Date: Thu, 22 May 2025 22:52:37 +0800
From: Baoquan He
To: Mimi Zohar, piliu@redhat.com, prudo@redhat.com
Cc: linux-integrity@vger.kernel.org, kexec@lists.infradead.org, linux-kernel@vger.kernel.org, pmenzel@molgen.mpg.de, coxu@redhat.com, ruyang@redhat.com, chenste@linux.microsoft.com
Subject: Re: [PATCH] ima: add a knob ima= to make IMA be able to be disabled
References: <20250515233953.14685-1-bhe@redhat.com> <1d2848fe45dbf58707cecf16c4fc46b179e24415.camel@linux.ibm.com>
On 05/22/25 at 07:08am, Mimi Zohar wrote:
> On Thu, 2025-05-22 at 11:24 +0800, Baoquan He wrote:
> > On 05/21/25 at 08:54am, Mimi Zohar wrote:
> > > On Fri, 2025-05-16 at 08:22 +0800, Baoquan He wrote:
> > > > CC kexec list.
> > > >
> > > > On 05/16/25 at 07:39am, Baoquan He wrote:
> > > > > The kdump kernel doesn't need IMA functionality, and enabling IMA will cost
> > > > > extra memory. It would be very helpful to allow IMA to be disabled for
> > > > > the kdump kernel.
> >
> > Thanks a lot for careful reviewing and great suggestions.
> >
> > >
> > > The real question is not whether kdump needs "IMA", but whether not enabling
> > > IMA in the kdump kernel could be abused.  The comments below don't address
> > > that question but limit/emphasize, as much as possible, turning IMA off is
> > > limited to the kdump kernel.
> >
> > Are you suggesting removing the paragraph below from the patch log because it
> > is redundant? I can remove it in v2 if yes.
>
> "The comments below" was referring to my comments on the patch, not the next
> paragraph.  "don't address that question" refers to whether the kdump kernel
> could be abused.
>
> We're trying to close integrity gaps, not add new ones.  Verifying the UKI's
> signature addresses the integrity of the initramfs.  What about the integrity of
> the kdump initramfs (or for that matter the kexec initramfs)?  If the kdump
> initramfs was signed, IMA would be able to verify it before the kexec.

The kdump initramfs could be generated each time when loading, once a change is
detected, e.g. a newer kernel or kdump config tuning. It's different from the
UKI's normal initramfs. We don't need to verify it as far as I know, according
to discussion with the UKI dev, so ima=off can be set by default in the kdump
kernel. Even if one day that's really needed, ima=on|off is a switch, not
hard-coded.

Adding people working on kdump UKI to CC.

>
> As for the next paragraph, based on Coiby's response, please remove it.

Got it, thanks.