1. Patchew
  2. linux
  3. [PATCH v11 0/9] ima: kexec: measure events between kexec load and execute
  4. View patch

[PATCH v11 8/9] ima: make the kexec extra memory configurable

steven chen posted 9 patches 1 month, 1 week ago
There is a newer version of this series
[PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by steven chen 1 month, 1 week ago 
The extra memory allocated for carrying the IMA measurement list across
kexec is hard-coded as half a PAGE.  Make it configurable.

Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
extra memory (in kb) to be allocated for IMA measurements added during
kexec soft reboot.  Ensure the default value of the option is set such
that extra half a page of memory for additional measurements is allocated
for the additional measurements.

Update ima_add_kexec_buffer() function to allocate memory based on the
Kconfig option value, rather than the currently hard-coded one.

Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: steven chen <chenste@linux.microsoft.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
---
 security/integrity/ima/Kconfig     | 10 ++++++++++
 security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 475c32615006..d73c96c3c1c9 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
 	help
 	   This option disables htable to allow measurement of duplicate records.
 
+config IMA_KEXEC_EXTRA_MEMORY_KB
+	int "Extra memory for IMA measurements added during kexec soft reboot"
+	depends on IMA_KEXEC
+	default 0
+	help
+	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
+	  allocated (in kb) for IMA measurements added during kexec soft reboot.
+	  If set to the default value of 0, an extra half page of memory for those
+	  additional measurements will be allocated.
+
 endif
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/ima_kexec.c
index ed867734ee70..d1c9d369ba08 100644
--- a/security/integrity/ima/ima_kexec.c
+++ b/security/integrity/ima/ima_kexec.c
@@ -118,6 +118,7 @@ void ima_add_kexec_buffer(struct kimage *image)
 				  .buf_min = 0, .buf_max = ULONG_MAX,
 				  .top_down = true };
 	unsigned long binary_runtime_size;
+	unsigned long extra_memory;
 
 	/* use more understandable variable names than defined in kbuf */
 	size_t kexec_buffer_size = 0;
@@ -125,15 +126,20 @@ void ima_add_kexec_buffer(struct kimage *image)
 	int ret;
 
 	/*
-	 * Reserve an extra half page of memory for additional measurements
-	 * added during the kexec load.
+	 * Reserve extra memory for measurements added during kexec.
 	 */
-	binary_runtime_size = ima_get_binary_runtime_size();
+	if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
+		extra_memory = PAGE_SIZE / 2;
+	else
+		extra_memory = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;
+
+	binary_runtime_size = ima_get_binary_runtime_size() + extra_memory;
+
 	if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
 		kexec_segment_size = ULONG_MAX;
 	else
-		kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
-					   PAGE_SIZE / 2, PAGE_SIZE);
+		kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);
+
 	if ((kexec_segment_size == ULONG_MAX) ||
 	    ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
 		pr_err("Binary measurement list too large.\n");
-- 
2.25.1
Re: [PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by Baoquan He 1 month ago 
On 04/02/25 at 05:47am, steven chen wrote:
> The extra memory allocated for carrying the IMA measurement list across
> kexec is hard-coded as half a PAGE.  Make it configurable.
> 
> Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
> extra memory (in kb) to be allocated for IMA measurements added during
> kexec soft reboot.  Ensure the default value of the option is set such
> that extra half a page of memory for additional measurements is allocated
> for the additional measurements.
> 
> Update ima_add_kexec_buffer() function to allocate memory based on the
> Kconfig option value, rather than the currently hard-coded one.
> 
> Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> Signed-off-by: steven chen <chenste@linux.microsoft.com>
> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
>  security/integrity/ima/Kconfig     | 10 ++++++++++
>  security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
>  2 files changed, 21 insertions(+), 5 deletions(-)
> 
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 475c32615006..d73c96c3c1c9 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
>  	help
>  	   This option disables htable to allow measurement of duplicate records.
>  
> +config IMA_KEXEC_EXTRA_MEMORY_KB
> +	int "Extra memory for IMA measurements added during kexec soft reboot"
> +	depends on IMA_KEXEC
> +	default 0

Usually a new Kconfig item which accepts a range should define the range
boundary, otherwise it's not clear to people how large or how small it
can be set. For example, can I set it as value of 1<<40? We should at
least estimate a possible upper limit for it for other people's
reference. My personal opinion.

