
Merge tag 'x86_kdump_for_v6.0_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 kdump updates from Borislav Petkov:

- Add the ability to pass early an RNG seed to the kernel from the boot
loader

- Add the ability to pass the IMA measurement of kernel and bootloader
to the kexec-ed kernel

* tag 'x86_kdump_for_v6.0_rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/setup: Use rng seeds from setup_data
x86/kexec: Carry forward IMA measurement log on kexec

+171 -20
+1
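--- a/arch/x86/Kconfig
+++ b/arch/x86/Kconfig
@@ -2010,6 +2010,7 @@
 config KEXEC_FILE
 bool "kexec file based system call"
 select KEXEC_CORE
+select HAVE_IMA_KEXEC if IMA
 depends on X86_64
 depends on CRYPTO=y
 depends on CRYPTO_SHA256=y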
+12 -3
arch/x86/include/uapi/asm/bootparam.h
··· 11 11 #define SETUP_APPLE_PROPERTIES 5 12 12 #define SETUP_JAILHOUSE 6 13 13 #define SETUP_CC_BLOB 7 14 + #define SETUP_IMA 8 15 + #define SETUP_RNG_SEED 9 16 + #define SETUP_ENUM_MAX SETUP_RNG_SEED 14 17 15 18 #define SETUP_INDIRECT (1<<31) 16 - 17 - /* SETUP_INDIRECT | max(SETUP_*) */ 18 - #define SETUP_TYPE_MAX (SETUP_INDIRECT | SETUP_CC_BLOB) 19 + #define SETUP_TYPE_MAX (SETUP_ENUM_MAX | SETUP_INDIRECT) 19 20 20 21 /* ram_size flags */ 21 22 #define RAMDISK_IMAGE_START_MASK 0x07FF ··· 171 170 struct { 172 171 __u32 flags; 173 172 } __attribute__((packed)) v2; 173 + } __attribute__((packed)); 174 + 175 + /* 176 + * IMA buffer setup data information from the previous kernel during kexec 177 + */ 178 + struct ima_setup_data { 179 + __u64 addr; 180 + __u64 size; 174 181 } __attribute__((packed)); 175 182 176 183 /* The so-called "zeropage" */
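Review bot: The new struct ima_setup_data becomes part of the boot protocol, but its comment does not say what addr and size mean. The consumer in arch/x86/kernel/setup.c passes both to memblock_reserve() and stores addr as a physical address, so I would document the fields here, e.g. `__u64 addr; /* physical address of the IMA measurement buffer */` and `__u64 size; /* length of that buffer in bytes, 0 if none */`. The zero case is worth stating because setup.c ignores the entry when size is 0.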
+3 -3
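--- a/arch/x86/kernel/e820.c
+++ b/arch/x86/kernel/e820.c
@@ -1017,10 +1017,10 @@
 e820__range_update(pa_data, sizeof(*data)+data->len, E820_TYPE_RAM, E820_TYPE_RESERVED_KERN);
 
 /*
-* SETUP_EFI is supplied by kexec and does not need to be
-* reserved.
+* SETUP_EFI and SETUP_IMA are supplied by kexec and do not need
+* to be reserved.
 */
-if (data->type != SETUP_EFI)
+if (data->type != SETUP_EFI && data->type != SETUP_IMA)
 e820__range_update_kexec(pa_data,
 sizeof(*data) + data->len,
 E820_TYPE_RAM, E820_TYPE_RESERVED_KERN);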
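Review bot: The new condition exempts SETUP_EFI and SETUP_IMA as "supplied by kexec", but this merge also has kexec generate a SETUP_RNG_SEED entry (setup_rng_seed() in kexec-bzimage64.c), and that type still reaches e820__range_update_kexec() here. If that is intentional, presumably because a boot loader can supply the seed as well, the comment should say so, for example `SETUP_RNG_SEED may also come from a boot loader, so it stays reserved.` The enclosing function starts and ends outside the hunk, so the full type handling is not visible.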
+71 -3
arch/x86/kernel/kexec-bzimage64.c
··· 18 18 #include <linux/mm.h> 19 19 #include <linux/efi.h> 20 20 #include <linux/verification.h> 21 + #include <linux/random.h> 21 22 22 23 #include <asm/bootparam.h> 23 24 #include <asm/setup.h> ··· 111 110 return 0; 112 111 } 113 112 113 + enum { RNG_SEED_LENGTH = 32 }; 114 + 115 + static void 116 + setup_rng_seed(struct boot_params *params, unsigned long params_load_addr, 117 + unsigned int rng_seed_setup_data_offset) 118 + { 119 + struct setup_data *sd = (void *)params + rng_seed_setup_data_offset; 120 + unsigned long setup_data_phys; 121 + 122 + if (!rng_is_initialized()) 123 + return; 124 + 125 + sd->type = SETUP_RNG_SEED; 126 + sd->len = RNG_SEED_LENGTH; 127 + get_random_bytes(sd->data, RNG_SEED_LENGTH); 128 + setup_data_phys = params_load_addr + rng_seed_setup_data_offset; 129 + sd->next = params->hdr.setup_data; 130 + params->hdr.setup_data = setup_data_phys; 131 + } 132 + 114 133 #ifdef CONFIG_EFI 115 134 static int setup_efi_info_memmap(struct boot_params *params, 116 135 unsigned long params_load_addr, ··· 207 186 } 208 187 #endif /* CONFIG_EFI */ 209 188 189 + static void 190 + setup_ima_state(const struct kimage *image, struct boot_params *params, 191 + unsigned long params_load_addr, 192 + unsigned int ima_setup_data_offset) 193 + { 194 + #ifdef CONFIG_IMA_KEXEC 195 + struct setup_data *sd = (void *)params + ima_setup_data_offset; 196 + unsigned long setup_data_phys; 197 + struct ima_setup_data *ima; 198 + 199 + if (!image->ima_buffer_size) 200 + return; 201 + 202 + sd->type = SETUP_IMA; 203 + sd->len = sizeof(*ima); 204 + 205 + ima = (void *)sd + sizeof(struct setup_data); 206 + ima->addr = image->ima_buffer_addr; 207 + ima->size = image->ima_buffer_size; 208 + 209 + /* Add setup data */ 210 + setup_data_phys = params_load_addr + ima_setup_data_offset; 211 + sd->next = params->hdr.setup_data; 212 + params->hdr.setup_data = setup_data_phys; 213 + #endif /* CONFIG_IMA_KEXEC */ 214 + } 215 + 210 216 static int 211 217 setup_boot_parameters(struct 
kimage *image, struct boot_params *params, 212 218 unsigned long params_load_addr, 213 219 unsigned int efi_map_offset, unsigned int efi_map_sz, 214 - unsigned int efi_setup_data_offset) 220 + unsigned int setup_data_offset) 215 221 { 216 222 unsigned int nr_e820_entries; 217 223 unsigned long long mem_k, start, end; ··· 293 245 #ifdef CONFIG_EFI 294 246 /* Setup EFI state */ 295 247 setup_efi_state(params, params_load_addr, efi_map_offset, efi_map_sz, 296 - efi_setup_data_offset); 248 + setup_data_offset); 249 + setup_data_offset += sizeof(struct setup_data) + 250 + sizeof(struct efi_setup_data); 297 251 #endif 252 + 253 + if (IS_ENABLED(CONFIG_IMA_KEXEC)) { 254 + /* Setup IMA log buffer state */ 255 + setup_ima_state(image, params, params_load_addr, 256 + setup_data_offset); 257 + setup_data_offset += sizeof(struct setup_data) + 258 + sizeof(struct ima_setup_data); 259 + } 260 + 261 + /* Setup RNG seed */ 262 + setup_rng_seed(params, params_load_addr, setup_data_offset); 263 + 298 264 /* Setup EDD info */ 299 265 memcpy(params->eddbuf, boot_params.eddbuf, 300 266 EDDMAXNR * sizeof(struct edd_info)); ··· 463 401 params_cmdline_sz = ALIGN(params_cmdline_sz, 16); 464 402 kbuf.bufsz = params_cmdline_sz + ALIGN(efi_map_sz, 16) + 465 403 sizeof(struct setup_data) + 466 - sizeof(struct efi_setup_data); 404 + sizeof(struct efi_setup_data) + 405 + sizeof(struct setup_data) + 406 + RNG_SEED_LENGTH; 407 + 408 + if (IS_ENABLED(CONFIG_IMA_KEXEC)) 409 + kbuf.bufsz += sizeof(struct setup_data) + 410 + sizeof(struct ima_setup_data); 467 411 468 412 params = kzalloc(kbuf.bufsz, GFP_KERNEL); 469 413 if (!params)
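Review bot: The layout of the setup_data entries is now encoded twice, as the running setup_data_offset in setup_boot_parameters() and as the kbuf.bufsz sum in the last hunk, and nothing ties the two together. setup_rng_seed() writes RNG_SEED_LENGTH bytes at the final offset, so an entry later added in one place but not the other would write past the kzalloc'ed params buffer. A comment above the bufsz computation such as `/* Must match the setup_data entries written by setup_boot_parameters(), in order. */` would make the coupling explicit. The offset is advanced for the EFI entry only under CONFIG_EFI while bufsz always includes it, which is safe but worth stating there too. Both enclosing functions continue outside the hunks shown.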
+73
arch/x86/kernel/setup.c
··· 11 11 #include <linux/dma-map-ops.h> 12 12 #include <linux/dmi.h> 13 13 #include <linux/efi.h> 14 + #include <linux/ima.h> 14 15 #include <linux/init_ohci1394_dma.h> 15 16 #include <linux/initrd.h> 16 17 #include <linux/iscsi_ibft.h> ··· 24 23 #include <linux/usb/xhci-dbgp.h> 25 24 #include <linux/static_call.h> 26 25 #include <linux/swiotlb.h> 26 + #include <linux/random.h> 27 27 28 28 #include <uapi/linux/mount.h> 29 29 ··· 140 138 __visible unsigned long mmu_cr4_features __ro_after_init; 141 139 #else 142 140 __visible unsigned long mmu_cr4_features __ro_after_init = X86_CR4_PAE; 141 + #endif 142 + 143 + #ifdef CONFIG_IMA 144 + static phys_addr_t ima_kexec_buffer_phys; 145 + static size_t ima_kexec_buffer_size; 143 146 #endif 144 147 145 148 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */ ··· 337 330 } 338 331 #endif /* CONFIG_BLK_DEV_INITRD */ 339 332 333 + static void __init add_early_ima_buffer(u64 phys_addr) 334 + { 335 + #ifdef CONFIG_IMA 336 + struct ima_setup_data *data; 337 + 338 + data = early_memremap(phys_addr + sizeof(struct setup_data), sizeof(*data)); 339 + if (!data) { 340 + pr_warn("setup: failed to memremap ima_setup_data entry\n"); 341 + return; 342 + } 343 + 344 + if (data->size) { 345 + memblock_reserve(data->addr, data->size); 346 + ima_kexec_buffer_phys = data->addr; 347 + ima_kexec_buffer_size = data->size; 348 + } 349 + 350 + early_memunmap(data, sizeof(*data)); 351 + #else 352 + pr_warn("Passed IMA kexec data, but CONFIG_IMA not set. 
Ignoring.\n"); 353 + #endif 354 + } 355 + 356 + #if defined(CONFIG_HAVE_IMA_KEXEC) && !defined(CONFIG_OF_FLATTREE) 357 + int __init ima_free_kexec_buffer(void) 358 + { 359 + int rc; 360 + 361 + if (!ima_kexec_buffer_size) 362 + return -ENOENT; 363 + 364 + rc = memblock_phys_free(ima_kexec_buffer_phys, 365 + ima_kexec_buffer_size); 366 + if (rc) 367 + return rc; 368 + 369 + ima_kexec_buffer_phys = 0; 370 + ima_kexec_buffer_size = 0; 371 + 372 + return 0; 373 + } 374 + 375 + int __init ima_get_kexec_buffer(void **addr, size_t *size) 376 + { 377 + if (!ima_kexec_buffer_size) 378 + return -ENOENT; 379 + 380 + *addr = __va(ima_kexec_buffer_phys); 381 + *size = ima_kexec_buffer_size; 382 + 383 + return 0; 384 + } 385 + #endif 386 + 340 387 static void __init parse_setup_data(void) 341 388 { 342 389 struct setup_data *data; ··· 415 354 break; 416 355 case SETUP_EFI: 417 356 parse_efi_setup(pa_data, data_len); 357 + break; 358 + case SETUP_IMA: 359 + add_early_ima_buffer(pa_data); 360 + break; 361 + case SETUP_RNG_SEED: 362 + data = early_memremap(pa_data, data_len); 363 + add_bootloader_randomness(data->data, data->len); 364 + /* Zero seed for forward secrecy. */ 365 + memzero_explicit(data->data, data->len); 366 + /* Zero length in case we find ourselves back here by accident. */ 367 + memzero_explicit(&data->len, sizeof(data->len)); 368 + early_memunmap(data, data_len); 418 369 break; 419 370 default: 420 371 break;
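Review bot: In the SETUP_RNG_SEED case of parse_setup_data(), the result of early_memremap() is dereferenced without a NULL check, although add_early_ima_buffer() in this same section checks its mapping and warns. Adding `if (!data) break;` before add_bootloader_randomness(), with a pr_warn like the IMA one, would keep an early-boot mapping failure from becoming a NULL dereference. Separately, add_early_ima_buffer() hands data->addr and data->size from the setup_data entry straight to memblock_reserve() and keeps them for the later __va() in ima_get_kexec_buffer(). Nothing visible checks that the entry's len covers struct ima_setup_data or that addr + size does not wrap, so a range check, or at least a comment that these values are trusted from the previous kernel, would help. parse_setup_data() begins and ends outside the hunk, so an earlier check may exist there.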
+5 -8
drivers/of/kexec.c
··· 9 9 * Copyright (C) 2016 IBM Corporation 10 10 */ 11 11 12 + #include <linux/ima.h> 12 13 #include <linux/kernel.h> 13 14 #include <linux/kexec.h> 14 15 #include <linux/memblock.h> ··· 116 115 return 0; 117 116 } 118 117 118 + #ifdef CONFIG_HAVE_IMA_KEXEC 119 119 /** 120 120 * ima_get_kexec_buffer - get IMA buffer from the previous kernel 121 121 * @addr: On successful return, set to point to the buffer contents. ··· 124 122 * 125 123 * Return: 0 on success, negative errno on error. 126 124 */ 127 - int ima_get_kexec_buffer(void **addr, size_t *size) 125 + int __init ima_get_kexec_buffer(void **addr, size_t *size) 128 126 { 129 127 int ret, len; 130 128 unsigned long tmp_addr; 131 129 size_t tmp_size; 132 130 const void *prop; 133 - 134 - if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC)) 135 - return -ENOTSUPP; 136 131 137 132 prop = of_get_property(of_chosen, "linux,ima-kexec-buffer", &len); 138 133 if (!prop) ··· 148 149 /** 149 150 * ima_free_kexec_buffer - free memory used by the IMA buffer 150 151 */ 151 - int ima_free_kexec_buffer(void) 152 + int __init ima_free_kexec_buffer(void) 152 153 { 153 154 int ret; 154 155 unsigned long addr; 155 156 size_t size; 156 157 struct property *prop; 157 - 158 - if (!IS_ENABLED(CONFIG_HAVE_IMA_KEXEC)) 159 - return -ENOTSUPP; 160 158 161 159 prop = of_find_property(of_chosen, "linux,ima-kexec-buffer", NULL); 162 160 if (!prop) ··· 169 173 170 174 return memblock_phys_free(addr, size); 171 175 } 176 + #endif 172 177 173 178 /** 174 179 * remove_ima_buffer - remove the IMA buffer property and reservation from @fdt
+5
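--- a/include/linux/ima.h
+++ b/include/linux/ima.h
@@ -140,6 +140,11 @@
 
 #endif /* CONFIG_IMA */
 
+#ifdef CONFIG_HAVE_IMA_KEXEC
+int __init ima_free_kexec_buffer(void);
+int __init ima_get_kexec_buffer(void **addr, size_t *size);
+#endif
+
 #ifdef CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT
 extern bool arch_ima_get_secureboot(void);
 extern const char * const *arch_get_ima_policy(void);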
-2
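--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -441,8 +441,6 @@
 unsigned long initrd_load_addr,
 unsigned long initrd_len,
 const char *cmdline, size_t extra_fdt_size);
-int ima_get_kexec_buffer(void **addr, size_t *size);
-int ima_free_kexec_buffer(void);
 #else /* CONFIG_OF */
 
 static inline void of_core_init(void)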
+1 -1
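--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -137,7 +137,7 @@
 /*
 * Restore the measurement list from the previous kernel.
 */
-void ima_load_kexec_buffer(void)
+void __init ima_load_kexec_buffer(void)
 {
 void *kexec_buffer = NULL;
 size_t kexec_buffer_size = 0;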