diff options
| author | Jonathan McDowell <noodles@fb.com> | 2022-06-30 08:36:12 +0000 |
|---|---|---|
| committer | Borislav Petkov <bp@suse.de> | 2022-07-01 15:22:16 +0200 |
| commit | b69a2afd5afce9bf6d56e349d6ab592c916e20f2 (patch) | |
| tree | 3406ca4a696ef1e6e3eab66a446ae5dfb56f1c73 /include | |
| parent | 03c765b0e3b4cb5063276b086c76f7a612856a9a (diff) | |
| download | linux-stable-b69a2afd5afce9bf6d56e349d6ab592c916e20f2.tar.gz linux-stable-b69a2afd5afce9bf6d56e349d6ab592c916e20f2.tar.bz2 linux-stable-b69a2afd5afce9bf6d56e349d6ab592c916e20f2.zip | |
x86/kexec: Carry forward IMA measurement log on kexec
On kexec file load, the Integrity Measurement Architecture (IMA)
subsystem may verify the IMA signature of the kernel and initramfs, and
measure it. The command line parameters passed to the kernel in the
kexec call may also be measured by IMA.
A remote attestation service can verify a TPM quote based on the TPM
event log, the IMA measurement list and the TPM PCR data. This can
be achieved only if the IMA measurement log is carried over from the
current kernel to the next kernel across the kexec call.
PowerPC and ARM64 both achieve this using device tree with a
"linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
device tree, so use the setup_data mechanism to pass the IMA buffer to
the new kernel.
Signed-off-by: Jonathan McDowell <noodles@fb.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> # IMA function definitions
Link: https://lore.kernel.org/r/YmKyvlF3my1yWTvK@noodles-fedora-PC23Y6EG
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/ima.h | 5 | ||||
| -rw-r--r-- | include/linux/of.h | 2 |
2 files changed, 5 insertions, 2 deletions
diff --git a/include/linux/ima.h b/include/linux/ima.h index 426b1744215e..81708ca0ebc7 100644 --- a/include/linux/ima.h +++ b/include/linux/ima.h @@ -140,6 +140,11 @@ static inline int ima_measure_critical_data(const char *event_label, #endif /* CONFIG_IMA */ +#ifdef CONFIG_HAVE_IMA_KEXEC +int __init ima_free_kexec_buffer(void); +int __init ima_get_kexec_buffer(void **addr, size_t *size); +#endif + #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT extern bool arch_ima_get_secureboot(void); extern const char * const *arch_get_ima_policy(void); diff --git a/include/linux/of.h b/include/linux/of.h index f0a5d6b10c5a..20a4e7cb7afe 100644 --- a/include/linux/of.h +++ b/include/linux/of.h @@ -441,8 +441,6 @@ void *of_kexec_alloc_and_setup_fdt(const struct kimage *image, unsigned long initrd_load_addr, unsigned long initrd_len, const char *cmdline, size_t extra_fdt_size); -int ima_get_kexec_buffer(void **addr, size_t *size); -int ima_free_kexec_buffer(void); #else /* CONFIG_OF */ static inline void of_core_init(void) |