Re: [PATCH v9 6/8] powerpc: Move ima_get_kexec_buffer() and ima_free_kexec_buffer() to ima

From: Lakshmi Ramasubramanian
Date: Tue Dec 01 2020 - 14:06:57 EST


On 12/1/20 3:38 AM, Mimi Zohar wrote:
Hi Lakshmi,

On Fri, 2020-11-13 at 11:22 -0800, Lakshmi Ramasubramanian wrote:
ima_get_kexec_buffer() retrieves the address and size of the buffer
used for carrying forward the IMA measurement logs on kexec from
the device tree.

ima_free_kexec_buffer() removes the chosen node namely
"linux,ima-kexec-buffer" from the device tree, and frees the buffer
used for carrying forward the IMA measurement logs on kexec.

These functions do not have architecture specific code, but are
currently limited to powerpc.

Move ima_get_kexec_buffer() and ima_free_kexec_buffer() to ima_kexec.c
in IMA so that they are accessible for other architectures as well.

This sentence flows from the previous line. No need for separate
paragraphs here.

Sure - will update Mimi.


With the above change the functions in arch/powerpc/kexec/ima.c are
defined only when the kernel config CONFIG_IMA_KEXEC is enabled.
Update the Makefile to build arch/powerpc/kexec/ima.c only when
CONFIG_IMA_KEXEC is enabled and remove "#ifdef CONFIG_IMA_KEXEC"
in arch/powerpc/kexec/ima.c.

Co-developed-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Prakhar Srivastava <prsriva@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx>

After making the two changes,

Reviewed-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>


diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index 121de3e04af2..3f0fa2673dd3 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -9,9 +9,60 @@
#include <linux/seq_file.h>
#include <linux/vmalloc.h>
+#include <linux/memblock.h>
+#include <linux/of.h>
#include <linux/kexec.h>
+#include <linux/ima.h>
#include "ima.h"
+/**
+ * ima_get_kexec_buffer - get IMA buffer from the previous kernel
+ * @addr: On successful return, set to point to the buffer contents.
+ * @size: On successful return, set to the buffer size.
+ *
+ * Return: 0 on success, negative errno on error.
+ */
+static int ima_get_kexec_buffer(void **addr, size_t *size)
+{
+ int ret;
+ unsigned long tmp_addr;
+ size_t tmp_size;
+
+ ret = get_ima_kexec_buffer(NULL, 0, &tmp_addr, &tmp_size);
+ if (ret)
+ return ret;
+
+ *addr = __va(tmp_addr);
+ *size = tmp_size;
+
+ return 0;
+}
+
+/**
+ * ima_free_kexec_buffer - free memory used by the IMA buffer
+ */
+static int ima_free_kexec_buffer(void)
+{
+ int ret;
+ unsigned long addr;
+ size_t size;
+ struct property *prop;
+
+ prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL);
+ if (!prop)
+ return -ENOENT;
+
+ ret = get_ima_kexec_buffer(NULL, 0, &addr, &size);
+ if (ret)
+ return ret;
+
+ ret = of_remove_property(of_chosen, prop);
+ if (ret)
+ return ret;
+
+ return memblock_free(addr, size);
+}
+
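
Review bot: the kernel-doc for ima_free_kexec_buffer() has no "Return:" line, although the function returns -ENOENT when "linux,ima-kexec-buffer" is not found and otherwise passes back the result of get_ima_kexec_buffer(), of_remove_property() or memblock_free(). Please add one, in the same form as the "Return: 0 on success, negative errno on error." line on ima_get_kexec_buffer(). In the same function, of_remove_property() runs before "return memblock_free(addr, size);", so if the free fails the property that recorded the buffer's address and size is already gone. A short comment saying that this ordering is intended would help. Both get_ima_kexec_buffer(NULL, 0, ...) calls would also benefit from a comment on what the NULL and 0 arguments mean.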

Please move these functions, after the ifdef below, before the function
where they're used.

Will make the above change.

thanks,
-lakshmi


#ifdef CONFIG_IMA_KEXEC
static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
unsigned long segment_size)