc and adds to
    security/ima.(Suggested by Thiago)
  Add Documentation regarding the ima-kexec-buffer node in the chosen
    node documentation

v0:
  Add a layer of abstraction to use the memory reserved by device tree
    for ima buffer pass.
  Add support for ima buffer pass using reserved memory for arm64 kexec.
    Update the arch specific code path in kexec file load to store the
    ima buffer in the reserved memory. The same reserved memory is read
    on kexec or cold boot.

Prakhar Srivastava (6):
  Refactoring powerpc code to be made available to other architectures
  Update remove_ima_buffer code to use functions from libfdt reducing
    wrappers functions.
  Update function do_get_kexec_buffer to use of_* functions, and
    reducing wrapper functions.
  Add support in arm64 to store the memory information of the IMA
    measurement log in the kimage used for kexec.
  Update the Kconfig to support carrying forward the IMA Measurement log
    and and update the setup_dtb call to add the linux,ima-kexec-buffer
    property to the DTB.
  Add the property used for carrying forward the IMA measurement logs
    and update the code to use the defined property string.

 arch/arm64/Kconfig                     |   1 +
 arch/arm64/include/asm/ima.h           |  17 ++++
 arch/arm64/include/asm/kexec.h         |   3 +
 arch/arm64/kernel/machine_kexec_file.c |  45 +++++++--
 arch/powerpc/include/asm/ima.h         |   3 -
 arch/powerpc/kexec/ima.c               | 123 ++++++-------------------
 security/integrity/ima/ima_kexec.c     |  81 ++++++++++++++++
 7 files changed, 168 insertions(+), 105 deletions(-)
 create mode 100644 arch/arm64/include/asm/ima.h

-- 
2.25.1
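
The cover letter above describes `linux,ima-kexec-buffer` as a chosen-node entry holding the address and size of the reserved memory. The user-space C sketch below is an added example, not code from this patch series: it decodes such a property value and shows that a reader and writer disagreeing on the cell counts produce a silently wrong size unless the length is checked exactly. The function names, error codes and sample bytes are constructed for illustration.

```c
/* Added example (user space): decode a linux,ima-kexec-buffer value. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { IMA_BUF_OK = 0, IMA_BUF_BAD_CELLS = -1, IMA_BUF_BAD_LEN = -2,
       IMA_BUF_BAD_RANGE = -3 };	/* hypothetical error codes */

struct ima_buf {
	uint64_t addr;
	uint64_t size;
};

/* Constructed sample: addr 0x9f000000, size 0x2000, written as 2 + 2 cells. */
const uint8_t SAMPLE_PROP[16] = {
	0x00, 0x00, 0x00, 0x00, 0x9f, 0x00, 0x00, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
};

/* Constructed sample: a range that wraps past the end of the address space. */
const uint8_t WRAP_PROP[16] = {
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf0, 0x00,
	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00,
};

/* Read `cells` big-endian 32-bit cells, as the kernel's of_read_number() does. */
static uint64_t read_cells(const uint8_t *p, int cells)
{
	uint64_t v = 0;

	while (cells-- > 0) {
		uint32_t c = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
			     ((uint32_t)p[2] << 8) | (uint32_t)p[3];
		v = (v << 32) | c;
		p += 4;
	}
	return v;
}

/* Modelled on the `len < 4 * (addr_cells + size_cells)` check in the patch. */
int decode_lenient(const uint8_t *prop, size_t len, int addr_cells,
		   int size_cells, struct ima_buf *out)
{
	if (len < 4u * (size_t)(addr_cells + size_cells))
		return IMA_BUF_BAD_LEN;
	out->addr = read_cells(prop, addr_cells);
	out->size = read_cells(prop + 4 * addr_cells, size_cells);
	return IMA_BUF_OK;
}

/* Stricter variant: bounded cell counts, exact length, sane range. */
int decode_strict(const uint8_t *prop, size_t len, int addr_cells,
		  int size_cells, struct ima_buf *out)
{
	if (addr_cells < 1 || addr_cells > 2 || size_cells < 1 || size_cells > 2)
		return IMA_BUF_BAD_CELLS;
	/* A longer value means the writer used other cell counts or appended. */
	if (len != 4u * (size_t)(addr_cells + size_cells))
		return IMA_BUF_BAD_LEN;
	out->addr = read_cells(prop, addr_cells);
	out->size = read_cells(prop + 4 * addr_cells, size_cells);
	/* Reject an empty buffer and a range that wraps around. */
	if (out->size == 0 || out->addr + out->size < out->addr)
		return IMA_BUF_BAD_RANGE;
	return IMA_BUF_OK;
}

int main(void)
{
	struct ima_buf b = { 0, 0 };
	int rc;

	rc = decode_strict(SAMPLE_PROP, sizeof(SAMPLE_PROP), 2, 2, &b);
	printf("strict  2+2: rc=%d addr=%#llx size=%#llx\n", rc,
	       (unsigned long long)b.addr, (unsigned long long)b.size);

	/* Reader assumes 2 + 1 cells: the size is taken from the wrong cell. */
	rc = decode_lenient(SAMPLE_PROP, sizeof(SAMPLE_PROP), 2, 1, &b);
	printf("lenient 2+1: rc=%d addr=%#llx size=%#llx\n", rc,
	       (unsigned long long)b.addr, (unsigned long long)b.size);

	rc = decode_strict(SAMPLE_PROP, sizeof(SAMPLE_PROP), 2, 1, &b);
	printf("strict  2+1: rc=%d\n", rc);

	rc = decode_strict(WRAP_PROP, sizeof(WRAP_PROP), 2, 2, &b);
	printf("strict wrap: rc=%d\n", rc);
	return 0;
}
```

With the lenient check a cell-count mismatch decodes to a zero-sized buffer and the measurement log is lost without an error; the exact-length check turns the same input into a reportable failure.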



* [PATCH V3 1/6] Refactoring powerpc code to be made available to other architectures
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 2/6] Update remove_ima_buffer code to use functions from libfdt reducing wrappers functions Prakhar Srivastava
                   ` (4 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Existing code in arch/powerpc can be used for carrying forward the IMA measurement
logs by other architectures.

Moving non architecture specific code to security/integrity, to be made available
to other architectures.

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 arch/powerpc/include/asm/ima.h     |  3 -
 arch/powerpc/kexec/ima.c           | 54 ------------------
 security/integrity/ima/ima_kexec.c | 91 ++++++++++++++++++++++++++++++
 3 files changed, 91 insertions(+), 57 deletions(-)

diff --git a/arch/powerpc/include/asm/ima.h b/arch/powerpc/include/asm/ima.h
index ead488cf3981..bc27fd94de52 100644
--- a/arch/powerpc/include/asm/ima.h
+++ b/arch/powerpc/include/asm/ima.h
@@ -4,9 +4,6 @@
 
 struct kimage;
 
-int ima_get_kexec_buffer(void **addr, size_t *size);
-int ima_free_kexec_buffer(void);
-
 #ifdef CONFIG_IMA
 void remove_ima_buffer(void *fdt, int chosen_node);
 #else
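Review bot: the two prototypes dropped here, `ima_get_kexec_buffer()` and `ima_free_kexec_buffer()`, are not added to any other header in this patch (the diffstat touches only this header and two .c files), so the definitions moved into security/integrity/ima/ima_kexec.c become non-static functions with no declaration in scope. Move the declarations to a header that the IMA core and the arch code both include, in this same patch, so every step of the series builds without missing-prototype warnings.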
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index 720e50e490b6..563313703756 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -46,60 +46,6 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
 	return 0;
 }
 
-/**
- * ima_get_kexec_buffer - get IMA buffer from the previous kernel
- * @addr:	On successful return, set to point to the buffer contents.
- * @size:	On successful return, set to the buffer size.
- *
- * Return: 0 on success, negative errno on error.
- */
-int ima_get_kexec_buffer(void **addr, size_t *size)
-{
-	int ret, len;
-	unsigned long tmp_addr;
-	size_t tmp_size;
-	const void *prop;
-
-	prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
-	if (!prop)
-		return -ENOENT;
-
-	ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
-	if (ret)
-		return ret;
-
-	*addr = __va(tmp_addr);
-	*size = tmp_size;
-
-	return 0;
-}
-
-/**
- * ima_free_kexec_buffer - free memory used by the IMA buffer
- */
-int ima_free_kexec_buffer(void)
-{
-	int ret;
-	unsigned long addr;
-	size_t size;
-	struct property *prop;
-
-	prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
-	if (!prop)
-		return -ENOENT;
-
-	ret = do_get_kexec_buffer(prop->value, prop->length, &addr, &size);
-	if (ret)
-		return ret;
-
-	ret = of_remove_property(of_chosen, prop);
-	if (ret)
-		return ret;
-
-	return memblock_free(addr, size);
-
-}
-
 /**
  * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
  *
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 121de3e04af2..2fe2d3bf7bda 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -10,8 +10,99 @@
 #include <linux/seq_file.h>
 #include <linux/vmalloc.h>
 #include <linux/kexec.h>
+#include <linux/of.h>
+#include <linux/memblock.h>
+#include <linux/libfdt.h>
 #include "ima.h"
 
+static int get_addr_size_cells(int *addr_cells, int *size_cells)
+{
+	struct device_node *root;
+
+	root = of_find_node_by_path("/");
+	if (!root)
+		return -EINVAL;
+
+	*addr_cells = of_n_addr_cells(root);
+	*size_cells = of_n_size_cells(root);
+
+	of_node_put(root);
+
+	return 0;
+}
+
+static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
+			       size_t *size)
+{
+	int ret, addr_cells, size_cells;
+
+	ret = get_addr_size_cells(&addr_cells, &size_cells);
+	if (ret)
+		return ret;
+
+	if (len < 4 * (addr_cells + size_cells))
+		return -ENOENT;
+
+	*addr = of_read_number(prop, addr_cells);
+	*size = of_read_number(prop + 4 * addr_cells, size_cells);
+
+	return 0;
+}
+
+/**
+ * ima_get_kexec_buffer - get IMA buffer from the previous kernel
+ * @addr:	On successful return, set to point to the buffer contents.
+ * @size:	On successful return, set to the buffer size.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+int ima_get_kexec_buffer(void **addr, size_t *size)
+{
+	int ret, len;
+	unsigned long tmp_addr;
+	size_t tmp_size;
+	const void *prop;
+
+	prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len);
+	if (!prop)
+		return -ENOENT;
+
+	ret = do_get_kexec_buffer(prop, len, &tmp_addr, &tmp_size);
+	if (ret)
+		return ret;
+
+	*addr = __va(tmp_addr);
+	*size = tmp_size;
+
+	return 0;
+}
+
+/**
+ * ima_free_kexec_buffer - free memory used by the IMA buffer
+ */
+int ima_free_kexec_buffer(void)
+{
+	int ret;
+	unsigned long addr;
+	size_t size;
+	struct property *prop;
+
+	prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
+	if (!prop)
+		return -ENOENT;
+
+	ret = do_get_kexec_buffer(prop->value, prop->length, &addr, &size);
+	if (ret)
+		return ret;
+
+	ret = of_remove_property(of_chosen, prop);
+	if (ret)
+		return ret;
+
+	return memblock_free(addr, size);
+
+}
+
 #ifdef CONFIG_IMA_KEXEC
 static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
 				     unsigned long segment_size)
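Review bot: `ima_get_kexec_buffer()` and `ima_free_kexec_buffer()` trust the address and size read from the `linux,ima-kexec-buffer` property; the only check is `len < 4 * (addr_cells + size_cells)`, after which the values go straight to `__va()` and `memblock_free()`. Now that this is generic code, reject a zero size or a range that wraps before using it, and return -EINVAL rather than -ENOENT for a short property so callers can tell a malformed entry from a missing one. Smaller points: `<linux/libfdt.h>` is included although no fdt_* call is added in this hunk, a second copy of `do_get_kexec_buffer()` remains in arch/powerpc/kexec/ima.c after this patch, and there is a stray blank line before the closing brace of `ima_free_kexec_buffer()`.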
-- 
2.25.1



* [PATCH V3 2/6] Update remove_ima_buffer code to use functions from libfdt reducing wrappers functions.
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 1/6] Refactoring powerpc code to be made available to other architectures Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:32   ` Greg KH
  2020-07-20 15:23 ` [PATCH V3 3/6] Update function do_get_kexec_buffer to use of_* functions, and reducing wrapper functions Prakhar Srivastava
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 arch/powerpc/kexec/ima.c | 63 ++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 38 deletions(-)

diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index 563313703756..a9e4e9f04273 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -12,40 +12,6 @@
 #include <linux/memblock.h>
 #include <linux/libfdt.h>
 
-static int get_addr_size_cells(int *addr_cells, int *size_cells)
-{
-	struct device_node *root;
-
-	root = of_find_node_by_path("/");
-	if (!root)
-		return -EINVAL;
-
-	*addr_cells = of_n_addr_cells(root);
-	*size_cells = of_n_size_cells(root);
-
-	of_node_put(root);
-
-	return 0;
-}
-
-static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
-			       size_t *size)
-{
-	int ret, addr_cells, size_cells;
-
-	ret = get_addr_size_cells(&addr_cells, &size_cells);
-	if (ret)
-		return ret;
-
-	if (len < 4 * (addr_cells + size_cells))
-		return -ENOENT;
-
-	*addr = of_read_number(prop, addr_cells);
-	*size = of_read_number(prop + 4 * addr_cells, size_cells);
-
-	return 0;
-}
-
 /**
  * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
  *
@@ -54,7 +20,7 @@ static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
  */
 void remove_ima_buffer(void *fdt, int chosen_node)
 {
-	int ret, len;
+	int ret, len, addr_cells, size_cells;
 	unsigned long addr;
 	size_t size;
 	const void *prop;
@@ -63,7 +29,22 @@ void remove_ima_buffer(void *fdt, int chosen_node)
 	if (!prop)
 		return;
 
-	ret = do_get_kexec_buffer(prop, len, &addr, &size);
+	ret = fdt_address_cells(fdt, chosen_node);
+	if (ret < 0)
+		return;
+	addr_cells = ret;
+
+	ret = fdt_size_cells(fdt, chosen_node);
+	if (ret < 0)
+		return;
+	size_cells = ret;
+
+	if (len < 4 * (addr_cells + size_cells))
+		return;
+
+	addr = of_read_number(prop, addr_cells);
+	size = of_read_number(prop + 4 * addr_cells, size_cells);
+
 	fdt_delprop(fdt, chosen_node, "linux,ima-kexec-buffer");
 	if (ret)
 		return;
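Review bot: the `if (ret)` test after `fdt_delprop()` no longer checks what it used to. `ret` previously held the result of `do_get_kexec_buffer()`; it now holds the last assignment, `ret = fdt_size_cells(fdt, chosen_node);`, which is normally a non-zero cell count, so the function returns here and the rest of it, which per the kernel-doc also removes the reservation, is skipped. The return value of `fdt_delprop()` is dropped as well. Assign it (`ret = fdt_delprop(...)`) so the test refers to the delete, or remove the test.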
@@ -129,9 +110,15 @@ int setup_ima_buffer(const struct kimage *image, void *fdt, int chosen_node)
 	if (!image->arch.ima_buffer_size)
 		return 0;
 
-	ret = get_addr_size_cells(&addr_cells, &size_cells);
-	if (ret)
+	ret = fdt_address_cells(fdt, chosen_node);
+	if (ret < 0)
+		return ret;
+	addr_cells = ret;
+
+	ret = fdt_size_cells(fdt, chosen_node);
+	if (ret < 0)
 		return ret;
+	size_cells = ret;
 
 	entry_size = 4 * (addr_cells + size_cells);
 
-- 
2.25.1



* [PATCH V3 3/6] Update function do_get_kexec_buffer to use of_* functions, and reducing wrapper functions.
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 1/6] Refactoring powerpc code to be made available to other architectures Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 2/6] Update remove_ima_buffer code to use functions from libfdt reducing wrappers functions Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 4/6] Add support in arm64 to store the memory information of the IMA measurement log in the kimage used for kexec Prakhar Srivastava
                   ` (2 subsequent siblings)
  5 siblings, 0 replies; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 security/integrity/ima/ima_kexec.c | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 2fe2d3bf7bda..e47982e9bb67 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -15,31 +15,21 @@
 #include <linux/libfdt.h>
 #include "ima.h"
 
-static int get_addr_size_cells(int *addr_cells, int *size_cells)
+static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
+			       size_t *size)
 {
+	int addr_cells, size_cells;
 	struct device_node *root;
 
 	root = of_find_node_by_path("/");
 	if (!root)
 		return -EINVAL;
 
-	*addr_cells = of_n_addr_cells(root);
-	*size_cells = of_n_size_cells(root);
+	addr_cells = of_n_addr_cells(root);
+	size_cells = of_n_size_cells(root);
 
 	of_node_put(root);
 
-	return 0;
-}
-
-static int do_get_kexec_buffer(const void *prop, int len, unsigned long *addr,
-			       size_t *size)
-{
-	int ret, addr_cells, size_cells;
-
-	ret = get_addr_size_cells(&addr_cells, &size_cells);
-	if (ret)
-		return ret;
-
 	if (len < 4 * (addr_cells + size_cells))
 		return -ENOENT;
 
-- 
2.25.1



* [PATCH V3 4/6] Add support in arm64 to store the memory information of the IMA measurement log in the kimage used for kexec.
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
                   ` (2 preceding siblings ...)
  2020-07-20 15:23 ` [PATCH V3 3/6] Update function do_get_kexec_buffer to use of_* functions, and reducing wrapper functions Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 5/6] Update the Kconfig to support carrying forward the IMA Measurement log and and update the setup_dtb call to add the linux,ima-kexec-buffer property to the DTB Prakhar Srivastava
  2020-07-20 15:23 ` [PATCH V3 6/6] Add the property used for carrying forward the IMA measurement logs and update the code to use the defined property string Prakhar Srivastava
  5 siblings, 0 replies; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Store the physical address and size of the IMA measurement logs that get picked up
by the setup_dtb during kexec.

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 arch/arm64/include/asm/ima.h           | 17 +++++++++++++++++
 arch/arm64/include/asm/kexec.h         |  3 +++
 arch/arm64/kernel/machine_kexec_file.c | 17 +++++++++++++++++
 3 files changed, 37 insertions(+)
 create mode 100644 arch/arm64/include/asm/ima.h

diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h
new file mode 100644
index 000000000000..70ac39b74607
--- /dev/null
+++ b/arch/arm64/include/asm/ima.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_ARCH_IMA_H
+#define _ASM_ARCH_IMA_H
+
+struct kimage;
+
+#ifdef CONFIG_IMA_KEXEC
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+			      size_t size);
+#else
+static inline int arch_ima_add_kexec_buffer(struct kimage *image,
+			unsigned long load_addr, size_t size)
+{
+	return 0;
+}
+#endif /* CONFIG_IMA_KEXEC */
+#endif /* _ASM_ARCH_IMA_H */
diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h
index d24b527e8c00..7bd60c185ad3 100644
--- a/arch/arm64/include/asm/kexec.h
+++ b/arch/arm64/include/asm/kexec.h
@@ -100,6 +100,9 @@ struct kimage_arch {
 	void *elf_headers;
 	unsigned long elf_headers_mem;
 	unsigned long elf_headers_sz;
+
+	phys_addr_t ima_buffer_addr;
+	size_t ima_buffer_size;
 };
 
 extern const struct kexec_file_ops kexec_image_ops;
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 361a1143e09e..4c54723e7a04 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -38,6 +38,23 @@ const struct kexec_file_ops * const kexec_file_loaders[] = {
 	NULL
 };
 
+/**
+ * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer
+ *
+ * Architectures should use this function to pass on the IMA buffer
+ * information to the next kernel.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+			      size_t size)
+{
+	image->arch.ima_buffer_addr = load_addr;
+	image->arch.ima_buffer_size = size;
+	return 0;
+}
+
+
 int arch_kimage_file_post_load_cleanup(struct kimage *image)
 {
 	vfree(image->arch.dtb);
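Review bot: `arch_ima_add_kexec_buffer()` is defined unconditionally here, but asm/ima.h from this same patch supplies a `static inline` stub of the same name when CONFIG_IMA_KEXEC is off, and this hunk adds no `#include <asm/ima.h>`. As posted the definition has no prototype in scope, and once the header is included a CONFIG_IMA_KEXEC=n build sees two conflicting definitions. Include the header and wrap the definition in `#ifdef CONFIG_IMA_KEXEC`. The kernel-doc block also omits `@image`, `@load_addr` and `@size`, `load_addr` is an `unsigned long` stored into a `phys_addr_t` field, and there is a doubled blank line after the function.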
-- 
2.25.1



* [PATCH V3 5/6] Update the Kconfig to support carrying forward the IMA Measurement log and and update the setup_dtb call to add the linux,ima-kexec-buffer property to the DTB.
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
                   ` (3 preceding siblings ...)
  2020-07-20 15:23 ` [PATCH V3 4/6] Add support in arm64 to store the memory information of the IMA measurement log in the kimage used for kexec Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:32   ` Greg KH
  2020-07-20 15:23 ` [PATCH V3 6/6] Add the property used for carrying forward the IMA measurement logs and update the code to use the defined property string Prakhar Srivastava
  5 siblings, 1 reply; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 arch/arm64/Kconfig                     |  1 +
 arch/arm64/kernel/machine_kexec_file.c | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 66dc41fd49f2..ece34b8ca648 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1077,6 +1077,7 @@ config KEXEC
 config KEXEC_FILE
 	bool "kexec file based system call"
 	select KEXEC_CORE
+	select HAVE_IMA_KEXEC
 	help
 	  This is new version of kexec system call. This system call is
 	  file based and takes file descriptors as system call argument
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 4c54723e7a04..066670c43626 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -153,6 +153,17 @@ static int setup_dtb(struct kimage *image,
 				FDT_PROP_KASLR_SEED);
 	}
 
+	/* add ima-kexec-buffer */
+	if (image->arch.ima_buffer_size > 0) {
+
+		ret = fdt_appendprop_addrrange(dtb, 0, off,
+				"linux,ima-kexec-buffer",
+				image->arch.ima_buffer_addr,
+				image->arch.ima_buffer_size);
+		if (ret)
+			return (ret == -FDT_ERR_NOSPACE ? -ENOMEM : -EINVAL);
+	}
+
 	/* add rng-seed */
 	if (rng_is_initialized()) {
 		void *rng_seed;
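Review bot: `fdt_appendprop_addrrange()` appends to the property instead of replacing it, so if the dtb being prepared already carries `linux,ima-kexec-buffer` from an earlier kexec, the new range lands behind the stale one, and `do_get_kexec_buffer()` reads only the first address/size pair. Delete any existing property before adding the new one, as powerpc's `remove_ima_buffer()` does for its property and reservation. Also drop the blank line after the opening brace of the `if`.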
-- 
2.25.1



* [PATCH V3 6/6] Add the property used for carrying forward the IMA measurement logs and update the code to use the defined property string.
  2020-07-20 15:23 [PATCH V3 0/6] Add support to carry forward the IMA measurement logs Prakhar Srivastava
                   ` (4 preceding siblings ...)
  2020-07-20 15:23 ` [PATCH V3 5/6] Update the Kconfig to support carrying forward the IMA Measurement log and and update the setup_dtb call to add the linux,ima-kexec-buffer property to the DTB Prakhar Srivastava
@ 2020-07-20 15:23 ` Prakhar Srivastava
  2020-07-20 15:34   ` Greg KH
  5 siblings, 1 reply; 10+ messages in thread
From: Prakhar Srivastava @ 2020-07-20 15:23 UTC (permalink / raw)
  To: linux-integrity, linux-kernel, devicetree
  Cc: catalin.marinas, will, mpe, benh, paulus, robh+dt, frowand.list,
	zohar, dmitry.kasatkin, jmorris, serge, pasha.tatashin, allison,
	kstewart, takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, gregkh, nramas, prsriva, tusharsu, balajib,
	bauerman, robh

Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
---
 arch/arm64/kernel/machine_kexec_file.c | 19 ++++++++++---------
 arch/powerpc/kexec/ima.c               |  8 +++++---
 2 files changed, 15 insertions(+), 12 deletions(-)

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 066670c43626..59058901e641 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -24,14 +24,15 @@
 #include <asm/byteorder.h>
 
 /* relevant device tree properties */
-#define FDT_PROP_KEXEC_ELFHDR	"linux,elfcorehdr"
-#define FDT_PROP_MEM_RANGE	"linux,usable-memory-range"
-#define FDT_PROP_INITRD_START	"linux,initrd-start"
-#define FDT_PROP_INITRD_END	"linux,initrd-end"
-#define FDT_PROP_BOOTARGS	"bootargs"
-#define FDT_PROP_KASLR_SEED	"kaslr-seed"
-#define FDT_PROP_RNG_SEED	"rng-seed"
-#define RNG_SEED_SIZE		128
+#define FDT_PROP_KEXEC_ELFHDR		"linux,elfcorehdr"
+#define FDT_PROP_MEM_RANGE		"linux,usable-memory-range"
+#define FDT_PROP_INITRD_START		"linux,initrd-start"
+#define FDT_PROP_INITRD_END		"linux,initrd-end"
+#define FDT_PROP_BOOTARGS		"bootargs"
+#define FDT_PROP_KASLR_SEED		"kaslr-seed"
+#define FDT_PROP_RNG_SEED		"rng-seed"
+#define FDT_PROP_IMA_KEXEC_BUFFER	"linux,ima-kexec-buffer"
+#define RNG_SEED_SIZE			128
 
 const struct kexec_file_ops * const kexec_file_loaders[] = {
 	&kexec_image_ops,
@@ -157,7 +158,7 @@ static int setup_dtb(struct kimage *image,
 	if (image->arch.ima_buffer_size > 0) {
 
 		ret = fdt_appendprop_addrrange(dtb, 0, off,
-				"linux,ima-kexec-buffer",
+				FDT_PROP_IMA_KEXEC_BUFFER,
 				image->arch.ima_buffer_addr,
 				image->arch.ima_buffer_size);
 		if (ret)
diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
index a9e4e9f04273..7d6c43b2eacb 100644
--- a/arch/powerpc/kexec/ima.c
+++ b/arch/powerpc/kexec/ima.c
@@ -12,6 +12,8 @@
 #include <linux/memblock.h>
 #include <linux/libfdt.h>
 
+#define FDT_PROP_IMA_KEXEC_BUFFER	"linux,ima-kexec-buffer"
+
 /**
  * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
  *
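Review bot: this is the second definition of `FDT_PROP_IMA_KEXEC_BUFFER` in the patch (the other is in arch/arm64/kernel/machine_kexec_file.c), and the generic reader added to security/integrity/ima/ima_kexec.c in 1/6 still passes the literal string to `of_get_property()` and `of_find_property()`. Define the name once in a header shared by the IMA core and both architectures and use it in all three places, so a future rename cannot leave writer and reader looking for different properties.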
@@ -25,7 +27,7 @@ void remove_ima_buffer(void *fdt, int chosen_node)
 	size_t size;
 	const void *prop;
 
-	prop = fdt_getprop(fdt, chosen_node, "linux,ima-kexec-buffer", &len);
+	prop = fdt_getprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER, &len);
 	if (!prop)
 		return;
 
@@ -45,7 +47,7 @@ void remove_ima_buffer(void *fdt, int chosen_node)
 	addr = of_read_number(prop, addr_cells);
 	size = of_read_number(prop + 4 * addr_cells, size_cells);
 
-	fdt_delprop(fdt, chosen_node, "linux,ima-kexec-buffer");
+	fdt_delprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER);
 	if (ret)
 		return;
 
@@ -134,7 +136,7 @@ int setup_ima_buffer(const struct kimage *image, void *fdt, int chosen_node)
 	if (ret)
 		return ret;
 
-	ret = fdt_setprop(fdt, chosen_node, "linux,ima-kexec-buffer", value,
+	ret = fdt_setprop(fdt, chosen_node, FDT_PROP_IMA_KEXEC_BUFFER, value,
 			  entry_size);
 	if (ret < 0)
 		return -EINVAL;
-- 
2.25.1



* Re: [PATCH V3 2/6] Update remove_ima_buffer code to use functions from libfdt reducing wrappers functions.
  2020-07-20 15:23 ` [PATCH V3 2/6] Update remove_ima_buffer code to use functions from libfdt reducing wrappers functions Prakhar Srivastava
@ 2020-07-20 15:32   ` Greg KH
  0 siblings, 0 replies; 10+ messages in thread
From: Greg KH @ 2020-07-20 15:32 UTC (permalink / raw)
  To: Prakhar Srivastava
  Cc: linux-integrity, linux-kernel, devicetree, catalin.marinas, will,
	mpe, benh, paulus, robh+dt, frowand.list, zohar, dmitry.kasatkin,
	jmorris, serge, pasha.tatashin, allison, kstewart,
	takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, nramas, tusharsu, balajib, bauerman, robh

On Mon, Jul 20, 2020 at 08:23:38AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>

I know I refuse patches without any changelog texts, perhaps other
maintainers are more lax...

Also, your subject lines are really odd, look at how almost all other
patches do it, we have hundreds of thousands of examples to choose from
:)

thanks,

greg k-h


* Re: [PATCH V3 5/6] Update the Kconfig to support carrying forward the IMA Measurement log and and update the setup_dtb call to add the linux,ima-kexec-buffer property to the DTB.
  2020-07-20 15:23 ` [PATCH V3 5/6] Update the Kconfig to support carrying forward the IMA Measurement log and and update the setup_dtb call to add the linux,ima-kexec-buffer property to the DTB Prakhar Srivastava
@ 2020-07-20 15:32   ` Greg KH
  0 siblings, 0 replies; 10+ messages in thread
From: Greg KH @ 2020-07-20 15:32 UTC (permalink / raw)
  To: Prakhar Srivastava
  Cc: linux-integrity, linux-kernel, devicetree, catalin.marinas, will,
	mpe, benh, paulus, robh+dt, frowand.list, zohar, dmitry.kasatkin,
	jmorris, serge, pasha.tatashin, allison, kstewart,
	takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, nramas, tusharsu, balajib, bauerman, robh

On Mon, Jul 20, 2020 at 08:23:41AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>

Your subject line is whack.


* Re: [PATCH V3 6/6] Add the property used for carrying forward the IMA measurement logs and update the code to use the defined property string.
  2020-07-20 15:23 ` [PATCH V3 6/6] Add the property used for carrying forward the IMA measurement logs and update the code to use the defined property string Prakhar Srivastava
@ 2020-07-20 15:34   ` Greg KH
  0 siblings, 0 replies; 10+ messages in thread
From: Greg KH @ 2020-07-20 15:34 UTC (permalink / raw)
  To: Prakhar Srivastava
  Cc: linux-integrity, linux-kernel, devicetree, catalin.marinas, will,
	mpe, benh, paulus, robh+dt, frowand.list, zohar, dmitry.kasatkin,
	jmorris, serge, pasha.tatashin, allison, kstewart,
	takahiro.akashi, tglx, vincenzo.frascino, mark.rutland,
	masahiroy, james.morse, bhsharma, mbrugger, hsinyi, tao.li,
	christophe.leroy, nramas, tusharsu, balajib, bauerman, robh

On Mon, Jul 20, 2020 at 08:23:42AM -0700, Prakhar Srivastava wrote:
> Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>

Again, subject line, no changelog :(

> ---
>  arch/arm64/kernel/machine_kexec_file.c | 19 ++++++++++---------
>  arch/powerpc/kexec/ima.c               |  8 +++++---
>  2 files changed, 15 insertions(+), 12 deletions(-)
> 
> diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
> index 066670c43626..59058901e641 100644
> --- a/arch/arm64/kernel/machine_kexec_file.c
> +++ b/arch/arm64/kernel/machine_kexec_file.c
> @@ -24,14 +24,15 @@
>  #include <asm/byteorder.h>
>  
>  /* relevant device tree properties */
> -#define FDT_PROP_KEXEC_ELFHDR	"linux,elfcorehdr"
> -#define FDT_PROP_MEM_RANGE	"linux,usable-memory-range"
> -#define FDT_PROP_INITRD_START	"linux,initrd-start"
> -#define FDT_PROP_INITRD_END	"linux,initrd-end"
> -#define FDT_PROP_BOOTARGS	"bootargs"
> -#define FDT_PROP_KASLR_SEED	"kaslr-seed"
> -#define FDT_PROP_RNG_SEED	"rng-seed"
> -#define RNG_SEED_SIZE		128
> +#define FDT_PROP_KEXEC_ELFHDR		"linux,elfcorehdr"
> +#define FDT_PROP_MEM_RANGE		"linux,usable-memory-range"
> +#define FDT_PROP_INITRD_START		"linux,initrd-start"
> +#define FDT_PROP_INITRD_END		"linux,initrd-end"
> +#define FDT_PROP_BOOTARGS		"bootargs"
> +#define FDT_PROP_KASLR_SEED		"kaslr-seed"
> +#define FDT_PROP_RNG_SEED		"rng-seed"
> +#define FDT_PROP_IMA_KEXEC_BUFFER	"linux,ima-kexec-buffer"
> +#define RNG_SEED_SIZE			128

Why did you reformat all of these?

>  
>  const struct kexec_file_ops * const kexec_file_loaders[] = {
>  	&kexec_image_ops,
> @@ -157,7 +158,7 @@ static int setup_dtb(struct kimage *image,
>  	if (image->arch.ima_buffer_size > 0) {
>  
>  		ret = fdt_appendprop_addrrange(dtb, 0, off,
> -				"linux,ima-kexec-buffer",
> +				FDT_PROP_IMA_KEXEC_BUFFER,
>  				image->arch.ima_buffer_addr,
>  				image->arch.ima_buffer_size);
>  		if (ret)
> diff --git a/arch/powerpc/kexec/ima.c b/arch/powerpc/kexec/ima.c
> index a9e4e9f04273..7d6c43b2eacb 100644
> --- a/arch/powerpc/kexec/ima.c
> +++ b/arch/powerpc/kexec/ima.c
> @@ -12,6 +12,8 @@
>  #include <linux/memblock.h>
>  #include <linux/libfdt.h>
>  
> +#define FDT_PROP_IMA_KEXEC_BUFFER	"linux,ima-kexec-buffer"
> +

Why are you mixing arm64 and powerpc patches together that do not do the
same thing???

Shouldn't there be a common place for these strings and not spread out
all over the kernel in random places?

thanks,

greg k-h

