[PATCH v11 0/8] powerpc: Implement kexec_file_load()

Mimi Zohar zohar at linux.vnet.ibm.com
Thu Dec 1 00:03:46 AEDT 2016


On Wed, 2016-11-30 at 15:52 +1100, Michael Ellerman wrote:
> Andrew Morton <akpm at linux-foundation.org> writes:
> 
> > On Tue, 29 Nov 2016 23:45:46 +1100 Michael Ellerman <mpe at ellerman.id.au> wrote:
> >
> >> This is v11 of the kexec_file_load() for powerpc series.
> >> 
> >> I've stripped this down to the minimum we need, so we can get this in for 4.10.
> >> Any additions can come later incrementally.
> >
> > This made a bit of a mess of Mimi's series "ima: carry the
> > measurement list across kexec v10".
> 
> Urk, sorry about that. I didn't realise there was a big dependency
> between them, but I guess I should have tried to do the rebase.
> 
> > powerpc-ima-get-the-kexec-buffer-passed-by-the-previous-kernel.patch
> > ima-on-soft-reboot-restore-the-measurement-list.patch
> > ima-permit-duplicate-measurement-list-entries.patch
> > ima-maintain-memory-size-needed-for-serializing-the-measurement-list.patch
> > powerpc-ima-send-the-kexec-buffer-to-the-next-kernel.patch
> > ima-on-soft-reboot-save-the-measurement-list.patch
> > ima-store-the-builtin-custom-template-definitions-in-a-list.patch
> > ima-support-restoring-multiple-template-formats.patch
> > ima-define-a-canonical-binary_runtime_measurements-list-format.patch
> > ima-platform-independent-hash-value.patch
> >
> > I made the syntactic fixes but I won't be testing it.

Dmitry Kasatkin's acked-by needs to be included for the IMA patches.

> Thanks. 
> 
> TBH I don't know how to test the IMA part, I'm relying on Thiago and
> Mimi to do that.

It should be straightforward.  Enable CONFIG_IMA_KEXEC to carry the
measurements from one kernel to the next.  Use a kexec_file_load version
of kexec to boot the next kernel.  On the boot command line add
"ima_tcb" or "ima_policy=ima_tcb".

If the measurements were carried across kexec, the IMA measurement list
<securityfs>/ima/ascii_runtime_measurements should contain an initial
"boot_aggregate", as the first record, and a "boot_aggregate", as a
delimiter, for each subsequent kexec.

> >> If no one objects I'll merge this via the powerpc tree. The three kexec patches
> >> have been acked by Dave Young (since forever), and have been in linux-next (via
> >> akpm's tree) also for a long time.
> >
> > OK, I'll wait for these to appear in -next and I will await advice on 
> 
> Thanks. I'll let them stew for a few more hours and then put them in my
> next for tomorrow's linux-next.

Thiago tested the patches yesterday.   Everything seemed fine.  After
cherry picking the kexec_file_load() patches and rebasing the
restore_kexec patches on top of it in my tree, there were some problems.
Perhaps there are some dependencies that I'm missing.

Mimi
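
The check described in the message above, as an added example that is not part of the original message or the patch series: it verifies that the first record of an ASCII measurement list is "boot_aggregate" and that one further "boot_aggregate" appears per kexec. The function names, the five-field ima-ng record layout, and the sample records (constructed, with placeholder hashes) are assumptions.

```shell
#!/bin/sh
# Assumed record layout (ima-ng template), one record per line:
#   PCR  template-hash  template-name  file-hash  file-name

# Print how many records carry the file name "boot_aggregate".
count_boot_aggregates() {
    awk '$5 == "boot_aggregate" { n++ } END { print n + 0 }' "$1"
}

# check_ima_kexec_list FILE KEXECS
# Succeeds when the first record is boot_aggregate and the list holds
# exactly one additional boot_aggregate delimiter per kexec performed.
check_ima_kexec_list() {
    list=$1
    kexecs=$2
    first=$(awk 'NR == 1 { print $5 }' "$list")
    if [ "$first" != "boot_aggregate" ]; then
        echo "FAIL: first record is '$first', not boot_aggregate" >&2
        return 1
    fi
    total=$(count_boot_aggregates "$list")
    if [ "$total" -ne $((kexecs + 1)) ]; then
        echo "FAIL: $total boot_aggregate records, expected $((kexecs + 1))" >&2
        return 1
    fi
    echo "OK: initial boot_aggregate plus $kexecs kexec delimiter(s)"
}

# Constructed sample: a list as it might look after one kexec.
# All hash values are placeholders, not real measurements.
write_sample_list() {
    cat > "$1" <<'EOF'
10 1111111111111111111111111111111111111111 ima-ng sha1:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa boot_aggregate
10 2222222222222222222222222222222222222222 ima-ng sha1:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb /init
10 3333333333333333333333333333333333333333 ima-ng sha1:cccccccccccccccccccccccccccccccccccccccc /sbin/kexec
10 4444444444444444444444444444444444444444 ima-ng sha1:dddddddddddddddddddddddddddddddddddddddd boot_aggregate
10 5555555555555555555555555555555555555555 ima-ng sha1:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee /init
EOF
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_list "$sample"
check_ima_kexec_list "$sample" 1
rm -f "$sample"
```

On a running system, pass the real list instead of the sample, for example `check_ima_kexec_list /sys/kernel/security/ima/ascii_runtime_measurements 1` as root, assuming securityfs is mounted at /sys/kernel/security.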