The rest looks good to me.


> +	help
> +	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
> +	  allocated (in kb) for IMA measurements added during kexec soft reboot.
> +	  If set to the default value of 0, an extra half page of memory for those
> +	  additional measurements will be allocated.
> +
>  endif
...snip...
Re: [PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by steven chen 1 month ago 
On 4/10/2025 2:54 AM, Baoquan He wrote:
> On 04/02/25 at 05:47am, steven chen wrote:
>> The extra memory allocated for carrying the IMA measurement list across
>> kexec is hard-coded as half a PAGE.  Make it configurable.
>>
>> Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
>> extra memory (in kb) to be allocated for IMA measurements added during
>> kexec soft reboot.  Ensure the default value of the option is set such
>> that extra half a page of memory for additional measurements is allocated
>> for the additional measurements.
>>
>> Update ima_add_kexec_buffer() function to allocate memory based on the
>> Kconfig option value, rather than the currently hard-coded one.
>>
>> Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
>> Signed-off-by: steven chen <chenste@linux.microsoft.com>
>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>> ---
>>   security/integrity/ima/Kconfig     | 10 ++++++++++
>>   security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
>>   2 files changed, 21 insertions(+), 5 deletions(-)
>>
>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>> index 475c32615006..d73c96c3c1c9 100644
>> --- a/security/integrity/ima/Kconfig
>> +++ b/security/integrity/ima/Kconfig
>> @@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
>>   	help
>>   	   This option disables htable to allow measurement of duplicate records.
>>   
>> +config IMA_KEXEC_EXTRA_MEMORY_KB
>> +	int "Extra memory for IMA measurements added during kexec soft reboot"
>> +	depends on IMA_KEXEC
>> +	default 0
> Usually a new Kconfig item which accepts a range should define the range
> boundary, otherwise it's not clear to people how large or how small it
> can be set. For example, can I set it as value of 1<<40? We should at
> least estimate a possible upper limit for it for other people's
> reference. My personal opinion.

Hi Baoquan,

How about I set range 2-40? Default set as 2, same as the fixed setting.

Thanks,

Steven

> The rest looks good to me.
>
>
>> +	help
>> +	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
>> +	  allocated (in kb) for IMA measurements added during kexec soft reboot.
>> +	  If set to the default value of 0, an extra half page of memory for those
>> +	  additional measurements will be allocated.
>> +
>>   endif
> ...snip...
Re: [PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by Mimi Zohar 1 month ago 
On Thu, 2025-04-10 at 09:59 -0700, steven chen wrote:
> On 4/10/2025 2:54 AM, Baoquan He wrote:
> > On 04/02/25 at 05:47am, steven chen wrote:
> > > The extra memory allocated for carrying the IMA measurement list across
> > > kexec is hard-coded as half a PAGE.  Make it configurable.
> > > 
> > > Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
> > > extra memory (in kb) to be allocated for IMA measurements added during
> > > kexec soft reboot.  Ensure the default value of the option is set such
> > > that extra half a page of memory for additional measurements is allocated
> > > for the additional measurements.
> > > 
> > > Update ima_add_kexec_buffer() function to allocate memory based on the
> > > Kconfig option value, rather than the currently hard-coded one.
> > > 
> > > Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
> > > Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> > > Signed-off-by: steven chen <chenste@linux.microsoft.com>
> > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > ---
> > >   security/integrity/ima/Kconfig     | 10 ++++++++++
> > >   security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
> > >   2 files changed, 21 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > > index 475c32615006..d73c96c3c1c9 100644
> > > --- a/security/integrity/ima/Kconfig
> > > +++ b/security/integrity/ima/Kconfig
> > > @@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
> > >   	help
> > >   	   This option disables htable to allow measurement of duplicate records.
> > >   
> > > +config IMA_KEXEC_EXTRA_MEMORY_KB
> > > +	int "Extra memory for IMA measurements added during kexec soft reboot"
> > > +	depends on IMA_KEXEC
> > > +	default 0
> > Usually a new Kconfig item which accepts a range should define the range
> > boundary, otherwise it's not clear to people how large or how small it
> > can be set. For example, can I set it as value of 1<<40? We should at
> > least estimate a possible upper limit for it for other people's
> > reference. My personal opinion.
> 
> Hi Baoquan,
> 
> How about I set range 2-40? Default set as 2, same as the fixed setting.

