    x86/kexec: Carry forward IMA measurement log on kexec · b69a2afd
    Jonathan McDowell authored
    On kexec file load, the Integrity Measurement Architecture (IMA)
    subsystem may verify the IMA signature of the kernel and initramfs, and
    measure it. The command line parameters passed to the kernel in the
    kexec call may also be measured by IMA.
    
    A remote attestation service can verify a TPM quote based on the TPM
    event log, the IMA measurement list and the TPM PCR data. This can
    be achieved only if the IMA measurement log is carried over from the
    current kernel to the next kernel across the kexec call.
    
    PowerPC and ARM64 both achieve this using device tree with a
    "linux,ima-kexec-buffer" node. x86 platforms generally don't make use of
    device tree, so use the setup_data mechanism to pass the IMA buffer to
    the new kernel.
    Signed-off-by: Jonathan McDowell <noodles@fb.com>
    Signed-off-by: Borislav Petkov <bp@suse.de>
    Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> # IMA function definitions
    Link: https://lore.kernel.org/r/YmKyvlF3my1yWTvK@noodles-fedora-PC23Y6EG
ima_kexec.c 4.05 KB
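The commit message explains why the measurement list must survive kexec: an attestation service replays the log to recompute PCR 10 and compares the result with the TPM quote, and any entry the old kernel extended into the TPM but did not hand over makes that replay fail. The block below is an added example, not code from the commit or the kernel tree. It parses entries laid out the way ima-ng entries appear in <securityfs>/ima/binary_runtime_measurements (pcr, 20-byte SHA-1 template digest, length-prefixed template name, length-prefixed template data; native little-endian byte order and only the ima-ng template are assumed), replays PCR 10 from them, and shows that the replay matches the "quoted" value only when the pre-kexec entries are included. All log contents, file names and hashes are constructed for the example; the handling of violation entries (all-zero digest in the log, 0xff extend in the TPM) is described from the IMA behaviour as the author understands it and is not shown on this page.

```python
"""Replay an IMA measurement list to recompute PCR 10 (added example, not kernel code).

The binary layout follows ima-ng entries as written to
<securityfs>/ima/binary_runtime_measurements; little-endian is assumed.
All logs below are constructed for the example.
"""
import hashlib
import struct

PCR_IMA = 10
DIGEST_SIZE = 20                             # SHA-1 template digest carried in the log
ZERO_DIGEST = b"\x00" * DIGEST_SIZE          # what the log stores for a violation
VIOLATION_EXTEND = b"\xff" * DIGEST_SIZE     # what the TPM is extended with instead


def ima_ng_template_data(file_hash, path, algo="sha256"):
    """ima-ng fields: d-ng = "<algo>:" + raw digest, n-ng = NUL-terminated path.
    Each field is prefixed with its u32 length; the template digest covers
    exactly these bytes."""
    d_ng = algo.encode() + b":" + file_hash
    n_ng = path.encode() + b"\x00"
    return b"".join(struct.pack("<I", len(f)) + f for f in (d_ng, n_ng))


def encode_entry(template_data, violation=False, pcr=PCR_IMA, name=b"ima-ng"):
    """Serialize one entry: pcr | digest | name len | name | data len | data."""
    digest = ZERO_DIGEST if violation else hashlib.sha1(template_data).digest()
    return (struct.pack("<I", pcr) + digest
            + struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(template_data)) + template_data)


def parse_measurement_list(buf):
    """Parse into (pcr, digest, name, template_data) tuples, rejecting any entry
    whose stored digest does not match its template data. The legacy "ima"
    template (no length prefixes on its data) is not handled here."""
    entries, off = [], 0
    while off < len(buf):
        pcr, = struct.unpack_from("<I", buf, off); off += 4
        digest = buf[off:off + DIGEST_SIZE]; off += DIGEST_SIZE
        name_len, = struct.unpack_from("<I", buf, off); off += 4
        name = buf[off:off + name_len]; off += name_len
        if name == b"ima":
            raise ValueError("legacy 'ima' template not supported")
        data_len, = struct.unpack_from("<I", buf, off); off += 4
        data = buf[off:off + data_len]; off += data_len
        if len(data) != data_len:
            raise ValueError("truncated entry")
        if digest != ZERO_DIGEST and digest != hashlib.sha1(data).digest():
            raise ValueError("template digest mismatch ending at offset %d" % off)
        entries.append((pcr, digest, name, data))
    return entries


def replay_pcr(entries, pcr=PCR_IMA):
    """Recompute the PCR from its reset value: PCR = SHA1(PCR || extend_value),
    where a violation entry is extended with 0xff bytes rather than its digest."""
    value = b"\x00" * DIGEST_SIZE
    for entry_pcr, digest, _name, _data in entries:
        if entry_pcr != pcr:
            continue
        ext = VIOLATION_EXTEND if digest == ZERO_DIGEST else digest
        value = hashlib.sha1(value + ext).digest()
    return value


def build_example_logs():
    """Constructed logs: entries the first kernel measured before kexec and
    entries the kexec'd kernel measured afterwards (names and hashes made up)."""
    def h(data):
        return hashlib.sha256(data).digest()
    pre_kexec = b"".join([
        encode_entry(ima_ng_template_data(h(b"pcr0-7 aggregate"), "boot_aggregate")),
        encode_entry(ima_ng_template_data(h(b"kernel-1"), "/boot/vmlinuz-kexec")),
        encode_entry(ima_ng_template_data(h(b"initrd-1"), "/boot/initramfs-kexec.img")),
        # simplified: the kernel records the kexec command line with a buffer template
        encode_entry(ima_ng_template_data(h(b"cmdline"), "kexec-cmdline")),
    ])
    post_kexec = b"".join([
        encode_entry(ima_ng_template_data(h(b"init"), "/sbin/init")),
        encode_entry(ima_ng_template_data(b"\x00" * 32, "/tmp/opened-for-write"), violation=True),
        encode_entry(ima_ng_template_data(h(b"sshd"), "/usr/sbin/sshd")),
    ])
    return pre_kexec, post_kexec


def attest(quoted_pcr, measurement_list):
    """Verifier side: parse the list it received, replay it, compare to the quote."""
    return replay_pcr(parse_measurement_list(measurement_list)) == quoted_pcr


def demonstrate():
    pre, post = build_example_logs()
    # The TPM was extended with every entry, so the quoted PCR 10 covers both logs.
    quoted = replay_pcr(parse_measurement_list(pre + post))
    return {
        "quoted_pcr10": quoted.hex(),
        "matches_without_carryover": attest(quoted, post),       # False
        "matches_with_carryover": attest(quoted, pre + post),    # True
    }


if __name__ == "__main__":
    for key, val in demonstrate().items():
        print(key, val)
```

Without the carried-over entries the verifier's replay starts from the reset value at the kexec'd kernel's first entry, so it can never reproduce the TPM's PCR 10; with them the recomputation lines up, which is the property the setup_data hand-off on x86 (and the device tree node on PowerPC and ARM64) exists to preserve. The digest check in the parser also catches a list whose template data was altered after the TPM extend.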