From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
corbet@lwn.net, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com,
nramas@linux.microsoft.com,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [RFC][PATCH v2] ima: Add support for staging measurements for deletion and trimming
Date: Wed, 17 Dec 2025 17:01:36 +0100 [thread overview]
Message-ID: <41ead1c44a678b597ffd3350cce332a8a5d4ac7c.camel@huaweicloud.com> (raw)
In-Reply-To: <45ca26a5b08f42fb1318cd78a62dda20b9adb84e.camel@linux.ibm.com>
On Wed, 2025-12-17 at 10:26 -0500, Mimi Zohar wrote:
> Hi Roberto,
>
> Thank you! Everything is working as designed.
>
> - Only public functions require kernel-doc comments, but other functions would
> benefit having a comment.
>
> - As I mentioned in response to Steven's patch, "After trimming the measurement
> list, existing verifiers, which walk the IMA measurement list, will obviously
> fail to match the PCRs. Breaking existing userspace applications is a problem
> and, unfortunately, requires yet another Kconfig option. It needs to be at
> least mentioned here in the patch description."
Hi Mimi
sure.
> On Fri, 2025-12-12 at 18:19 +0100, Roberto Sassu wrote:
> > From: Roberto Sassu <roberto.sassu@huawei.com>
> >
> > Introduce the ability of staging the entire (or a portion of the) IMA
> > measurement list for deletion. Staging means moving the current content of
> > the measurement list to a separate location, and allowing users to read and
> > delete it. This causes the measurement list to be atomically truncated
> > before new measurements can be added.
>
> This last sentence is the crux of your of your proposal.
> -> "quickly be atomically ... so ..."
Ok.
> I must be missing something. With the ability of trimming N records, it's
> unclear to me the benefit of staging the measurement list and requiring a
> separate deletion. The measurement list can be read before trimming without
> loosing any measurements. Like now, the entire measurement list could be moved
> to a staging area. Instead of freeing all of the records, only N records would
> be freed. Afterwards the remaining staged measurements (N+1) could be restored
> to the head of the measurement list.
My hope is to avoid trimming based on N in the kernel, but rather offer
the same functionality on a user space service that simply gets all the
measurements it can from the kernel (with the stage all approach), and
exposes the desired measurements to requesting applications (based on N
or based on a PCR value, as Microsoft requested).
I think it was already mentioned earlier in the discussion. By reading
and trimming at two different times, there is a race window where two
separate remote attestation agents determine N on the current
measurements list and attempt to trim one after another with the same
N, but the latter attempts to do it on an already trimmed measurements
list. They could take the write lock for the read too to avoid that.
The stage all approach is not susceptible to this race window, because
it does not require a prior read before the operation.
Thanks
Roberto
next prev parent reply other threads:[~2025-12-17 16:01 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-12 17:19 [RFC][PATCH v2] ima: Add support for staging measurements for deletion and trimming Roberto Sassu
2025-12-12 19:41 ` steven chen
2025-12-12 22:58 ` steven chen
2025-12-13 2:06 ` Paul Moore
2025-12-15 12:41 ` Roberto Sassu
2025-12-17 15:26 ` Mimi Zohar
2025-12-17 16:01 ` Roberto Sassu [this message]
2025-12-17 19:41 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=41ead1c44a678b597ffd3350cce332a8a5d4ac7c.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=chenste@linux.microsoft.com \
--cc=corbet@lwn.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).