The MBM and MBA resctrl selftests run a benchmark during which
they take measurements of read memory bandwidth via perf.
Code exists to support measurements of write memory bandwidth
but there exists no path with which this code can execute.
While code exists for write memory bandwidth measurement
can execute.
>
> While code exists for write memory bandwidth measurement
> there has not yet been a use case for it. Remove this unused code.
> Rename relevant functions to include "read" so that it is clear
> that it relates only to memory bandwidth reads, while renaming
Run the IPI test
+# $1 run for baseline - busy cpu or regular environment
+# $2 destination cpu
+ipi_test_once() {
+dest_cpu=$2
+if [ "$1" = "baseline" ]; then
+# Keep the CPU busy
+ taskset -c "$dest_cpu" cat /dev/random >/dev/null &
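Review bot: `cat /dev/random` is not a reliable way to keep the destination CPU busy for the baseline: it reads from the kernel entropy pool, which blocks before the pool is initialized (and, on kernels before 5.6, whenever the pool is drained), so the "busy CPU" measurement may in fact run against an idle CPU. A pure spin such as `taskset -c "$dest_cpu" sh -c 'while :; do :; done' &` loads the CPU unconditionally. Also, `dest_cpu=$2` is assigned as a shell global rather than `local dest_cpu=$2`, and neither `$1` nor `$2` is validated, so calling the function with a missing argument silently runs `taskset -c ""`.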
ncryption.rst
> b/Documentation/virt/kvm/amd-memory-encryption.rst
> index 469a6308765b..34ce2d1fcb89 100644
> --- a/Documentation/virt/kvm/amd-memory-encryption.rst
> +++ b/Documentation/virt/kvm/amd-memory-encryption.rst
> @@ -148,6 +148,9 @@ measurement. Since the guest owner knows the in
/Documentation/virt/kvm/amd-memory-encryption.rst
+++ b/Documentation/virt/kvm/amd-memory-encryption.rst
@@ -148,6 +148,9 @@ measurement. Since the guest owner knows the initial
contents of the guest at
boot, the measurement can be verified by comparing it to what the guest owner
expects.
+If len is zero
Also use CLOCK_MONOTONIC flag to get time in kvm_page_table_test.c,
since that's what all the kvm/selftests do currently. And this will
be consistent with function timespec_elapsed() in test_util.c.
Signed-off-by: Yanan Wang
---
tools/testing/selftests/kvm/kvm_page_table_test.c | 8
1 f
kill $task_pid
+ wait $task_pid 2>/dev/null
+ fi
+}
+
+# Incrementally Enable idle states one by one and compute the latency
+run_ipi_tests()
+{
+ extract_latency
+ # Disable idle states for CPUs
+ op_cpuidle $DISABLE
+
+ declare -a avg_arr
+
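Review bot: `kill $task_pid` is unquoted and unguarded; if the background loader failed to start, `task_pid` is empty and `kill` prints a usage error instead of doing nothing, so guard it with `[ -n "$task_pid" ] && kill "$task_pid" 2>/dev/null` before the `wait`. In run_ipi_tests(), `op_cpuidle $DISABLE` passes the mode unquoted; quote it (`op_cpuidle "$DISABLE"`) so that an unset variable turns into a visible argument error rather than a silent call with no argument.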
Currently, IMA adds a measurement entry and an audit log even if access
to the file will be denied when appraisal is in enforce mode. This gives
the false indication to a verifier analyzing the data that file access
occurred. It also has the undesirable effect of unnecessarily revoking
access to
# Disable idle states for CPUs
+ op_cpuidle $DISABLE
+
+ declare -a avg_arr
+ echo -e "--IPI Latency Test---" | tee -a $LOG
+
+ echo -e "--Baseline IPI Latency measurement: CPU Busy--" >> $LOG
+ printf "%s %10s %12s\n" "SRC_CPU"
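Review bot: `tee -a $LOG` and `>> $LOG` use the log path unquoted, which breaks if `$LOG` contains spaces or is unset (an unset `$LOG` makes `>> $LOG` a runtime syntax error); use `"$LOG"` consistently. The `echo -e` flags are also unnecessary, since the strings contain no backslash escapes, and `echo -e` is not portable to a POSIX `sh`; `printf '%s\n' "--IPI Latency Test---"` matches the printf already used for the table header.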
Hello Doug,
Thanks for your review.
On 02/04/21 4:57 am, Doug Smythies wrote:
Hi Pratik,
On Thu, Apr 1, 2021 at 4:45 AM Pratik Rajesh Sampat
wrote:
...
To run this test specifically:
$ make -C tools/testing/selftests TARGETS="cpuidle" run_tests
I have not become any smarter than I was with
Hi Pratik,
On Thu, Apr 1, 2021 at 4:45 AM Pratik Rajesh Sampat
wrote:
>
...
> To run this test specifically:
> $ make -C tools/testing/selftests TARGETS="cpuidle" run_tests
I have not become any smarter than I was with version 1,
and still assumed that the "$" meant regular user.
Please put it
rnel/debug/latency_test/ipi_cpu_src)
+ if [ "$1" = "baseline" ]; then
+ kill $task_pid
+ wait $task_pid 2>/dev/null
+ fi
+}
+
+# Incrementally Enable idle states one by one and compute the latency
+run_ipi_tests()
+{
+ extract_l
nux/tools/testing/selftests/cpuidle$ cat
cpuidle.log.v3-1
--IPI Latency Test---
--Baseline IPI Latency measurement: CPU Busy--
SRC_CPU DEST_CPU IPI_Latency(ns)
00 140
01 632
02 675
03 671
04
r tasks scheduled from time to time on an otherwise idle core.
> In the full per-CPU logs at tools/testing/selftests/cpuidle/cpuidle.log can
> you
> spot any obvious outliers per-CPU state?
Yes.
I'll just paste in an example cpuidle.log file having used the -v option
below, along
Hi Doug,
Thanks for trying these patches out.
On 18/03/21 2:30 am, Doug Smythies wrote:
Hi Pratik,
It just so happens that I have been trying Artem's version this last
week, so I tried yours.
On Mon, Mar 15, 2021 at 4:49 AM Pratik Rajesh Sampat
wrote:
...
To run this test specifically:
$ mak
Hi Pratik,
It just so happens that I have been trying Artem's version this last
week, so I tried yours.
On Mon, Mar 15, 2021 at 4:49 AM Pratik Rajesh Sampat
wrote:
>
...
> To run this test specifically:
> $ make -C tools/testing/selftests TARGETS="cpuidle" run_tests
While I suppose it should ha
ntally Enable idle states one by one and compute the latency
+run_ipi_tests()
+{
+ extract_latency
+ disable_idle
+ declare -a avg_arr
+ echo -e "--IPI Latency Test---" | tee -a $LOG
+
+ echo -e "--Baseline IPI Latency measurement: CPU Busy--" >&g
On 3/2/21 7:06 AM, Rob Herring wrote:
On Sun, Feb 21, 2021 at 11:49 AM Lakshmi Ramasubramanian
wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the
On Sun, Feb 21, 2021 at 11:49 AM Lakshmi Ramasubramanian
wrote:
>
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec call
From: Lakshmi Ramasubramanian
[ Upstream commit f31e3386a4e92ba6eda7328cb508462956c94c64 ]
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. This buffer is not freed
From: Lakshmi Ramasubramanian
[ Upstream commit 6d14c6517885fa68524238787420511b87d671df ]
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. In error code paths this
Hello Petr,
On 2021-02-23 4:18 p.m., Petr Vorel wrote:
Hi Tushar,
Change Log v3:
- Incorporated feedback from Mimi on v2.
- Updated patch title and description to make it generic.
- Changed config description word 'data' to 'records'.
- Tested use cases for boot param "ima_policy=tcb".
Hi Tushar,
> Change Log v3:
> - Incorporated feedback from Mimi on v2.
> - Updated patch title and description to make it generic.
> - Changed config description word 'data' to 'records'.
> - Tested use cases for boot param "ima_policy=tcb".
LGTM.
Reviewed-by: Petr Vorel
Kind regards,
Petr
Stable wasn't Cc'ed. Is it that you sent the patch
> > directly to Greg or added "Fixes"?
> I had not Cced stable, but had "Fixes" tag in the patch.
> Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list")
> The problem i
> >> Appreciate it.
> >>>
> >>> On 2021-02-17 7:03 a.m., Mimi Zohar wrote:
> >>>> Hi Tushar,
> >>>>
> >>>> The Subject line could be improved. Perhaps something like - "IMA:
> >>>> support for duplicate mea
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the kernel in the kexec call
may also be measured by IMA. A remote attestation service can verify
a TPM quote
IMA does not include duplicate file, buffer, or critical data
measurement records since TPM extend is a very expensive
operation. However, in some cases, the measurement of duplicate
records is necessary to accurately determine the current state of the
system. For instance - the file, buffer, or
improved. Perhaps something like - "IMA:
support for duplicate measurement records"
Will do.
On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
IMA does not measure duplicate data since TPM extend is a very
expensive
operation. However, in some cases, the measurement of duplica
On Sat, Feb 13, 2021 at 08:10:38AM -0800, Lakshmi Ramasubramanian wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec c
t for duplicate measurement records"
Will do.
On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
IMA does not measure duplicate data since TPM extend is a very expensive
operation. However, in some cases, the measurement of duplicate data
is necessary to accurately determine the current st
On Wed, 2021-02-17 at 10:53 -0800, Tushar Sugandhi wrote:
> Thanks for the feedback Mimi.
> Appreciate it.
>
> On 2021-02-17 7:03 a.m., Mimi Zohar wrote:
> > Hi Tushar,
> >
> > The Subject line could be improved. Perhaps something like - "IMA:
> >
Thanks for the feedback Mimi.
Appreciate it.
On 2021-02-17 7:03 a.m., Mimi Zohar wrote:
Hi Tushar,
The Subject line could be improved. Perhaps something like - "IMA:
support for duplicate measurement records"
Will do.
On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
IM
Hi Tushar,
The Subject line could be improved. Perhaps something like - "IMA:
support for duplicate measurement records"
On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
> IMA does not measure duplicate data since TPM extend is a very expensive
> operation. However, in
IMA does not measure duplicate data since TPM extend is a very expensive
operation. However, in some cases, the measurement of duplicate data
is necessary to accurately determine the current state of the system.
Eg, SELinux state changing from 'audit', to 'enforcing', and b
On 2/10/21 1:39 PM, Mimi Zohar wrote:
On Wed, 2021-02-10 at 15:55 -0500, Mimi Zohar wrote:
On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote:
On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian
Ideally, we don't apply the same patch in 2 branches. It looks like
there's a conflict but
On Wed, 2021-02-10 at 15:55 -0500, Mimi Zohar wrote:
> On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote:
> > On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian
>
> > Ideally, we don't apply the same patch in 2 branches. It looks like
> > there's a conflict but no real dependence on the a
On Wed, 2021-02-10 at 14:42 -0600, Rob Herring wrote:
> On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian
> wrote:
> >
> > On 2/10/21 9:15 AM, Rob Herring wrote:
> > > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote:
> > >> O
On Wed, Feb 10, 2021 at 11:33 AM Lakshmi Ramasubramanian
wrote:
>
> On 2/10/21 9:15 AM, Rob Herring wrote:
> > On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote:
> >> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> >> m
On 2/10/21 9:15 AM, Rob Herring wrote:
On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to
On Tue, Feb 09, 2021 at 10:21:50AM -0800, Lakshmi Ramasubramanian wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec c
expensive operation. However, in some cases for integrity critical
data, the measurement of duplicate data is necessary to accurately
determine the current state of the system. Eg, SELinux state changing
from 'audit', to 'enforcing', and back to 'audit' again. In this
ex
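The SELinux example above, worked through as an added illustration that is not part of the IMA patch or of the kernel: a measurement list that suppresses duplicate records captures the audit, enforcing, audit sequence as only two entries, so a verifier replaying the list (and checking the PCR it extends) concludes the system is still enforcing, whereas a list that admits duplicate records ends in the true state. The event name "selinux-state", the digest layout H(event || NUL || data) and the state strings are assumptions made for this example; IMA's real templates and its digest hash table are more involved than this sketch.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank, initially all zeros


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def record_digest(event: str, data: bytes) -> bytes:
    # Assumed digest layout for the example: H(event || NUL || buffer contents).
    return hashlib.sha256(event.encode() + b"\0" + data).digest()


class MeasurementLog:
    """Simplified IMA-style measurement list feeding a single PCR."""

    def __init__(self, allow_duplicates: bool):
        self.allow_duplicates = allow_duplicates
        self.entries = []          # (event, data, digest) in measurement order
        self.pcr = bytes(PCR_SIZE)
        self._seen = set()         # digests already present in the list

    def measure(self, event: str, data: bytes) -> bool:
        """Append a record and extend the PCR; returns False if suppressed."""
        digest = record_digest(event, data)
        if not self.allow_duplicates and digest in self._seen:
            return False           # identical record exists: skip the TPM extend
        self._seen.add(digest)
        self.entries.append((event, data, digest))
        self.pcr = pcr_extend(self.pcr, digest)
        return True


def replay(entries) -> bytes:
    """Verifier side: recompute the PCR from the shipped measurement list."""
    pcr = bytes(PCR_SIZE)
    for _, _, digest in entries:
        pcr = pcr_extend(pcr, digest)
    return pcr


def last_reported_state(log: MeasurementLog, event: str) -> bytes:
    """What a verifier would believe the current value of `event` is."""
    for ev, data, _ in reversed(log.entries):
        if ev == event:
            return data
    raise LookupError(event)


def simulate(transitions, allow_duplicates: bool) -> MeasurementLog:
    """Measure each state change in order, with or without dedup."""
    log = MeasurementLog(allow_duplicates)
    for state in transitions:
        log.measure("selinux-state", state)
    return log


if __name__ == "__main__":
    history = [b"audit", b"enforcing", b"audit"]   # constructed sample input
    for dedup in (True, False):
        log = simulate(history, allow_duplicates=not dedup)
        print(f"dedup={dedup}: {len(log.entries)} records, verifier sees "
              f"{last_reported_state(log, 'selinux-state').decode()!r}, "
              f"quote matches log: {replay(log.entries) == log.pcr}")
```

The deduplicated log for audit, enforcing, audit is byte-for-byte the same list (and yields the same PCR) as the log for audit, enforcing, which is exactly why a verifier cannot distinguish the two histories; the TPM extend saved by suppressing the third record is what the patch trades away for integrity-critical data.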
expensive operation. However, in some cases for integrity critical
> >>> data, the measurement of duplicate data is necessary to accurately
> >>> determine the current state of the system. Eg, SELinux state changing
> >>> from 'audit', to 'enfo
operation. However, in some cases for integrity critical
data, the measurement of duplicate data is necessary to accurately
determine the current state of the system. Eg, SELinux state changing
from 'audit', to 'enforcing', and back to 'audit' again. In this
example, c
Hi Tushar,
On Mon, 2021-02-08 at 15:22 -0500, Mimi Zohar wrote:
> On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:
> > IMA does not measure duplicate buffer data since TPM extend is a very
> > expensive operation. However, in some cases for integrity critical
> >
Hi Tushar,
On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:
> IMA does not measure duplicate buffer data since TPM extend is a very
> expensive operation. However, in some cases for integrity critical
> data, the measurement of duplicate data is necessary to accurately
> d
On Thu, Feb 04, 2021 at 09:49:50AM -0800, Lakshmi Ramasubramanian wrote:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. In error code paths this memory
On Thu, Feb 04, 2021 at 09:49:51AM -0800, Lakshmi Ramasubramanian wrote:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. This buffer is not fre
On 2/5/21 2:05 AM, Greg KH wrote:
On Thu, Feb 04, 2021 at 09:49:50AM -0800, Lakshmi Ramasubramanian wrote:
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. In error
On 2/5/21 9:49 AM, Mimi Zohar wrote:
Hi Mimi,
On Fri, 2021-02-05 at 09:39 -0800, Lakshmi Ramasubramanian wrote:
On 2/5/21 2:05 AM, Greg KH wrote:
On Thu, Feb 04, 2021 at 09:49:50AM -0800, Lakshmi Ramasubramanian wrote:
IMA allocates kernel virtual memory to carry forward the measurement
On Fri, 2021-02-05 at 09:39 -0800, Lakshmi Ramasubramanian wrote:
> On 2/5/21 2:05 AM, Greg KH wrote:
> > On Thu, Feb 04, 2021 at 09:49:50AM -0800, Lakshmi Ramasubramanian wrote:
> >> IMA allocates kernel virtual memory to carry forward the measurement
> >> list, fro
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. In error code paths this memory
is not freed resulting in memory leak.
Free the memory allocated for the IMA measurement
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. This buffer is not freed before
completing the kexec system call resulting in memory leak.
Add ima_buffer field in
On 1/22/21 2:30 PM, Thiago Jung Bauermann wrote:
Hi Lakshmi,
Lakshmi Ramasubramanian writes:
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. In error code paths
On 1/22/21 2:31 PM, Thiago Jung Bauermann wrote:
Lakshmi Ramasubramanian writes:
IMA allocates kernel virtual memory to carry forward the measurement
list, from the current kernel to the next kernel on kexec system call,
in ima_add_kexec_buffer() function. This buffer is not freed before
IMA does not measure duplicate buffer data since TPM extend is a very
expensive operation. However, in some cases for integrity critical
data, the measurement of duplicate data is necessary to accurately
determine the current state of the system. Eg, SELinux state changing
from 'audit
Hi Lakshmi,
Lakshmi Ramasubramanian writes:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. In error code paths this memory
> is not freed resulti
Lakshmi Ramasubramanian writes:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. This buffer is not freed before
> completing the kexec system call
On 2021-01-21 09:30:03, Lakshmi Ramasubramanian wrote:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. This buffer is not freed before
> completi
On 2021-01-21 09:30:02, Lakshmi Ramasubramanian wrote:
> IMA allocates kernel virtual memory to carry forward the measurement
> list, from the current kernel to the next kernel on kexec system call,
> in ima_add_kexec_buffer() function. In error code paths this memory
> is not freed
. Limiting and
grouping critical data based on a label would make it flexible and
configurable to measure.
Define "label:=", a new IMA policy condition, for the IMA func
CRITICAL_DATA to allow grouping and limiting measurement of integrity
critical data.
Limit the measurement to the label
ritical data based on a label would make it flexible and
> configurable to measure.
>
> Define "label:=", a new IMA policy condition, for the IMA func
> CRITICAL_DATA to allow grouping and limiting measurement of integrity
> critical data.
>
> Limit the measurement
Mimi Zohar writes:
> On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
>> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
>> > On kexec file load Integrity Measurement Architecture (IMA) subsystem
>> > may verify the IMA signature of th
On 1/12/21 10:05 AM, Mimi Zohar wrote:
On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs
On 1/12/21 6:42 AM, Rob Herring wrote:
On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to
On Tue, 2021-01-12 at 08:42 -0600, Rob Herring wrote:
> On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
> > On kexec file load Integrity Measurement Architecture (IMA) subsystem
> > may verify the IMA signature of the kernel and initramfs, and measure
>
On Mon, Jan 04, 2021 at 11:25:56AM -0800, Lakshmi Ramasubramanian wrote:
> On kexec file load Integrity Measurement Architecture (IMA) subsystem
> may verify the IMA signature of the kernel and initramfs, and measure
> it. The command line parameters passed to the kernel in the kexec c
.
Define "label:=", a new IMA policy condition, for the IMA func
CRITICAL_DATA to allow grouping and limiting measurement of integrity
critical data.
Limit the measurement to the labels that are specified in the IMA
policy - CRITICAL_DATA+"label:=". If "label:="
From: Lakshmi Ramasubramanian
Define a new critical data builtin policy to allow measuring
early kernel integrity critical data before a custom IMA policy
is loaded.
Update the documentation on kernel parameters to document
the new critical data builtin policy.
Signed-off-by: Lakshmi Ramasubram
The IMA hook ima_measure_critical_data() does not support a way to
specify the source of the critical data provider. Thus, the data
measurement cannot be constrained based on the data source label
in the IMA policy.
Extend the IMA hook ima_measure_critical_data() to support passing
the data
specific measurement constructs to be generic and
reusable in other measurement scenarios.
Signed-off-by: Tushar Sugandhi
Reviewed-by: Tyler Hicks
---
security/integrity/ima/ima.h| 6 ++--
security/integrity/ima/ima_api.c| 6 ++--
security/integrity/ima/ima_main.c | 6
On 2020-12-24 6:41 a.m., Mimi Zohar wrote:
On Sat, 2020-12-12 at 10:02 -0800, Tushar Sugandhi wrote:
From: Lakshmi Ramasubramanian
Define a new critical data builtin policy to allow measuring
early kernel integrity critical data before a custom IMA policy
is loaded.
Add critical data to bu
subsystems is needed. This policy
condition would constrain the measurement of the critical data based on
a label for the given subsystems.
Restricting which kernel integrity critical data is measured is not
only of interest to system administrators. Why single them out?
system administrators
100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size,
* @eventname: event name to be used for the buffer entry.
* @func: IMA hook
* @pcr: pcr to extend the measurement
- * @keyring: keyring name
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the kernel in the kexec call
may also be measured by IMA. A remote attestation service can verify
a TPM quote based
On Sat, 2020-12-12 at 10:02 -0800, Tushar Sugandhi wrote:
> From: Lakshmi Ramasubramanian
>
> Define a new critical data builtin policy to allow measuring
> early kernel integrity critical data before a custom IMA policy
> is loaded.
>
> Add critical data to built-in IMA rules if the kernel comm
is policy
> condition would constrain the measurement of the critical data based on
> a label for the given subsystems.
Restricting which kernel integrity critical data is measured is not
only of interest to system administrators. Why single them out?
Limiting which critical data is measured is b
> @@ -786,13 +786,13 @@ int ima_post_load_data(char *buf, loff_t size,
> * @eventname: event name to be used for the buffer entry.
> * @func: IMA hook
> * @pcr: pcr to extend the measurement
> - * @keyring: keyring name to determine the action to be performed
> + * @func_data: pr
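Review bot: the kernel-doc rename from `@keyring` to `@func_data` must be matched by the parameter name in the C prototype of the same function, which is outside the quoted context; if the two names differ, `scripts/kernel-doc` reports an excess and a missing parameter for every build with `W=1`. Please also keep the `@func_data` description specific about which hooks consume it (the old `@keyring` text said it determined the action to be performed), since a generic name without that detail makes the policy-matching behaviour harder to follow from the comment alone.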
On 12/17/20 9:37 AM, Lakshmi Ramasubramanian wrote:
On kexec file load Integrity Measurement Architecture (IMA) subsystem
may verify the IMA signature of the kernel and initramfs, and measure
it. The command line parameters passed to the kernel in the kexec call
may also be measured by IMA. A
. This policy
condition would constrain the measurement of the critical data based on
a label for the given subsystems.
Add a new IMA policy condition - "data_source:=" to the IMA func
CRITICAL_DATA to allow measurement of various kernel subsystems. This
policy condition would enable
onstrain the measurement of the critical data based on
> a label for the given subsystems.
>
> Add a new IMA policy condition - "data_source:=" to the IMA func
> CRITICAL_DATA to allow measurement of various kernel subsystems. This
> policy condition would enable the
From: Lakshmi Ramasubramanian
Define a new critical data builtin policy to allow measuring
early kernel integrity critical data before a custom IMA policy
is loaded.
Add critical data to built-in IMA rules if the kernel command line
contains "ima_policy=critical_data".
Update the documentation