From: Baoquan He <bhe@redhat.com>
To: Mimi Zohar <zohar@linux.ibm.com>, Coiby Xu <coxu@redhat.com>
Cc: chenste@linux.microsoft.com, RuiRui Yang <ruyang@redhat.com>,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [RFC PATCH] ima: add a knob to make IMA be able to be disabled
Date: Wed, 16 Apr 2025 11:22:52 +0800
Message-ID: <Z/8ijFhIf1J6vbWM@MiWiFi-R3L-srv>
In-Reply-To: <db0f463cbf4ad9b9cf9f9a23c5869a751ad12bba.camel@linux.ibm.com>
On 04/09/25 at 11:40am, Mimi Zohar wrote:
> On Wed, 2025-04-09 at 10:42 +0800, Baoquan He wrote:
......snip..
> > Thanks for confirming. I will consider how to fix it accordingly. Maybe
> > after Steven's patches are merged. That would be great if the buffer
> > allocating and storing can be skipped for kdump in Steven's patch. While
> > I am worried that could disrupt the progress of Steven's patches.
>
> Agreed, let's get Steven's patch set upstreamed and then make the kdump
> exceptions.
>
> - "ima: kexec: move IMA log copy from kexec load to execute" looks like it isn't
> copying the IMA measurement list records (kexec_post_load), but the memory for
> the IMA measurement list is being allocated (ima_alloc_kexec_file_buf).
>
> - Do you really want to totally disable IMA for kdump or would disabling IMA-
> measurement be sufficient? Remember there's already an option to disable IMA-
> appraisal. Disabling just IMA-measurement would allow IMA-appraisal to continue
> to work. Meaning based on policy the integrity of files - executables, kernel
> image, etc - could still be verified.
>
> Without IMA-measurement:
> - No adding records to the IMA measurement list
> - No IMA measurement list pseudo securityfs files
> - No extending the TPM
>
> With IMA-appraisal:
> - Integrity verification of files based on keys, keyrings
> - Loading keys
Currently, Kdump has no demand to do integrity verification based on
keys, keyrings, except for Coiby's LUKS support in kdump:
[PATCH v8 0/7] Support kdump with LUKS encryption by reusing LUKS volume keys
https://lore.kernel.org/all/20250207080818.129165-1-coxu@redhat.com/T/#u
I have talked to Coiby; he will do some investigation to see if loading
keys related to IMA or IMA-appraisal functionality is related to LUKS
support in kdump, because the LUKS support in kdump also needs to
store/restore keys/keyrings between the normal kernel and the kdump kernel.
>
> Obviously my preference would be to add support to disable IMA-measurement in a
> kdump environment.
>
> thanks,
>
> Mimi
>
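Added example, not part of this thread and not kernel or kexec-tools code: a small replay of an IMA "ima-ng" measurement log, to make concrete the three things Mimi lists as belonging to IMA-measurement alone (appending a record per measured file, exposing that list via securityfs, and extending the TPM). It rebuilds each record's template hash the way the kernel hashes ima-ng template data (a native u32 length before each field, d-ng as "algo:" NUL digest, n-ng as path NUL), then chains the recorded template hashes into an expected SHA-1 PCR 10 value starting from all zeros. The log lines are constructed in the script rather than read from /sys/kernel/security/ima/ascii_runtime_measurements; the little-endian host, the SHA-1 template hash, the all-zero boot_aggregate of a TPM-less system and the unescaped file names are stated assumptions.

```python
"""Replay and verify a constructed IMA ima-ng measurement log.

Added example (not from the mail thread or the kernel tree). Assumptions:
little-endian host (field lengths are hashed in native byte order),
SHA-1 template hashes and PCR bank, file names without kernel escaping,
and a boot_aggregate of all zeros as on a machine without a TPM.
"""
import hashlib
import struct

PCR_INDEX = 10          # default IMA measurement PCR
TEMPLATE = "ima-ng"
PCR_ZERO = b"\0" * 20   # SHA-1 PCR value before any extend


def template_hash(file_algo: str, file_digest: bytes, path: str) -> bytes:
    """SHA-1 over the ima-ng template data as the kernel computes it:
    per field, a u32 length (native endian, assumed LE) then the bytes.
    d-ng = "<algo>:" NUL digest; n-ng = path NUL."""
    d_ng = f"{file_algo}:".encode() + b"\0" + file_digest
    n_ng = path.encode() + b"\0"
    h = hashlib.sha1()
    for field in (d_ng, n_ng):
        h.update(struct.pack("<I", len(field)))
        h.update(field)
    return h.digest()


def make_entry(path: str, content: bytes, file_algo: str = "sha256") -> str:
    """One constructed ascii_runtime_measurements line for a measured file."""
    digest = hashlib.new(file_algo, content).digest()
    thash = template_hash(file_algo, digest, path).hex()
    return f"{PCR_INDEX} {thash} {TEMPLATE} {file_algo}:{digest.hex()} {path}"


def boot_aggregate_entry() -> str:
    """First record of every IMA log; zero digest assumed (no TPM present)."""
    zero = b"\0" * 32
    thash = template_hash("sha256", zero, "boot_aggregate").hex()
    return f"{PCR_INDEX} {thash} {TEMPLATE} sha256:{zero.hex()} boot_aggregate"


def parse_entry(line: str):
    """Split 'pcr template-hash template algo:hex path' (path may hold spaces)."""
    pcr, thash, template, d_ng, path = line.split(" ", 4)
    if template != TEMPLATE:
        raise ValueError(f"unsupported template {template}")
    file_algo, file_hex = d_ng.split(":", 1)
    return int(pcr), bytes.fromhex(thash), file_algo, bytes.fromhex(file_hex), path


def verify_log(lines):
    """Return (expected PCR 10 hex, list of 1-based lines whose fields do not
    rehash to their recorded template hash). The PCR is replayed from the
    recorded template hashes exactly as TPM_PCR_Extend chains them, so a
    record whose name or digest was edited but whose template hash was kept
    still replays to the right PCR; only the per-record rehash catches it."""
    pcr = PCR_ZERO
    bad = []
    for n, line in enumerate(lines, 1):
        pcr_idx, recorded, algo, digest, path = parse_entry(line)
        if pcr_idx != PCR_INDEX or recorded != template_hash(algo, digest, path):
            bad.append(n)
        pcr = hashlib.sha1(pcr + recorded).digest()   # PCR extend, SHA-1 bank
    return pcr.hex(), bad


if __name__ == "__main__":
    # Constructed sample log: boot_aggregate plus two measured files.
    log = [
        boot_aggregate_entry(),
        make_entry("/usr/sbin/kexec", b"\x7fELF sample kexec binary"),
        make_entry("/boot/vmlinuz", b"sample kernel image bytes"),
    ]
    print("\n".join(log))
    print("expected PCR10:", verify_log(log))
    tampered = list(log)
    tampered[1] = tampered[1].replace("/usr/sbin/kexec", "/usr/sbin/kexec.bak")
    print("tampered record:", verify_log(tampered))
```

A real check compares the replayed value against `tpm2_pcrread sha1:10`; a match only proves the sequence of template hashes, which is why the replay also rehashes every record's fields.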
Thread overview: 22+ messages
2025-03-31 6:16 [RFC PATCH] ima: add a knob to make IMA be able to be disabled Baoquan He
2025-03-31 6:22 ` Paul Menzel
2025-03-31 8:21 ` Baoquan He
2025-03-31 12:15 ` Mimi Zohar
2025-04-02 1:38 ` Coiby Xu
2025-04-02 1:47 ` RuiRui Yang
2025-04-02 3:30 ` Mimi Zohar
2025-04-02 8:43 ` Coiby Xu
2025-04-02 11:25 ` Mimi Zohar
2025-04-02 11:49 ` Baoquan He
2025-04-03 20:03 ` Mimi Zohar
2025-04-07 1:34 ` Baoquan He
2025-04-07 11:46 ` Mimi Zohar
2025-04-09 2:42 ` Baoquan He
2025-04-09 15:40 ` Mimi Zohar
2025-04-16 3:22 ` Baoquan He [this message]
2025-04-28 3:48 ` Coiby Xu
2025-04-29 11:39 ` Mimi Zohar
2025-05-09 5:59 ` Coiby Xu
2025-05-09 13:03 ` Mimi Zohar
2025-05-13 0:14 ` Coiby Xu
2025-05-13 3:55 ` Gao Xiang