The IMA log is currently copied to the new kernel during kexec 'load'
using ima_dump_measurement_list(). However, the log copied at kexec
'load' may result in loss of IMA measurements that only occurred after
kexec "load'. Therefore, the log needs to be copied during kexec
'execute'. Setup the
On Fri, 2025-02-28 at 13:03 +0800, Baoquan He wrote:
> On 02/27/25 at 10:41am, Mimi Zohar wrote:
> > [Cc'ing Mike Rapoport]
> >
> > On Mon, 2025-02-24 at 14:14 +0800, Baoquan He wrote:
> > > Hi Steve, Mimi,
> > >
> > > On 02/18/25 at 02:54pm, steven chen wrote:
> > > > Currently, the mechanism to
On Tue, 4 Mar 2025 15:53:27 -0800 Andrew Morton
wrote:
> Yan, please go back through the discussion and incorporate reviewer
> feedback into the changelogs: describe the possible issues which people
> have raised and your responses to those. Then resend and then let us
> restart the review proc
On 3/4/2025 2:23 PM, Jarkko Sakkinen wrote:
On Tue, Mar 04, 2025 at 11:03:46AM -0800, steven chen wrote:
The content of memory segments carried over to the new kernel during the
kexec systemcall can be changed at kexec 'execute' stage, but the size of
the memory segments cannot be changed at kex
On 3/4/2025 4:25 PM, Mimi Zohar wrote:
Hi Steven,
On Tue, 2025-03-04 at 11:03 -0800, steven chen wrote:
+void ima_measure_kexec_event(const char *event_name)
+{
+ char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
+ size_t buf_size = 0;
+ long len;
+
+ buf_size = ima_get_binary_
On Mon, 13 Jan 2025 19:12:27 +0800 Baoquan He wrote:
> On 01/13/25 at 12:01pm, Kirill A. Shutemov wrote:
> > On Fri, Dec 13, 2024 at 05:49:30PM +0800, Yan Zhao wrote:
> > > Hi Eric,
> > >
> > > This is a repost of the patch "kexec_core: Accept unaccepted kexec
> > > destination addresses" [1], r
On Tue, 4 Mar 2025 15:43:53 -0800 Andrew Morton
wrote:
> On Mon, 13 Jan 2025 19:12:27 +0800 Baoquan He wrote:
>
> > On 01/13/25 at 12:01pm, Kirill A. Shutemov wrote:
> > > On Fri, Dec 13, 2024 at 05:49:30PM +0800, Yan Zhao wrote:
> > > > Hi Eric,
> > > >
> > > > This is a repost of the patch
Hi Steven,
On Tue, 2025-03-04 at 11:03 -0800, steven chen wrote:
> +void ima_measure_kexec_event(const char *event_name)
> +{
> + char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
> + size_t buf_size = 0;
> + long len;
> +
> + buf_size = ima_get_binary_runtime_size();
> + len = atomic
On Fri, Feb 14, 2025 at 08:20:07AM -0800, Dave Hansen wrote:
> On 2/14/25 05:46, Kirill A. Shutemov wrote:
> >> It sounds like you're advocating for the "slow guest boot" option.
> >> Kirill, can you remind us how fast a guest boots to the shell for
> >> modestly-sized (say 256GB) memory with "acce
On Tue, Mar 04, 2025 at 11:03:46AM -0800, steven chen wrote:
> The content of memory segments carried over to the new kernel during the
> kexec systemcall can be changed at kexec 'execute' stage, but the size of
> the memory segments cannot be changed at kexec 'execute' stage.
>
> To copy IMA mea
The kexec_calculate_store_digests() function calculates and stores the
digest of the segment during the kexec_file_load syscall, where the
IMA segment is also allocated.
With this series, the IMA segment will be updated with the measurement
log at the kexec execute stage when a soft reboot is in
ima_dump_measurement_list() is called during kexec 'load', which may
result in loss of IMA measurements during kexec soft reboot. Due to
missed measurements that only occurred after kexec 'load', this function
needs to be called during kexec 'execute'.
This patch includes the following changes:
The current kernel behavior is IMA measurements snapshot is taken at
kexec 'load' and not at kexec 'execute'. IMA log is then carried
over to the new kernel after kexec 'execute'.
New events can be measured during/after the IMA log snapshot at kexec
'load' and before the system boots to the new
The amount of memory allocated at kexec load, even with the extra memory
allocated, might not be large enough for the entire measurement list. The
indeterminate interval between kexec 'load' and 'execute' could exacerbate
this problem.
Define two new IMA events, 'kexec_load' and 'kexec_execute',
The extra memory allocated for carrying the IMA measurement list across
kexec is hard-coded as half a PAGE. Make it configurable.
Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
extra memory (in kb) to be allocated for IMA measurements added during
kexec soft reboot. Ensure
The content of memory segments carried over to the new kernel during the
kexec systemcall can be changed at kexec 'execute' stage, but the size of
the memory segments cannot be changed at kexec 'execute' stage.
To copy IMA measurement logs during the kexec operation, IMA needs to
allocate memory
Carrying the IMA measurement list across kexec requires allocating a
buffer and copying the measurement records. Separate allocating the
buffer and copying the measurement records into separate functions in
order to allocate the buffer at kexec 'load' and copy the measurements
at kexec 'execute'.
"Kirill A. Shutemov" writes:
> On Fri, Feb 14, 2025 at 08:20:07AM -0800, Dave Hansen wrote:
>> On 2/14/25 05:46, Kirill A. Shutemov wrote:
>> >> It sounds like you're advocating for the "slow guest boot" option.
>> >> Kirill, can you remind us how fast a guest boots to the shell for
>> >> modestl
On 3/4/25 10:49, Eric W. Biederman wrote:
> How goes the work to fix this horrifically slow firmware interface?
The firmware interface isn't actually all that slow.
The fundamental requirement is that confidential computing environments
need to be handed memory in a known-benign state. For AMD SE
On Tue, 2025-03-04 at 11:03 -0800, steven chen wrote:
>
> - Compared the memory size allocated with memory size of the entire
>measurement record. Copy only complete measurement records if there
>is enough memory. If there is not enough memory, it will not copy
>any IMA measurement
20 matches
Mail list logo
