MIRRORS/linux-yocto
1
0
Fork 0
mirror of git://git.yoctoproject.org/linux-yocto.git synced 2025-10-22 23:13:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
c95e1acb6d
linux-yocto/security
History
Steven Chen c95e1acb6d ima: define and call ima_alloc_kexec_file_buf() 
In the current implementation, the ima_dump_measurement_list() API is
called during the kexec "load" phase, where a buffer is allocated and
the measurement records are copied. Due to this, new events added after
kexec load but before kexec execute are not carried over to the new kernel
during kexec operation

Carrying the IMA measurement list across kexec requires allocating a
buffer and copying the measurement records.  Separate allocating the
buffer and copying the measurement records into separate functions in
order to allocate the buffer at kexec 'load' and copy the measurements
at kexec 'execute'.

After moving the vfree() here at this stage in the patch set, the IMA
measurement list fails to verify when doing two consecutive "kexec -s -l"
with/without a "kexec -s -u" in between.  Only after "ima: kexec: move
IMA log copy from kexec load to execute" the IMA measurement list verifies
properly with the vfree() here.

Co-developed-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: Tushar Sugandhi <tusharsu@linux.microsoft.com>
Signed-off-by: Steven Chen <chenste@linux.microsoft.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Acked-by: Baoquan He <bhe@redhat.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com> # ppc64/kvm
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
2025-04-29 15:54:53 -04:00
..
apparmor Change inode_operations.mkdir to return struct dentry * 2025-02-27 20:00:17 +01:00
bpf bpf: lsm: Remove hook to bpf_task_storage_free 2024-12-16 12:32:31 -08:00
integrity ima: define and call ima_alloc_kexec_file_buf() 2025-04-29 15:54:53 -04:00
ipe ipe: policy_fs: fix kernel-doc warnings 2025-03-24 13:36:00 -07:00
keys This update includes the following changes: 2025-03-29 10:01:55 -07:00
landlock landlock: Fix documentation for landlock_restrict_self(2) 2025-04-17 11:09:10 +02:00
loadpin loadpin: remove MODULE_COMPRESS_NONE as it is no longer supported 2025-03-03 09:35:50 -08:00
lockdown lockdown: initialize local array before use to quiet static analysis 2025-01-05 12:48:43 -05:00
safesetid safesetid: check size of policy writes 2025-01-04 22:46:09 -05:00
selinux Driver core updates for 6.15-rc1 2025-04-01 11:02:03 -07:00
smack smack: recognize ipv4 CIPSO w/o categories 2025-02-16 14:17:55 -08:00
tomoyo tomoyo: use better patterns for procfs in learning mode 2025-01-31 00:27:44 +09:00
yama yama: don't abuse rcu_read_lock/get_task_struct in yama_task_prctl() 2025-03-07 19:58:05 -08:00
commoncap.c capability: Remove unused has_capability 2025-03-07 22:03:09 -06:00
device_cgroup.c
inode.c lsm: Use IS_ERR_OR_NULL() helper function 2024-08-29 11:12:13 -04:00
Kconfig mseal sysmap: kernel config and header change 2025-04-01 15:17:14 -07:00
Kconfig.hardening hardening: Disable GCC randstruct for COMPILE_TEST 2025-04-15 13:50:17 -07:00
lsm_audit.c Landlock update for v6.15-rc1 2025-03-28 12:37:13 -07:00
lsm_syscalls.c lsm: use 32-bit compatible data types in LSM syscalls 2024-03-14 11:31:26 -04:00
Makefile lsm: Only build lsm_audit.c if CONFIG_SECURITY and CONFIG_AUDIT are set 2025-01-04 11:50:44 -05:00
min_addr.c security: min_addr: move sysctl to security/min_addr.c 2025-02-07 16:53:04 +01:00
security.c bpf-next-6.15 2025-03-30 12:43:03 -07:00