From: Baoquan He <bhe@redhat.com>
To: Coiby Xu <coxu@redhat.com>
Cc: Mimi Zohar <zohar@linux.ibm.com>, RuiRui Yang <ruyang@redhat.com>,
linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Subject: Re: [RFC PATCH] ima: add a knob to make IMA be able to be disabled
Date: Wed, 2 Apr 2025 19:49:26 +0800 [thread overview]
Message-ID: <Z+0kRhCfsjdZ53rZ@MiWiFi-R3L-srv> (raw)
In-Reply-To: <h3bjnvtded2hgbhya6ugb62mnlmkjpmifa6w6wwutfd3jq326r@lzpoun5pksev>
On 04/02/25 at 04:43pm, Coiby Xu wrote:
> On Tue, Apr 01, 2025 at 11:30:09PM -0400, Mimi Zohar wrote:
> > On Wed, 2025-04-02 at 09:47 +0800, RuiRui Yang wrote:
> [...]
> > > > > that. Please don't make it generic like this.
> > > > >
> > > > > Please refer to ima_appraise_parse_cmdline().
> > > >
> > > > Hi Mimi,
> > > >
> > > > To save memory for kdump, it seems init_ima has to be skipped, thus
> > > > ima=off is necessary (ima_appraise=off won't serve the purpose). Or do
> > > > you have any specific concerns in mind?
> > >
> > > I think, as Mimi said, the logic below enforces IMA even when the
> > > cmdline disables it; see ima_appraise_parse_cmdline:
> > > if (sb_state) {
> > >         if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
> > >                 pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
> > >                         str);
> > > } else {
> > >         ima_appraise = appraisal_state;
> > > }
>
> Thanks for pointing me to the above code! Note with the whole IMA
> disabled as done by this patch, the above code will not run so IMA
> (appraisal) won't be enforced.
>
> >
> > Thanks, RuiRui.
> >
>
> Mimi, so do I understand it correctly that you want IMA-appraisal to be
> always enabled as long as secure boot is enabled, even if users choose to
> disable IMA? I wonder what security issue it will bring if this promise
> gets broken, considering other LSMs like SELinux can be disabled when
> secure boot is enabled?
>
> > Coiby, would disabling just IMA-measurement, as opposed to IMA-appraisal, save
> > sufficient memory for kdump?
>
> For disabling just IMA-measurement, do you mean not enabling any measure
> rules? The more memory reserved for the kdump kernel, the less memory
> can be used by the 1st kernel. So from the perspective of kdump, we try
> to make the memory footprint as small as possible.
>
> Baoquan, do you have any statistics about the memory overhead of IMA?
I am getting a system to check that. I think there are two aspects of
IMA functionality we want to disable. One is disabling the IMA-measurement
copying from the 1st kernel to the 2nd kernel, which is only needed by kexec
reboot; the other is that IMA is not needed at all in the kdump kernel, meaning we
don't want to call ima_init() to initialize
ima_keyring/crypto/template/digests/fs etc.
With my shallow knowledge about IMA, I don't know how to imitate the
appraisal cmdline to disable IMA partially in the kdump kernel case.
One example is 'cgroup_disable=memory', which we have been adding to the
kdump cmdline because mem_cgroup is not needed at all for the kdump kernel.
We want to achieve that effect.
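As an added illustration of the ima_appraise_parse_cmdline() branch quoted above (example code written for this note, not the kernel's own source), the following user-space model parses the ima_appraise= value and applies the secure-boot gate. It assumes the kernel's flag values (IMA_APPRAISE_ENFORCE 0x01, IMA_APPRAISE_FIX 0x02, IMA_APPRAISE_LOG 0x04) and an initial enforce state; the function name is made up for the example.

```c
/* User-space model of ima_appraise_parse_cmdline() (added example,
 * not kernel code). Flag values assumed to match security/integrity/ima/ima.h. */
#include <stdio.h>
#include <string.h>

#define IMA_APPRAISE_ENFORCE 0x01
#define IMA_APPRAISE_FIX     0x02
#define IMA_APPRAISE_LOG     0x04

/* Hypothetical pure wrapper: takes the current appraisal state and the
 * secure-boot state, returns the resulting state. With secure boot on,
 * any option that drops the ENFORCE bit is logged and ignored. */
int model_ima_appraise_parse(const char *str, int sb_state, int current)
{
    int appraisal_state = current;

    if (strncmp(str, "off", 3) == 0)
        appraisal_state = 0;
    else if (strncmp(str, "log", 3) == 0)
        appraisal_state = IMA_APPRAISE_LOG;
    else if (strncmp(str, "fix", 3) == 0)
        appraisal_state = IMA_APPRAISE_FIX;
    else if (strncmp(str, "enforce", 7) == 0)
        appraisal_state = IMA_APPRAISE_ENFORCE;
    else
        printf("invalid \"%s\" appraise option\n", str);

    /* The branch quoted in the thread: secure boot keeps the default. */
    if (sb_state) {
        if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
            printf("Secure boot enabled: ignoring ima_appraise=%s option\n",
                   str);
        return current;
    }
    return appraisal_state;
}

int main(void)
{
    const char *opts[] = { "off", "log", "fix", "enforce", "bogus" };
    for (int sb = 0; sb <= 1; sb++)
        for (size_t i = 0; i < sizeof(opts) / sizeof(opts[0]); i++)
            printf("sb_state=%d ima_appraise=%-8s -> 0x%02x\n", sb, opts[i],
                   model_ima_appraise_parse(opts[i], sb, IMA_APPRAISE_ENFORCE));
    return 0;
}
```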
Thread overview:
2025-03-31 6:16 [RFC PATCH] ima: add a knob to make IMA be able to be disabled Baoquan He
2025-03-31 6:22 ` Paul Menzel
2025-03-31 8:21 ` Baoquan He
2025-03-31 12:15 ` Mimi Zohar
2025-04-02 1:38 ` Coiby Xu
2025-04-02 1:47 ` RuiRui Yang
2025-04-02 3:30 ` Mimi Zohar
2025-04-02 8:43 ` Coiby Xu
2025-04-02 11:25 ` Mimi Zohar
2025-04-02 11:49 ` Baoquan He [this message]
2025-04-03 20:03 ` Mimi Zohar
2025-04-07 1:34 ` Baoquan He
2025-04-07 11:46 ` Mimi Zohar
2025-04-09 2:42 ` Baoquan He
2025-04-09 15:40 ` Mimi Zohar
2025-04-16 3:22 ` Baoquan He
2025-04-28 3:48 ` Coiby Xu
2025-04-29 11:39 ` Mimi Zohar
2025-05-09 5:59 ` Coiby Xu
2025-05-09 13:03 ` Mimi Zohar
2025-05-13 0:14 ` Coiby Xu
2025-05-13 3:55 ` Gao Xiang