0, the current default, sets the "extra" memory to the existing "extra half a
page of memory for the additional measurements".  For backwards compatibility,
please do not change this.

The requirement for a larger "extra" measurement is coming from Microsoft. If
this isn't any longer a requirement, we could drop this patch.  Lakshmi, do you
have any thoughts on this?

thanks,

Mimi

> 
> > The rest looks good to me.
> > 
> > 
> > > +	help
> > > +	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
> > > +	  allocated (in kb) for IMA measurements added during kexec soft reboot.
> > > +	  If set to the default value of 0, an extra half page of memory for those
> > > +	  additional measurements will be allocated.
> > > +
> > >   endif
> > ...snip...
> 
> 
>
Re: [PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by steven chen 1 month ago 
On 4/10/2025 11:04 AM, Mimi Zohar wrote:
> On Thu, 2025-04-10 at 09:59 -0700, steven chen wrote:
>> On 4/10/2025 2:54 AM, Baoquan He wrote:
>>> On 04/02/25 at 05:47am, steven chen wrote:
>>>> The extra memory allocated for carrying the IMA measurement list across
>>>> kexec is hard-coded as half a PAGE.  Make it configurable.
>>>>
>>>> Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
>>>> extra memory (in kb) to be allocated for IMA measurements added during
>>>> kexec soft reboot.  Ensure the default value of the option is set such
>>>> that extra half a page of memory for additional measurements is allocated
>>>> for the additional measurements.
>>>>
>>>> Update ima_add_kexec_buffer() function to allocate memory based on the
>>>> Kconfig option value, rather than the currently hard-coded one.
>>>>
>>>> Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
>>>> Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
>>>> Signed-off-by: steven chen <chenste@linux.microsoft.com>
>>>> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
>>>> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
>>>> ---
>>>>    security/integrity/ima/Kconfig     | 10 ++++++++++
>>>>    security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
>>>>    2 files changed, 21 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
>>>> index 475c32615006..d73c96c3c1c9 100644
>>>> --- a/security/integrity/ima/Kconfig
>>>> +++ b/security/integrity/ima/Kconfig
>>>> @@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
>>>>    	help
>>>>    	   This option disables htable to allow measurement of duplicate records.
>>>>    
>>>> +config IMA_KEXEC_EXTRA_MEMORY_KB
>>>> +	int "Extra memory for IMA measurements added during kexec soft reboot"
>>>> +	depends on IMA_KEXEC
>>>> +	default 0
>>> Usually a new Kconfig item which accepts a range should define the range
>>> boundary, otherwise it's not clear to people how large or how small it
>>> can be set. For example, can I set it as value of 1<<40? We should at
>>> least estimate a possible upper limit for it for other people's
>>> reference. My personal opinion.
>> Hi Baoquan,
>>
>> How about I set range 2-40? Default set as 2, same as the fixed setting.
> 0, the current default, sets the "extra" memory to the existing "extra half a
> page of memory for the additional measurements".  For backwards compatibility,
> please do not change this.
>
> The requirement for a larger "extra" measurement is coming from Microsoft. If
> this isn't any longer a requirement, we could drop this patch.  Lakshmi, do you
> have any thoughts on this?
>
> thanks,
>
> Mimi

How about the range set as 0-40 and the default as 0?

We (Microsoft) are ok with 0 as the default.

