[v8,4/4] arm64: Add IMA kexec buffer to DTB

Message ID	20201030174429.29893-5-nramas@linux.microsoft.com
State	New
Headers	show Return-Path: <SRS0=0tPT=EF=vger.kernel.org=devicetree-owner@kernel.org> From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com> To: zohar@linux.ibm.com, bauerman@linux.ibm.com, robh@kernel.org, gregkh@linuxfoundation.org, james.morse@arm.com, catalin.marinas@arm.com, sashal@kernel.org, will@kernel.org, mpe@ellerman.id.au, benh@kernel.crashing.org, paulus@samba.org, robh+dt@kernel.org, frowand.list@gmail.com, vincenzo.frascino@arm.com, mark.rutland@arm.com, dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com, pasha.tatashin@soleen.com, allison@lohutok.net, kstewart@linuxfoundation.org, takahiro.akashi@linaro.org, tglx@linutronix.de, masahiroy@kernel.org, bhsharma@redhat.com, mbrugger@suse.com, hsinyi@chromium.org, tao.li@vivo.com, christophe.leroy@c-s.fr Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, devicetree@vger.kernel.org, prsriva@linux.microsoft.com, balajib@linux.microsoft.com Subject: [PATCH v8 4/4] arm64: Add IMA kexec buffer to DTB Date: Fri, 30 Oct 2020 10:44:29 -0700 Message-Id: <20201030174429.29893-5-nramas@linux.microsoft.com> In-Reply-To: <20201030174429.29893-1-nramas@linux.microsoft.com> References: <20201030174429.29893-1-nramas@linux.microsoft.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Carry forward IMA measurement log on kexec on ARM64 \| expand [v8,0/4] Carry forward IMA measurement log on kexec on ARM64 [v8,2/4] powerpc: Refactor kexec functions to move arch independent code to ima [v8,4/4] arm64: Add IMA kexec buffer to DTB

Message ID

20201030174429.29893-5-nramas@linux.microsoft.com

State

New

Headers

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, bauerman@linux.ibm.com, robh@kernel.org,
	gregkh@linuxfoundation.org, james.morse@arm.com,
	catalin.marinas@arm.com, sashal@kernel.org, will@kernel.org,
	mpe@ellerman.id.au, benh@kernel.crashing.org, paulus@samba.org,
	robh+dt@kernel.org, frowand.list@gmail.com,
	vincenzo.frascino@arm.com, mark.rutland@arm.com,
	dmitry.kasatkin@gmail.com, jmorris@namei.org, serge@hallyn.com,
	pasha.tatashin@soleen.com, allison@lohutok.net,
	kstewart@linuxfoundation.org, takahiro.akashi@linaro.org,
	tglx@linutronix.de, masahiroy@kernel.org, bhsharma@redhat.com,
	mbrugger@suse.com, hsinyi@chromium.org, tao.li@vivo.com,
	christophe.leroy@c-s.fr
Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
	devicetree@vger.kernel.org, prsriva@linux.microsoft.com,
	balajib@linux.microsoft.com
Subject: [PATCH v8 4/4] arm64: Add IMA kexec buffer to DTB
Date: Fri, 30 Oct 2020 10:44:29 -0700
Message-Id: <20201030174429.29893-5-nramas@linux.microsoft.com>
In-Reply-To: <20201030174429.29893-1-nramas@linux.microsoft.com>
References: <20201030174429.29893-1-nramas@linux.microsoft.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Carry forward IMA measurement log on kexec on ARM64 | expand

Commit Message

nramas Oct. 30, 2020, 5:44 p.m. UTC

Any existing FDT_PROP_IMA_KEXEC_BUFFER property in the device tree
needs to be removed and its corresponding memory reservation in
the currently running kernel needs to be freed.

The address and size of the current kernel's IMA measurement log need
to be added to the device tree's IMA kexec buffer node and memory for
the buffer needs to be reserved for the log to be carried over to
the next kernel on the kexec call.

Remove any existing FDT_PROP_IMA_KEXEC_BUFFER property in the device
tree and free the corresponding memory reservation in the currently
running kernel. Add FDT_PROP_IMA_KEXEC_BUFFER property to the device
tree and reserve the memory for storing the IMA log that needs to be
passed from the current kernel to the next one.

Update CONFIG_KEXEC_FILE to select CONFIG_HAVE_IMA_KEXEC to indicate
that the IMA measurement log information is present in the device tree
for ARM64.

Co-developed-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
Signed-off-by: Prakhar Srivastava <prsriva@linux.microsoft.com>
Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reviewed-by: Thiago Jung Bauermann <bauerman@linux.ibm.com>
---
 arch/arm64/Kconfig                     |  1 +
 arch/arm64/kernel/machine_kexec_file.c | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index f858c352f72a..8c6c3fe85694 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1074,6 +1074,7 @@  config KEXEC
 config KEXEC_FILE
 	bool "kexec file based system call"
 	select KEXEC_CORE
+	select HAVE_IMA_KEXEC
 	help
 	  This is new version of kexec system call. This system call is
 	  file based and takes file descriptors as system call argument
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 5b0e67b93cdc..4082489358d5 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -21,6 +21,7 @@ 
 #include <linux/string.h>
 #include <linux/types.h>
 #include <linux/vmalloc.h>
+#include <linux/ima.h>
 #include <asm/byteorder.h>
 
 /* relevant device tree properties */
@@ -62,6 +63,8 @@  static int setup_dtb(struct kimage *image,
 
 	off = ret;
 
+	remove_ima_kexec_buffer(dtb, ret);
+
 	ret = fdt_delprop(dtb, off, FDT_PROP_KEXEC_ELFHDR);
 	if (ret && ret != -FDT_ERR_NOTFOUND)
 		goto out;
@@ -136,6 +139,21 @@  static int setup_dtb(struct kimage *image,
 				FDT_PROP_KASLR_SEED);
 	}
 
+	/* add ima-kexec-buffer */
+	if (image->arch.ima_buffer_size > 0) {
+		ret = fdt_appendprop_addrrange(dtb, 0, off,
+				FDT_PROP_IMA_KEXEC_BUFFER,
+				image->arch.ima_buffer_addr,
+				image->arch.ima_buffer_size);
+		if (ret)
+			return (ret == -FDT_ERR_NOSPACE ? -ENOMEM : -EINVAL);
+
+		ret = fdt_add_mem_rsv(dtb, image->arch.ima_buffer_addr,
+				      image->arch.ima_buffer_size);
+		if (ret)
+			goto out;
+	}
+
 	/* add rng-seed */
 	if (rng_is_initialized()) {
 		void *rng_seed;

[v8,4/4] arm64: Add IMA kexec buffer to DTB

Commit Message

Patch