From: Mimi Zohar <zohar@linux.ibm.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
corbet@lwn.net, skhan@linuxfoundation.org,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com,
nramas@linux.microsoft.com,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [PATCH v5 11/13] ima: Support staging and deleting N measurements entries
Date: Tue, 26 May 2026 07:08:00 -0400 [thread overview]
Message-ID: <f00aabe05aeee7f6fd0426fd992839758d810da7.camel@linux.ibm.com> (raw)
In-Reply-To: <20260429160319.4162918-12-roberto.sassu@huaweicloud.com>
On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu@huawei.com>
>
> Add support for sending a value N between 1 and ULONG_MAX to the IMA
> original measurement interface. This value represents the number of
> measurements that should be deleted from the current measurements list. In
> this case, measurements are staged in an internal non-user visible list,
> and immediately deleted.
>
> This staging method allows the remote attestation agents to easily separate
> the measurements that were verified (staged and deleted) from those that
> weren't due to the race between taking a TPM quote and reading the
> measurements list.
The reason for removing records from the IMA measurement list is to free kernel
memory. However, the level of precision in removing only those measurements
needed for the quote seems necessary only if the measurement records are not
being saved. Upstreaming a feature to remove measurement records from the IMA
measurement list is to address the kernel memory issue — clearly not to drop
measurement records and break attestation.
>
> In order to minimize the locking time of ima_extend_list_mutex, deleting
> N entries is realized by doing a lockless walk in the current measurements
> list to determine the N-th entry to cut, to cut the current measurements
> list under the lock, and by deleting the excess entries after releasing the
> lock.
>
> Flushing the hash table is not supported for N entries, since it would
> require removing the N entries one by one from the hash table under the
> ima_extend_list_mutex lock, which would increase the locking time.
>
> The ima_extend_list_mutex lock is necessary in ima_dump_measurement_list()
> because ima_queue_delete_partial() uses __list_cut_position() to modify
> ima_measurements, for which no RCU-safe variant exists. For the staging
> with prompt flavor alone, list_replace_rcu() could have been used instead,
> but since both flavors share the same kexec serialization path, the mutex
> is required regardless.
Thank you for the clear explanation for the changes and limitations required to
support this feature.
The changes needed for supporting "stage and delete N" measurement records
should be limited to this patch. Patch 9/13 should have used
list_replace_rcu(), without the mutex_lock.
>
> Link: https://github.com/linux-integrity/linux/issues/1
> Suggested-by: Steven Chen <chenste@linux.microsoft.com>
> Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Otherwise,
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
next prev parent reply other threads:[~2026-05-26 11:08 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-29 16:03 [PATCH v5 00/13] ima: Introduce staging mechanism Roberto Sassu
2026-04-29 16:03 ` [PATCH v5 01/13] ima: Remove ima_h_table structure Roberto Sassu
2026-05-21 2:05 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 02/13] ima: Replace static htable queue with dynamically allocated array Roberto Sassu
2026-05-21 2:05 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 03/13] ima: Introduce per binary measurements list type ima_num_entries counter Roberto Sassu
2026-05-21 2:05 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 04/13] ima: Introduce per binary measurements list type binary_runtime_size value Roberto Sassu
2026-05-21 2:06 ` Mimi Zohar
2026-05-21 7:58 ` Roberto Sassu
2026-04-29 16:03 ` [PATCH v5 05/13] ima: Introduce _ima_measurements_start() and _ima_measurements_next() Roberto Sassu
2026-05-21 2:06 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 06/13] ima: Mediate open/release method of the measurements list Roberto Sassu
2026-05-21 2:07 ` Mimi Zohar
2026-05-21 8:30 ` Roberto Sassu
2026-04-29 16:03 ` [PATCH v5 07/13] ima: Use snprintf() in create_securityfs_measurement_lists Roberto Sassu
2026-05-21 2:07 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 08/13] ima: Introduce ima_dump_measurement() Roberto Sassu
2026-05-21 2:07 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 09/13] ima: Add support for staging measurements with prompt Roberto Sassu
2026-05-04 12:51 ` Roberto Sassu
2026-05-21 15:18 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 10/13] ima: Add support for flushing the hash table when staging measurements Roberto Sassu
2026-05-21 16:06 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 11/13] ima: Support staging and deleting N measurements entries Roberto Sassu
2026-05-05 18:43 ` steven chen
2026-05-26 11:08 ` Mimi Zohar [this message]
2026-04-29 16:03 ` [PATCH v5 12/13] ima: Return error on deleting measurements already copied during kexec Roberto Sassu
2026-05-26 14:02 ` Mimi Zohar
2026-04-29 16:03 ` [PATCH v5 13/13] doc: security: Add documentation of the IMA staging mechanism Roberto Sassu
2026-05-26 15:53 ` Mimi Zohar
2026-05-07 16:47 ` [PATCH v5 00/13] ima: Introduce " steven chen
2026-05-11 17:29 ` Lakshmi Ramasubramanian
2026-05-12 8:17 ` Roberto Sassu
2026-05-15 17:37 ` Lakshmi Ramasubramanian
2026-05-19 8:38 ` Roberto Sassu
2026-05-26 14:10 ` Mimi Zohar
2026-05-21 2:02 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f00aabe05aeee7f6fd0426fd992839758d810da7.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=chenste@linux.microsoft.com \
--cc=corbet@lwn.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=skhan@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox