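// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Copyright (C) 2016 IBM Corporation
 *
 * Authors:
 * Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
 * Mimi Zohar <zohar@linux.vnet.ibm.com>
 */

#include <linux/seq_file.h>
#include <linux/vmalloc.h>
#include <linux/kexec.h>
#include <linux/of.h>
#include <linux/ima.h>
#include <linux/mm.h>
#include <linux/overflow.h>
#include <linux/reboot.h>
#include <asm/page.h>
#include "ima.h"

#ifdef CONFIG_IMA_KEXEC
#define IMA_KEXEC_EVENT_LEN 256

/* True once update_buffer_nb has been registered as a reboot notifier. */
static bool ima_kexec_update_registered;
/* seq_file used as the staging buffer the measurement list is dumped into. */
static struct seq_file ima_kexec_file;
/* Page-aligned segment size computed by the most recent kexec load. */
static size_t kexec_segment_size;
/* Kernel mapping of the loaded image's IMA segment, or NULL when unmapped. */
static void *ima_kexec_buffer;
/* Size of the segment behind ima_kexec_buffer; 0 while nothing is mapped. */
static size_t ima_kexec_mapped_size;

/*
 * Release the staging buffer of @sf and reset its bookkeeping fields so the
 * seq_file can be reused for a later allocation.
 */
static void ima_free_kexec_file_buf(struct seq_file *sf)
{
	vfree(sf->buf);
	sf->buf = NULL;
	sf->size = 0;
	sf->read_pos = 0;
	sf->count = 0;
}

/*
 * Record a critical-data measurement for a kexec event.
 * @event_name: name of the event being measured (e.g. "kexec_load")
 *
 * The measured payload is a text record holding the current kexec segment
 * size, the size of the full binary runtime measurement list and the number
 * of measurement records.
 */
void ima_measure_kexec_event(const char *event_name)
{
	char ima_kexec_event[IMA_KEXEC_EVENT_LEN];
	size_t buf_size = 0;
	long len;
	int n;

	buf_size = ima_get_binary_runtime_size(BINARY_FULL);
	len = atomic_long_read(&ima_num_records[BINARY_FULL]);

	/*
	 * kexec_segment_size and buf_size are size_t, so they are printed
	 * with %zu; %lu only matches where size_t is unsigned long.
	 * scnprintf() bounds the write to the on-stack buffer.
	 */
	n = scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN,
		      "kexec_segment_size=%zu;ima_binary_runtime_size=%zu;"
		      "ima_runtime_measurements_count=%ld;",
		      kexec_segment_size, buf_size, len);

	ima_measure_critical_data("ima_kexec", event_name, ima_kexec_event, n, false, NULL, 0);
}

/*
 * Make sure the staging buffer holds @segment_size bytes, reserve room for
 * the ima_kexec_hdr at its start, and measure the "kexec_load" event.
 *
 * Returns 0 on success, -ENOMEM if the buffer cannot be allocated.
 */
static int ima_alloc_kexec_file_buf(size_t segment_size)
{
	/*
	 * kexec 'load' may be called multiple times.
	 * Free and realloc the buffer only if the segment_size is
	 * changed from the previous kexec 'load' call.
	 */
	if (ima_kexec_file.buf && ima_kexec_file.size == segment_size)
		goto out;

	ima_free_kexec_file_buf(&ima_kexec_file);

	/* segment size can't change between kexec load and execute */
	ima_kexec_file.buf = vmalloc(segment_size);
	if (!ima_kexec_file.buf)
		return -ENOMEM;

	ima_kexec_file.size = segment_size;

out:
	ima_kexec_file.read_pos = 0;
	ima_kexec_file.count = sizeof(struct ima_kexec_hdr);	/* reserved space */
	ima_measure_kexec_event("kexec_load");

	return 0;
}

/*
 * Append one measurement entry to the staging buffer and count it in @khdr.
 *
 * Returns 0 on success, -EINVAL when the staging buffer is already full.
 *
 * NOTE(review): the check only establishes that some space remains, not that
 * this entry fits; presumably the seq_file writers behind
 * ima_measurements_show() bound the write themselves - confirm.
 */
static int ima_dump_measurement(struct ima_kexec_hdr *khdr,
				struct ima_queue_entry *qe)
{
	if (ima_kexec_file.count >= ima_kexec_file.size)
		return -EINVAL;

	khdr->count++;
	ima_measurements_show(&ima_kexec_file, qe);
	return 0;
}

/*
 * Serialize the staged and the regular measurement lists into the staging
 * buffer and fill in the header reserved at its start.
 * @buffer_size: set to the number of bytes used in the staging buffer
 * @buffer: set to the staging buffer
 * @segment_size: unused here; the buffer was sized at kexec load
 *
 * Returns 0 on success or a negative errno. When the dump stops early the
 * header is still written and *buffer_size / *buffer still describe the
 * entries that were dumped; only the early "not allocated" return leaves the
 * output parameters untouched.
 */
static int ima_dump_measurement_list(unsigned long *buffer_size, void **buffer,
				     unsigned long segment_size)
{
	struct ima_queue_entry *qe;
	struct ima_kexec_hdr khdr;
	int ret = 0;

	/* segment size can't change between kexec load and execute */
	if (!ima_kexec_file.buf) {
		pr_err("Kexec file buf not allocated\n");
		return -EINVAL;
	}

	memset(&khdr, 0, sizeof(khdr));
	khdr.version = 1;
	/*
	 * Lockless walks possible due to strict ordering of the reboot
	 * notifiers, suspending measurement before dump, and forbidding
	 * staging/deleting (list mutations) after suspend.
	 */
	list_for_each_entry(qe, &ima_measurements_staged, later) {
		ret = ima_dump_measurement(&khdr, qe);
		if (ret < 0)
			break;
	}

	/* Skipped entirely if the staged list already failed to fit. */
	list_for_each_entry(qe, &ima_measurements, later) {
		if (!ret)
			ret = ima_dump_measurement(&khdr, qe);
		if (ret < 0)
			break;
	}

	/*
	 * fill in reserved space with some buffer details
	 * (eg. version, buffer size, number of measurements)
	 */
	khdr.buffer_size = ima_kexec_file.count;
	if (ima_canonical_fmt) {
		/* canonical format stores the header fields little-endian */
		khdr.version = cpu_to_le16(khdr.version);
		khdr.count = cpu_to_le64(khdr.count);
		khdr.buffer_size = cpu_to_le64(khdr.buffer_size);
	}
	memcpy(ima_kexec_file.buf, &khdr, sizeof(khdr));

	/* debug aid: hex-dump at most the first 100 bytes */
	print_hex_dump_debug("ima dump: ", DUMP_PREFIX_NONE, 16, 1,
			     ima_kexec_file.buf, ima_kexec_file.count < 100 ?
			     ima_kexec_file.count : 100,
			     true);

	*buffer_size = ima_kexec_file.count;
	*buffer = ima_kexec_file.buf;

	return ret;
}

/*
 * Called during kexec_file_load so that IMA can add a segment to the kexec
 * image for the measurement list for the next kernel.
 *
 * This function assumes that kexec_lock is held.
 *
 * Every failure path only logs and returns; in that case the image simply
 * carries no IMA segment.
 */
void ima_add_kexec_buffer(struct kimage *image)
{
	struct kexec_buf kbuf = { .image = image, .buf_align = PAGE_SIZE,
				  .buf_min = 0, .buf_max = ULONG_MAX,
				  .top_down = true };
	unsigned long binary_runtime_size;
	unsigned long extra_memory;

	/* use more understandable variable names than defined in kbuf */
	size_t kexec_buffer_size = 0;
	void *kexec_buffer = NULL;
	int ret;

	if (image->type == KEXEC_TYPE_CRASH)
		return;

	/*
	 * Reserve extra memory for measurements added during kexec.
	 */
	if (CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB <= 0)
		extra_memory = PAGE_SIZE / 2;
	else
		extra_memory = CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024;

	binary_runtime_size = ima_get_binary_runtime_size(BINARY) +
			      ima_get_binary_runtime_size(BINARY_STAGED) +
			      extra_memory;

	/* ULONG_MAX marks "too large" instead of letting ALIGN() wrap. */
	if (binary_runtime_size >= ULONG_MAX - PAGE_SIZE)
		kexec_segment_size = ULONG_MAX;
	else
		kexec_segment_size = ALIGN(binary_runtime_size, PAGE_SIZE);

	/* Refuse a segment that would need more than half of all RAM pages. */
	if ((kexec_segment_size == ULONG_MAX) ||
	    ((kexec_segment_size >> PAGE_SHIFT) > totalram_pages() / 2)) {
		pr_err("Binary measurement list too large.\n");
		return;
	}

	ret = ima_alloc_kexec_file_buf(kexec_segment_size);
	if (ret < 0) {
		pr_err("Not enough memory for the kexec measurement buffer.\n");
		return;
	}

	/*
	 * kexec_buffer is NULL and kexec_buffer_size is 0 at load time: only
	 * memsz is reserved here, and the list itself is copied into the
	 * mapped segment by ima_update_kexec_buffer() at kexec execute.
	 */
	kbuf.buffer = kexec_buffer;
	kbuf.bufsz = kexec_buffer_size;
	kbuf.memsz = kexec_segment_size;
	image->is_ima_segment_index_set = false;
	ret = kexec_add_buffer(&kbuf);
	if (ret) {
		pr_err("Error passing over kexec measurement buffer.\n");
		/* kexec_buffer is still NULL here, so this vfree() is a no-op */
		vfree(kexec_buffer);
		return;
	}

	image->ima_buffer_addr = kbuf.mem;
	image->ima_buffer_size = kexec_segment_size;
	image->ima_buffer = kexec_buffer;
	image->ima_segment_index = image->nr_segments - 1;
	image->is_ima_segment_index_set = true;

	kexec_dprintk("kexec measurement buffer for the loaded kernel at 0x%lx.\n",
		      kbuf.mem);
}

/*
 * Called during kexec execute so that IMA can update the measurement list.
 *
 * Reboot notifier callback: dumps the measurement list into the staging
 * buffer, copies it into the mapped IMA segment and drops the mapping.
 * Returns NOTIFY_OK when there is nothing to do, otherwise the result of the
 * dump (0 or a negative errno).
 */
static int ima_update_kexec_buffer(struct notifier_block *self,
				   unsigned long action, void *data)
{
	size_t buf_size = 0;
	int ret = NOTIFY_OK;
	void *buf = NULL;

	if (!kexec_in_progress) {
		pr_info("No kexec in progress.\n");
		return ret;
	}

	if (!ima_kexec_buffer) {
		pr_err("Kexec buffer not set.\n");
		return ret;
	}

	ret = ima_dump_measurement_list(&buf_size, &buf, kexec_segment_size);

	if (ret)
		pr_err("Dump measurements failed. Error:%d\n", ret);

	/*
	 * Defensive bound on the copy: the staging buffer is sized by the
	 * most recent kexec load, the mapping by the image that was
	 * post-loaded. NOTE(review): the two are expected to match - confirm
	 * against the kexec core - but never write past the mapped segment.
	 */
	if (buf_size > ima_kexec_mapped_size)
		pr_err("Measurement dump larger than the mapped kexec segment.\n");
	else if (buf_size != 0)
		memcpy(ima_kexec_buffer, buf, buf_size);

	kimage_unmap_segment(ima_kexec_buffer);
	ima_kexec_buffer = NULL;
	ima_kexec_mapped_size = 0;

	return ret;
}

/* Registered with priority INT_MIN, the lowest possible value. */
static struct notifier_block update_buffer_nb = {
	.notifier_call = ima_update_kexec_buffer,
	.priority = INT_MIN
};

/*
 * Create a mapping for the source pages that contain the IMA buffer
 * so we can update it later.
 *
 * Any mapping left from an earlier load is dropped first. The reboot
 * notifier that performs the update is registered once, on the first
 * successful mapping.
 */
void ima_kexec_post_load(struct kimage *image)
{
	if (ima_kexec_buffer) {
		kimage_unmap_segment(ima_kexec_buffer);
		ima_kexec_buffer = NULL;
		ima_kexec_mapped_size = 0;
	}

	/* No IMA segment was added to this image. */
	if (!image->ima_buffer_addr)
		return;

	ima_kexec_buffer = kimage_map_segment(image, image->ima_segment_index);
	if (!ima_kexec_buffer) {
		pr_err("Could not map measurements buffer.\n");
		return;
	}

	/* Remember how much may be written through the mapping. */
	ima_kexec_mapped_size = image->ima_buffer_size;

	if (!ima_kexec_update_registered) {
		register_reboot_notifier(&update_buffer_nb);
		ima_kexec_update_registered = true;
	}
}

#endif /* IMA_KEXEC */

/*
 * Restore the measurement list from the previous kernel.
 *
 * The buffer handed over by the previous kernel is freed after the restore
 * attempt whether or not the restore succeeded. The other outcomes are only
 * logged at debug level.
 */
void __init ima_load_kexec_buffer(void)
{
	void *kexec_buffer = NULL;
	size_t kexec_buffer_size = 0;
	int rc;

	rc = ima_get_kexec_buffer(&kexec_buffer, &kexec_buffer_size);
	switch (rc) {
	case 0:
		rc = ima_restore_measurement_list(kexec_buffer_size,
						  kexec_buffer);
		if (rc != 0)
			pr_err("Failed to restore the measurement list: %d\n",
			       rc);

		ima_free_kexec_buffer();
		break;
	case -ENOTSUPP:
		pr_debug("Restoring the measurement list not supported\n");
		break;
	case -ENOENT:
		pr_debug("No measurement list to restore\n");
		break;
	default:
		pr_debug("Error restoring the measurement list: %d\n", rc);
	}
}

/*
 * ima_validate_range - verify a physical buffer lies in addressable RAM
 * @phys: physical start address of the buffer from previous kernel
 * @size: size of the buffer
 *
 * On success return 0. On failure returns -EINVAL so callers can skip
 * restoring. An empty range and a range whose end address overflows are
 * rejected.
 *
 * On x86 the page-frame range is checked with pfn_range_is_mapped(). On
 * other architectures only the first and the last page frame are tested with
 * page_is_ram(), so a non-RAM hole strictly inside the range is not detected
 * by this function.
 */
int ima_validate_range(phys_addr_t phys, size_t size)
{
	unsigned long start_pfn, end_pfn;
	phys_addr_t end_phys;

	/*
	 * Reject an empty buffer explicitly: size - 1 below would wrap, and
	 * the result would then depend on how the RAM check treats the
	 * wrapped end address.
	 */
	if (!size)
		return -EINVAL;

	/* end_phys is the address of the last byte of the buffer. */
	if (check_add_overflow(phys, (phys_addr_t)size - 1, &end_phys))
		return -EINVAL;

	start_pfn = PHYS_PFN(phys);
	end_pfn = PHYS_PFN(end_phys);

#ifdef CONFIG_X86
	if (!pfn_range_is_mapped(start_pfn, end_pfn))
#else
	if (!page_is_ram(start_pfn) || !page_is_ram(end_pfn))
#endif
	{
		pr_warn("IMA: previous kernel measurement buffer %pa (size 0x%zx) lies outside available memory\n",
			&phys, size);
		return -EINVAL;
	}

	return 0;
}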