From: Baoquan He <bhe@redhat.com>
To: linux-integrity@vger.kernel.org, kexec@lists.infradead.org
Cc: linux-kernel@vger.kernel.org, zohar@linux.ibm.com,
pmenzel@molgen.mpg.de, coxu@redhat.com, ruyang@redhat.com,
chenste@linux.microsoft.com
Subject: Re: [PATCH] ima: add a knob ima= to make IMA be able to be disabled
Date: Fri, 16 May 2025 08:22:14 +0800 [thread overview]
Message-ID: <aCaFNvHbYxrCaPbe@MiWiFi-R3L-srv> (raw)
In-Reply-To: <20250515233953.14685-1-bhe@redhat.com>
CC kexec list.
On 05/16/25 at 07:39am, Baoquan He wrote:
> Kdump kernel doesn't need IMA functionality, and enabling IMA will cost
> extra memory. It would be very helpful to allow IMA to be disabled for
> kdump kernel.
>
> And Coiby also mentioned that for the kdump kernel an incorrect ima-policy loaded
> by systemd could cause the kdump kernel to hang, and it's possible the booting
> process may be stopped by a strict, albeit syntactically correct, policy and users
> can't log into the system to fix the policy. In these cases, allowing IMA to be
> disabled is very helpful too for the kdump kernel.
>
> Hence add a knob ima=on|off here to allow people to disable IMA in kdump
> kernel if needed.
>
> Signed-off-by: Baoquan He <bhe@redhat.com>
> ---
> .../admin-guide/kernel-parameters.txt | 5 +++++
> security/integrity/ima/ima_main.c | 22 +++++++++++++++++++
> 2 files changed, 27 insertions(+)
>
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index d9fd26b95b34..762fb6ddcc24 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2202,6 +2202,11 @@
> different crypto accelerators. This option can be used
> to achieve best performance for particular HW.
>
> + ima= [IMA] Enable or disable IMA
> + Format: { "off" | "on" }
> + Default: "on"
> + Note that this is only useful for kdump kernel.
> +
> init= [KNL]
> Format: <full_path>
> Run specified binary instead of /sbin/init as init
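Review bot: the new `ima=` entry should state that the option is ignored outside a kdump kernel, because the check added to `init_ima()` in this same patch is `if (ima_disabled && is_kdump_kernel())`; "Note that this is only useful for kdump kernel." reads as advice rather than as the actual behaviour, and an administrator who passes `ima=off` to a normal kernel will get neither the effect nor any message explaining why. Suggest something like "ima=off takes effect only when the kernel is booted as the kdump (crash) kernel; it is ignored otherwise", and, since "off" skips measurement and appraisal entirely in that kernel, one sentence saying that files loaded by the crash kernel will then not be measured or appraised.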
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index f3e7ac513db3..07af5c6af138 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -27,6 +27,7 @@
> #include <linux/fs.h>
> #include <linux/iversion.h>
> #include <linux/evm.h>
> +#include <linux/crash_dump.h>
>
> #include "ima.h"
>
> @@ -38,11 +39,27 @@ int ima_appraise;
>
> int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> static int hash_setup_done;
> +static int ima_disabled;
>
> static struct notifier_block ima_lsm_policy_notifier = {
> .notifier_call = ima_lsm_policy_change,
> };
>
> +static int __init ima_setup(char *str)
> +{
> + if (strncmp(str, "off", 3) == 0)
> + ima_disabled = 1;
> + else if (strncmp(str, "on", 2) == 0)
> + ima_disabled = 0;
> + else
> + pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
> +
> + return 1;
> +}
> +__setup("ima=", ima_setup);
> +
> +
> +
> static int __init hash_setup(char *str)
> {
> struct ima_template_desc *template_desc = ima_template_desc_current();
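Review bot: `strncmp(str, "off", 3)` and `strncmp(str, "on", 2)` accept any value that merely begins with those prefixes (for example `ima=offline` or `ima=only`), so the "Invalid ima setup option" branch is never reached for such strings and the exact `{ "off" | "on" }` format promised in the documentation hunk is not enforced; a plain `strcmp()` (or `kstrtobool()`, which also handles the usual 0/1 spellings) gives the exact match. The `pr_err()` format string is missing its trailing `\n`, and the three consecutive empty `+` lines inserted before `hash_setup()` should be reduced to the single blank line used between the other functions here. Since `ima_disabled` is only ever written from the `__init` `ima_setup()` handler, declaring it `bool` and `__ro_after_init`, as `ima_hash_algo` is a few lines above, would match the surrounding style and prevent it being flipped after boot.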
> @@ -1184,6 +1201,11 @@ static int __init init_ima(void)
> {
> int error;
>
> + if (ima_disabled && is_kdump_kernel()) {
> + pr_info("IMA functionality is disabled");
> + return 0;
> + }
> +
> ima_appraise_parse_cmdline();
> ima_init_template_list();
> hash_setup(CONFIG_IMA_DEFAULT_HASH);
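Review bot: the early `return 0` skips the policy, template and hash setup that follows, but nothing in this hunk unregisters or guards the IMA hooks that are invoked on file open, mmap, module and kexec loads, so the review needs to confirm that every such hook bails out cleanly when `init_ima()` has not run past this point (i.e. that each one checks the policy flag before touching template or hash state) rather than leaving that implicit. Two smaller points on the same lines: the `pr_info()` string lacks a trailing `\n`, and when `ima_disabled` is set but `is_kdump_kernel()` is false the option is dropped silently; a `pr_info()` noting that `ima=off` is only honoured in the kdump kernel would spare users a confusing "IMA is still on" report.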
> --
> 2.41.0
>