Re: [PATCH v12 0/9] ima: kexec: measure events between kexec load and execute

From: Stefan Berger
Date: Wed Apr 16 2025 - 21:10:17 EST

Next message: Mi, Dapeng: "Re: [Patch v3 12/22] perf/x86/intel: Update dyn_constranit base on PEBS event precise level"
Previous message: Guenter Roeck: "[PATCH v3] x86: Disable image size check for test builds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 4/15/25 10:10 PM, steven chen wrote:

From: Steven Chen <chenste@xxxxxxxxxxxxxxxxxxx>

The current kernel behavior is IMA measurements snapshot is taken at
kexec 'load' and not at kexec 'execute'. IMA log is then carried
over to the new kernel after kexec 'execute'.

Currently, the kernel behavior during kexec load is to fetch the IMA
measurements log from TPM PCRs and store it in a buffer. When a kexec
reboot is triggered, this stored log buffer is carried over to the second
kernel. However, the time gap between kexec load and kexec reboot can be
very long. During this time window, new events extended into TPM PCRs miss
the chance to be carried over to the second kernel. This results in
mismatch between TPM PCR quotes and the actual IMA measurements list after
kexec soft reboot, which in turn results in remote attestation failure.

Tested-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> # ppc64/kvm

Next message: Mi, Dapeng: "Re: [Patch v3 12/22] perf/x86/intel: Update dyn_constranit base on PEBS event precise level"
Previous message: Guenter Roeck: "[PATCH v3] x86: Disable image size check for test builds"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]