From: Prakhar Srivastava <prsriva@linux•microsoft.com>
To: linux-arm-kernel@lists•infradead.org,
linux-kernel@vger•kernel.org, linuxppc-dev@lists•ozlabs.org,
devicetree@vger•kernel.org, linux-integrity@vger•kernel.org,
linux-security-module@vger•kernel.org
Cc: kstewart@linuxfoundation•org, mark.rutland@arm•com,
catalin.marinas@arm•com, bhsharma@redhat•com, tao.li@vivo•com,
zohar@linux•ibm.com, paulus@samba•org, vincenzo.frascino@arm•com,
frowand.list@gmail•com, nramas@linux•microsoft.com,
masahiroy@kernel•org, jmorris@namei•org,
takahiro.akashi@linaro•org, serge@hallyn•com,
pasha.tatashin@soleen•com, will@kernel•org,
prsriva@linux•microsoft.com, robh+dt@kernel•org,
hsinyi@chromium•org, tusharsu@linux•microsoft.com,
tglx@linutronix•de, allison@lohutok•net, christophe.leroy@c-s•fr,
mbrugger@suse•com, balajib@linux•microsoft.com,
dmitry.kasatkin@gmail•com, james.morse@arm•com,
gregkh@linuxfoundation•org
Subject: [V2 PATCH 3/3] Add support for arm64 to carry over IMA measurement logs
Date: Thu, 18 Jun 2020 00:10:45 -0700 [thread overview]
Message-ID: <20200618071045.471131-4-prsriva@linux.microsoft.com> (raw)
In-Reply-To: <20200618071045.471131-1-prsriva@linux.microsoft.com>
Add support for arm64 to carry over IMA measurement logs.
Update arm64 code to call into functions made available in patch 1/3.
---
arch/arm64/Kconfig | 1 +
arch/arm64/include/asm/ima.h | 17 ++++++++++
arch/arm64/include/asm/kexec.h | 3 ++
arch/arm64/kernel/machine_kexec_file.c | 47 +++++++++++++++++++++-----
4 files changed, 60 insertions(+), 8 deletions(-)
create mode 100644 arch/arm64/include/asm/ima.h
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index 5d513f461957..3d544e2e25e6 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1070,6 +1070,7 @@ config KEXEC
config KEXEC_FILE
bool "kexec file based system call"
select KEXEC_CORE
+ select HAVE_IMA_KEXEC
help
This is new version of kexec system call. This system call is
file based and takes file descriptors as system call argument
diff --git a/arch/arm64/include/asm/ima.h b/arch/arm64/include/asm/ima.h
new file mode 100644
index 000000000000..70ac39b74607
--- /dev/null
+++ b/arch/arm64/include/asm/ima.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _ASM_ARCH_IMA_H
+#define _ASM_ARCH_IMA_H
+
+struct kimage;
+
+#ifdef CONFIG_IMA_KEXEC
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+ size_t size);
+#else
+static inline int arch_ima_add_kexec_buffer(struct kimage *image,
+ unsigned long load_addr, size_t size)
+{
+ return 0;
+}
+#endif /* CONFIG_IMA_KEXEC */
+#endif /* _ASM_ARCH_IMA_H */
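Review bot: The new header uses `size_t` in both the prototype and the `static inline` stub but includes nothing, so it only compiles when the includer has already pulled in `<linux/types.h>`; add `#include <linux/types.h>` right after the include guard. The stub exists only for `CONFIG_IMA_KEXEC` disabled, whereas the real definition later in this patch (machine_kexec_file.c) is unconditional, so if that file includes this header with IMA_KEXEC off the `static inline` stub and the extern definition collide, and if it does not include it the definition has no prototype; I cannot see that file's include list in its hunk, so this is inferred. Guarding the definition with `#ifdef CONFIG_IMA_KEXEC` resolves both cases.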
diff --git a/arch/arm64/include/asm/kexec.h b/arch/arm64/include/asm/kexec.h
index d24b527e8c00..7bd60c185ad3 100644
--- a/arch/arm64/include/asm/kexec.h
+++ b/arch/arm64/include/asm/kexec.h
@@ -100,6 +100,9 @@ struct kimage_arch {
void *elf_headers;
unsigned long elf_headers_mem;
unsigned long elf_headers_sz;
+
+ phys_addr_t ima_buffer_addr;
+ size_t ima_buffer_size;
};
extern const struct kexec_file_ops kexec_image_ops;
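Review bot: `ima_buffer_addr` is declared `phys_addr_t` here, while the setter that stores into it (`arch_ima_add_kexec_buffer` in asm/ima.h and machine_kexec_file.c in this same patch) takes `unsigned long load_addr`, so one value has two types across the series; both are 64-bit on arm64 so nothing is truncated, but changing the parameter to `phys_addr_t load_addr` in both places keeps the interface consistent with the field. The two new members are also uncommented; a short comment such as `/* IMA kexec buffer handed to the next kernel: physical address and size in bytes */` above them would document the only state this patch adds to `kimage_arch`. The rest of `struct kimage_arch` is outside the hunk.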
diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index b40c3b0def92..1e9007c926db 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -24,20 +24,37 @@
#include <asm/byteorder.h>
/* relevant device tree properties */
-#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
-#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
-#define FDT_PROP_INITRD_START "linux,initrd-start"
-#define FDT_PROP_INITRD_END "linux,initrd-end"
-#define FDT_PROP_BOOTARGS "bootargs"
-#define FDT_PROP_KASLR_SEED "kaslr-seed"
-#define FDT_PROP_RNG_SEED "rng-seed"
-#define RNG_SEED_SIZE 128
+#define FDT_PROP_KEXEC_ELFHDR "linux,elfcorehdr"
+#define FDT_PROP_MEM_RANGE "linux,usable-memory-range"
+#define FDT_PROP_INITRD_START "linux,initrd-start"
+#define FDT_PROP_INITRD_END "linux,initrd-end"
+#define FDT_PROP_BOOTARGS "bootargs"
+#define FDT_PROP_KASLR_SEED "kaslr-seed"
+#define FDT_PROP_RNG_SEED "rng-seed"
+#define FDT_PROP_IMA_KEXEC_BUFFER "linux,ima-kexec-buffer"
+#define RNG_SEED_SIZE 128
const struct kexec_file_ops * const kexec_file_loaders[] = {
&kexec_image_ops,
NULL
};
+/**
+ * arch_ima_add_kexec_buffer - do arch-specific steps to add the IMA buffer
+ *
+ * Architectures should use this function to pass on the IMA buffer
+ * information to the next kernel.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+int arch_ima_add_kexec_buffer(struct kimage *image, unsigned long load_addr,
+ size_t size)
+{
+ image->arch.ima_buffer_addr = load_addr;
+ image->arch.ima_buffer_size = size;
+ return 0;
+}
+
int arch_kimage_file_post_load_cleanup(struct kimage *image)
{
vfree(image->arch.dtb);
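Review bot: The kernel-doc block on `arch_ima_add_kexec_buffer` has no `@image`, `@load_addr` or `@size` lines, so `scripts/kernel-doc` warns and a reader is not told that `load_addr` is stored into a `phys_addr_t` field; add `@image: kimage being loaded`, `@load_addr: physical address the IMA buffer was loaded at` and `@size: size of the IMA buffer in bytes`. The sentence "Architectures should use this function" reads as copied wording: this is the arm64 implementation of the hook, so describe it as such. The definition is unconditional while the header declares it only under `CONFIG_IMA_KEXEC`, and no `#include <asm/ima.h>` is visible in this hunk; with IMA_KEXEC off that leaves an unprototyped or conflicting symbol, though the include list above the hunk is not shown here. The seven existing `FDT_PROP_*` defines are removed and re-added with what appears to be only whitespace changes, which buries the one functional line (`FDT_PROP_IMA_KEXEC_BUFFER`) in alignment churn; either split the realignment out or align only the new define.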
@@ -66,6 +83,9 @@ static int setup_dtb(struct kimage *image,
if (ret && ret != -FDT_ERR_NOTFOUND)
goto out;
ret = fdt_delprop(dtb, off, FDT_PROP_MEM_RANGE);
+ if (ret && ret != -FDT_ERR_NOTFOUND)
+ goto out;
+ ret = fdt_delprop(dtb, off, FDT_PROP_IMA_KEXEC_BUFFER);
if (ret && ret != -FDT_ERR_NOTFOUND)
goto out;
@@ -119,6 +139,17 @@ static int setup_dtb(struct kimage *image,
goto out;
}
+ if (image->arch.ima_buffer_size > 0) {
+
+ ret = fdt_appendprop_addrrange(dtb, 0, off,
+ FDT_PROP_IMA_KEXEC_BUFFER,
+ image->arch.ima_buffer_addr,
+ image->arch.ima_buffer_size);
+ if (ret)
+ return (ret == -FDT_ERR_NOSPACE ? -ENOMEM : -EINVAL);
+
+ }
+
/* add kaslr-seed */
ret = fdt_delprop(dtb, off, FDT_PROP_KASLR_SEED);
if (ret == -FDT_ERR_NOTFOUND)
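Review bot: The `if (ret) return (...)` added after `fdt_appendprop_addrrange` leaves `setup_dtb` directly, whereas the surrounding error paths (the `goto out;` immediately above the new block) all go through the `out:` label; if `out:` releases anything this early return skips it, and even if it does not the direct return breaks the function's single-exit cleanup style. Mirror the neighbours: `if (ret) { ret = (ret == -FDT_ERR_NOSPACE) ? -ENOMEM : -EINVAL; goto out; }`. The blank lines directly after `{` and before `}` inside the new block are also flagged by checkpatch and should be dropped. `setup_dtb` begins and ends outside this hunk.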
--
2.25.1