Thanks

>>> The rest looks good to me.
>>>
>>>
>>>> +	help
>>>> +	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
>>>> +	  allocated (in kb) for IMA measurements added during kexec soft reboot.
>>>> +	  If set to the default value of 0, an extra half page of memory for those
>>>> +	  additional measurements will be allocated.
>>>> +
>>>>    endif
>>> ...snip...
>>
>>
Re: [PATCH v11 8/9] ima: make the kexec extra memory configurable
Posted by Mimi Zohar 1 month ago 
On Thu, 2025-04-10 at 11:49 -0700, steven chen wrote:
> On 4/10/2025 11:04 AM, Mimi Zohar wrote:
> > On Thu, 2025-04-10 at 09:59 -0700, steven chen wrote:
> > > On 4/10/2025 2:54 AM, Baoquan He wrote:
> > > > On 04/02/25 at 05:47am, steven chen wrote:
> > > > > The extra memory allocated for carrying the IMA measurement list across
> > > > > kexec is hard-coded as half a PAGE.  Make it configurable.
> > > > > 
> > > > > Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
> > > > > extra memory (in kb) to be allocated for IMA measurements added during
> > > > > kexec soft reboot.  Ensure the default value of the option is set such
> > > > > that extra half a page of memory for additional measurements is allocated
> > > > > for the additional measurements.
> > > > > 
> > > > > Update ima_add_kexec_buffer() function to allocate memory based on the
> > > > > Kconfig option value, rather than the currently hard-coded one.
> > > > > 
> > > > > Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > > Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
> > > > > Signed-off-by: steven chen <chenste@linux.microsoft.com>
> > > > > Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
> > > > > Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
> > > > > ---
> > > > >    security/integrity/ima/Kconfig     | 10 ++++++++++
> > > > >    security/integrity/ima/ima_kexec.c | 16 +++++++++++-----
> > > > >    2 files changed, 21 insertions(+), 5 deletions(-)
> > > > > 
> > > > > diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> > > > > index 475c32615006..d73c96c3c1c9 100644
> > > > > --- a/security/integrity/ima/Kconfig
> > > > > +++ b/security/integrity/ima/Kconfig
> > > > > @@ -321,4 +321,14 @@ config IMA_DISABLE_HTABLE
> > > > >    	help
> > > > >    	   This option disables htable to allow measurement of duplicate records.
> > > > >    
> > > > > +config IMA_KEXEC_EXTRA_MEMORY_KB
> > > > > +	int "Extra memory for IMA measurements added during kexec soft reboot"
> > > > > +	depends on IMA_KEXEC
> > > > > +	default 0
> > > > Usually a new Kconfig item which accepts a range should define the range
> > > > boundary, otherwise it's not clear to people how large or how small it
> > > > can be set. For example, can I set it as value of 1<<40? We should at
> > > > least estimate a possible upper limit for it for other people's
> > > > reference. My personal opinion.
> > > Hi Baoquan,
> > > 
> > > How about I set range 2-40? Default set as 2, same as the fixed setting.
> > 0, the current default, sets the "extra" memory to the existing "extra half a
> > page of memory for the additional measurements".  For backwards compatibility,
> > please do not change this.
> > 
> > The requirement for a larger "extra" measurement is coming from Microsoft. If
> > this isn't any longer a requirement, we could drop this patch.  Lakshmi, do you
> > have any thoughts on this?
> 
> How about the range set as 0-40 and the default as 0?
> 
> We (Microsoft) are ok with 0 as the default.

Thanks, fine.

> 
> Thanks
> 
> > > > The rest looks good to me.
> > > > 
> > > > 
> > > > > +	help
> > > > > +	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
> > > > > +	  allocated (in kb) for IMA measurements added during kexec soft reboot.
> > > > > +	  If set to the default value of 0, an extra half page of memory for those
> > > > > +	  additional measurements will be allocated.
> > > > > +
> > > > >    endif
> > > > ...snip...
> > > 
> > > 
> 
>

Patchew 2.1-devel-b67e4c2

© 2016 - 2025 Red Hat, Inc.