On 05/02/25 at 01:03pm, steven chen wrote:
> From: Steven Chen <chen...@linux.microsoft.com>
>
> Kdump kernel doesn't need IMA to do integrity measurement.
> Hence the measurement list in 1st kernel doesn't need to be copied to
> kdump kernel.
>
> Here skip allocating buffer for measurement list copying if loading
> kdump kernel. Then there won't be the later handling related to
> ima_kexec_buffer.
>
> Signed-off-by: Steven Chen <chen...@linux.microsoft.com>
> ---
>  security/integrity/ima/ima_kexec.c | 3 +++
>  1 file changed, 3 insertions(+)
I applied this patch on top of the below IMA patchset, and did a test.

[PATCH v13 0/9] ima: kexec: measure events between kexec load and execute

When I loaded the kdump kernel as below with '-d' specified:

/sbin/kexec -s -d -p --command-line=BOOT_IMAGE=(hd0,gpt2)/vmlinuz-6.15.0-rc6+ ro console=ttyS0,115200N81 irqpoll nr_cpus=1 reset_devices cgroup_disable=memory mce=off numa=off udev.children-max=2 panic=10 acpi_no_memhotplug transparent_hugepage=never nokaslr hest_disable novmcoredd cma=0 hugetlb_cma=0 pcie_ports=compat disable_cpu_apicid=0 --initrd=/boot/initramfs-6.15.0-rc6+kdump.img /boot/vmlinuz-6.15.0-rc6+

I can see that this patch works to skip copying the measurement list to the kdump kernel as expected.

=====Without this patch===
[48522.060422] kexec_file: kernel: 000000006fbcb87f kernel_size: 0xe99200
[48522.067742] PEFILE: Unsigned PE binary
[48522.094849] ima: kexec measurement buffer for the loaded kernel at 0x6efff000.
[48522.102982] crash_core: Crash PT_LOAD ELF header. phdr=00000000cae5d7e6 vaddr=0xffff8da640100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
......snip...
=====

=====With this patch applied====
[ 2101.704125] kexec_file: kernel: 0000000046d8985c kernel_size: 0xeab200
[ 2101.711436] PEFILE: Unsigned PE binary
[ 2101.734752] crash_core: Crash PT_LOAD ELF header. phdr=000000006fc83a51 vaddr=0xffff899480100000, paddr=0x100000, sz=0x5af00000 e_phnum=67 p_offset=0x100000
......snip...
=====>

My only concern is that the patch subject is not very specific; it'd better reflect the exact action taken in this patch, like:

ima: do not copy measurement list to kdump kernel

Other than the above concern, please feel free to add my:

Tested-by: Baoquan He <b...@redhat.com>
Acked-by: Baoquan He <b...@redhat.com>

> diff --git a/security/integrity/ima/ima_kexec.c
> b/security/integrity/ima/ima_kexec.c
> index 38cb2500f4c3..7362f68f2d8b 100644
> --- a/security/integrity/ima/ima_kexec.c
> +++ b/security/integrity/ima/ima_kexec.c
> @@ -146,6 +146,9 @@ void ima_add_kexec_buffer(struct kimage *image) > void *kexec_buffer = NULL; > int ret; > > + if (image->type == KEXEC_TYPE_CRASH) > + return; > + > /* > * Reserve extra memory for measurements added during kexec. > */ > -- > 2.43.0 >
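Review bot: the early return added at the top of ima_add_kexec_buffer() carries its rationale only in the commit message; a one-line comment above `if (image->type == KEXEC_TYPE_CRASH)` saying that a kdump kernel performs no IMA measurement, so no measurement-list buffer is needed, would keep a later reader from mistaking the skip for an oversight. Since the function now exits before the "Reserve extra memory for measurements added during kexec" path, please also confirm that every later consumer of the buffer state (the commit message refers to the subsequent ima_kexec_buffer handling) tolerates the buffer never having been allocated for a crash-type image, rather than assuming it was set up by this function.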