Commit 0ad93987 authored by Steven Chen, committed by Mimi Zohar

ima: make the kexec extra memory configurable



The extra memory allocated for carrying the IMA measurement list across
kexec is hard-coded as half a PAGE.  Make it configurable.

Define a Kconfig option, IMA_KEXEC_EXTRA_MEMORY_KB, to configure the
extra memory (in kb) to be allocated for IMA measurements added during
kexec soft reboot.  Ensure the default value of the option is set such
that an extra half a page of memory is allocated for the additional
measurements.

Update ima_add_kexec_buffer() function to allocate memory based on the
Kconfig option value, rather than the currently hard-coded one.

Suggested-by: Stefan Berger <stefanb@linux.ibm.com>
Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
parent d0a00ce4
+11 −0
@@ -321,4 +321,15 @@ config IMA_DISABLE_HTABLE
	help
	   This option disables htable to allow measurement of duplicate records.

config IMA_KEXEC_EXTRA_MEMORY_KB
	int "Extra memory for IMA measurements added during kexec soft reboot"
	range 0 40
	depends on IMA_KEXEC
	default 0
	help
	  IMA_KEXEC_EXTRA_MEMORY_KB determines the extra memory to be
	  allocated (in kb) for IMA measurements added during kexec soft reboot.
	  If set to the default value of 0, an extra half page of memory for those
	  additional measurements will be allocated.

endif
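Review bot: The help text for IMA_KEXEC_EXTRA_MEMORY_KB does not say that 0 is a sentinel meaning "half a page" rather than "no extra memory". Because half a page depends on the architecture's page size, a kernel with large pages can reserve more at the value 0 than at a small non-zero setting. Suggest stating that in the help text, along with where the upper bound in `range 0 40` comes from and when someone would need to raise the value. The unit is written "kb" while the code multiplies by 1024, so "KB" or "KiB" would be more accurate.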
+11 −5
@@ -118,6 +118,7 @@ void ima_add_kexec_buffer(struct kimage *image)
				  .buf_min = 0, .buf_max = ULONG_MAX,
				  .top_down = true };
	unsigned long binary_runtime_size;
	unsigned long extra_memory;

	/* use more understandable variable names than defined in kbuf */
	size_t kexec_buffer_size = 0;
@@ -125,15 +126,20 @@ void ima_add_kexec_buffer(struct kimage *image)
	int ret;

	/*
	 * Reserve an extra half page of memory for additional measurements
	 * added during the kexec load.
	 * Reserve extra memory for measurements added during kexec.
	 */
	binary_runtime_size = ima_get_binary_runtime_size();
	if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
		extra_memory = PAGE_SIZE / 2;
	else
		extra_memory = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;

	binary_runtime_size = ima_get_binary_runtime_size() + extra_memory;

	if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
		kexec_segment_size = ULONG_MAX;
	else
		kexec_segment_size = ALIGN(ima_get_binary_runtime_size() +
					   PAGE_SIZE / 2, PAGE_SIZE);
		kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);

	if ((kexec_segment_size == ULONG_MAX) ||
	    ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
		pr_err("Binary measurement list too large.\n");
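Review bot: In ima_add_kexec_buffer(), extra_memory is now added to the return value of ima_get_binary_runtime_size() before the `binary_runtime_size >= ULONG_MAX - PAGE_SIZE` check, so a return value near ULONG_MAX wraps in the addition and then passes the check that is meant to catch it. The code being replaced passed the raw size to that check and added PAGE_SIZE / 2 only inside ALIGN(). Suggest comparing the raw size against `ULONG_MAX - PAGE_SIZE - extra_memory` before adding, or using check_add_overflow(). Two smaller points: `range 0 40` in the Kconfig entry means the option can never be negative, so `CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB == 0` states the condition more accurately than `<= 0`; and the new comment could mention the half-page fallback that applies when the option is 0.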