linux-integrity.vger.kernel.org archive mirror
* [PATCH v2] ima: add a knob ima= to make IMA be able to be disabled
@ 2025-06-11  8:25 Baoquan He
  2025-06-12 10:59 ` Mimi Zohar
  0 siblings, 1 reply; 3+ messages in thread
From: Baoquan He @ 2025-06-11  8:25 UTC (permalink / raw)
  To: linux-integrity
  Cc: linux-kernel, zohar, coxu, piliu, pmenzel, chenste, Baoquan He

Kdump kernel doesn't need IMA functionality, and enabling IMA will cost
extra memory. It would be very helpful to allow IMA to be disabled for
kdump kernel.

Hence add a knob ima=on|off here to allow turning IMA off in kdump
kernel if needed.

Note that this IMA disabling is only limited to the kdump kernel; please don't
abuse it in other kernels, as that would cause serious consequences.

Signed-off-by: Baoquan He <bhe@redhat.com>
---
v1->v2:
- Improve patch log and doc description;
- Make slight adjustment in code; 
These are all made according to Mimi's great suggestions. 

 .../admin-guide/kernel-parameters.txt         |  5 ++++
 security/integrity/ima/ima_main.c             | 26 +++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index b3d62f4c370a..1de67b9c20b4 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2214,6 +2214,11 @@
 			different crypto accelerators. This option can be used
 			to achieve best performance for particular HW.
 
+	ima=		[IMA] Enable or disable IMA
+			Format: { "off" | "on" }
+			Default: "on"
+			Note that this is only limited to kdump kernel.
+
 	indirect_target_selection= [X86,Intel] Mitigation control for Indirect
 			Target Selection(ITS) bug in Intel CPUs. Updated
 			microcode is also required for a fix in IBPB.
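Review bot: the entry does not say what happens when `ima=` is given outside a kdump kernel, which is the situation most readers of kernel-parameters.txt will be in; per the code below the option is then ignored with a warning, and "on" is a no-op in either kernel. Suggest replacing the last line with something like: `Disabling IMA is limited to the kdump kernel; in any other kernel the option is ignored and a warning is logged.` It would also help to say what "off" does (IMA initialization is skipped entirely, so neither measurement nor appraisal takes place) and why (memory savings in the crash kernel, as the commit message states), so the documented effect matches the stated motivation. As Mimi notes, drop "only".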
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f99ab1a3b0f0..c38f3881d72f 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 #include <linux/iversion.h>
 #include <linux/evm.h>
+#include <linux/crash_dump.h>
 
 #include "ima.h"
 
@@ -38,11 +39,30 @@ int ima_appraise;
 
 int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
 static int hash_setup_done;
+static int ima_disabled __ro_after_init;
 
 static struct notifier_block ima_lsm_policy_notifier = {
 	.notifier_call = ima_lsm_policy_change,
 };
 
+static int __init ima_setup(char *str)
+{
+	if (!is_kdump_kernel()) {
+		pr_info("Warning: ima setup option only permitted in kdump");
+		return 1;
+	}
+
+	if (strncmp(str, "off", 3) == 0)
+		ima_disabled = 1;
+	else if (strncmp(str, "on", 2) == 0)
+		ima_disabled = 0;
+	else
+		pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
+
+	return 1;
+}
+__setup("ima=", ima_setup);
+
 static int __init hash_setup(char *str)
 {
 	struct ima_template_desc *template_desc = ima_template_desc_current();
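Review bot: `strncmp(str, "off", 3)` and `strncmp(str, "on", 2)` are prefix matches, so `ima=offline` disables IMA and `ima=once` keeps it on; compare the whole value instead, e.g. `if (!strcmp(str, "off"))` / `else if (!strcmp(str, "on"))` (or `sysfs_streq()` if a trailing newline should be tolerated). Two smaller points in the same function: both messages lack a trailing `\n`, and a warning should go through `pr_warn()` rather than `pr_info()`. The early `!is_kdump_kernel()` return also deserves a comment saying why `is_kdump_kernel()` is already valid when `__setup()` handlers run (the crash kernel's elfcorehdr is set up earlier in boot), because if that ordering ever changed the knob would be rejected, with a misleading warning, in the one kernel it is meant for.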
@@ -1186,6 +1206,12 @@ static int __init init_ima(void)
 {
 	int error;
 
+	/*Note that turning IMA off is only limited to kdump kernel.*/
+	if (ima_disabled && is_kdump_kernel()) {
+		pr_info("IMA functionality is disabled");
+		return 0;
+	}
+
 	ima_appraise_parse_cmdline();
 	ima_init_template_list();
 	hash_setup(CONFIG_IMA_DEFAULT_HASH);
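Review bot: returning 0 here before `ima_appraise_parse_cmdline()`, `ima_init_template_list()` and `hash_setup()` run means the rest of IMA's initialization is skipped while the IMA LSM hooks, which are registered separately from this late initcall, stay wired up; the comment should state why calling into them with no policy, template or hash algorithm set up is safe (presumably every hook bails out early while no policy has been loaded), or the patch should disable the hooks at their registration point instead. Smaller points: `ima_disabled` can only be set when `is_kdump_kernel()` was already true in `ima_setup()`, so the second check is redundant (acceptable as belt-and-braces, but say so in the comment); the comment needs spaces inside the delimiters (`/* ... */`) and, as Mimi notes, should drop "only"; and `pr_info("IMA functionality is disabled\n")` needs its trailing `\n`.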
-- 
2.41.0


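The knob described in the patch above, modelled in userspace as an added example (this is not code from the patch or from the kernel): the value after `ima=` is compared as a whole token rather than by prefix, the kdump condition is passed in as a flag in place of `is_kdump_kernel()`, quoting in the command line is not handled, and the names `ima_opt_parse()`, `ima_opt_from_cmdline()`, `prefix_match_disables()` and `IMA_OPT_*` are invented for the example. The command lines in `main()` are constructed; the elfcorehdr address is a placeholder.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the patch: a userspace model of parsing an
 * "ima=on|off" boot option that is honoured only in a kdump kernel.
 * The kdump gate is a plain flag here instead of is_kdump_kernel().
 */
enum ima_opt {
	IMA_OPT_ABSENT,   /* no ima= token: IMA stays on (the documented default) */
	IMA_OPT_ON,
	IMA_OPT_OFF,
	IMA_OPT_IGNORED,  /* token present, but this is not a kdump kernel */
	IMA_OPT_INVALID,  /* token present, value is neither "on" nor "off" */
};

/* Prefix match as in the patch's strncmp(str, "off", 3): also true for "offline". */
bool prefix_match_disables(const char *val)
{
	return strncmp(val, "off", 3) == 0;
}

/* Exact match: the value must be the whole token, so "offline" is rejected. */
enum ima_opt ima_opt_parse(const char *val, bool is_kdump)
{
	if (!is_kdump)
		return IMA_OPT_IGNORED;   /* the knob is only honoured in a kdump kernel */
	if (strcmp(val, "off") == 0)
		return IMA_OPT_OFF;
	if (strcmp(val, "on") == 0)
		return IMA_OPT_ON;
	return IMA_OPT_INVALID;
}

/*
 * Scan a whitespace-separated command line for "ima=" tokens.  Every
 * occurrence is parsed in order and the last one decides the result
 * (a simplification: the patch leaves the previous value in place and
 * logs an error when a later token is invalid).
 */
enum ima_opt ima_opt_from_cmdline(const char *cmdline, bool is_kdump)
{
	enum ima_opt result = IMA_OPT_ABSENT;
	const char *p = cmdline;
	char val[64];

	while (*p) {
		const char *start;
		size_t len;

		while (*p == ' ' || *p == '\t' || *p == '\n')
			p++;
		if (!*p)
			break;
		start = p;
		while (*p && *p != ' ' && *p != '\t' && *p != '\n')
			p++;
		len = (size_t)(p - start);
		if (len < 4 || strncmp(start, "ima=", 4) != 0)
			continue;

		/* copy the value after "ima=" into a bounded buffer */
		len -= 4;
		if (len >= sizeof(val))
			len = sizeof(val) - 1;
		memcpy(val, start + 4, len);
		val[len] = '\0';
		result = ima_opt_parse(val, is_kdump);
	}
	return result;
}

int main(void)
{
	/* Constructed command lines; the elfcorehdr address is a placeholder. */
	const char *crash = "root=/dev/vda1 elfcorehdr=0x7f000000 ima=off console=ttyS0";
	const char *first = "root=/dev/vda1 ima=off console=ttyS0";

	printf("kdump kernel, ima=off -> %d (IMA_OPT_OFF is %d)\n",
	       ima_opt_from_cmdline(crash, true), IMA_OPT_OFF);
	printf("first kernel, ima=off -> %d (IMA_OPT_IGNORED is %d)\n",
	       ima_opt_from_cmdline(first, false), IMA_OPT_IGNORED);
	printf("ima=offline: prefix match disables? %d, exact match result %d (IMA_OPT_INVALID is %d)\n",
	       prefix_match_disables("offline"), ima_opt_parse("offline", true), IMA_OPT_INVALID);
	return 0;
}
```

The contrast between `prefix_match_disables()` and `ima_opt_parse()` is the point: a boot option that switches off an integrity subsystem should accept exactly the documented spellings and nothing that merely starts with them.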

* Re: [PATCH v2] ima: add a knob ima= to make IMA be able to be disabled
  2025-06-11  8:25 [PATCH v2] ima: add a knob ima= to make IMA be able to be disabled Baoquan He
@ 2025-06-12 10:59 ` Mimi Zohar
  2025-06-12 11:18   ` Baoquan He
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2025-06-12 10:59 UTC (permalink / raw)
  To: Baoquan He, linux-integrity; +Cc: linux-kernel, coxu, piliu, pmenzel, chenste

Hi Baoquan,

As discussed
https://lore.kernel.org/linux-integrity/aC6ezNcUZ%2FulKgpv@MiWiFi-R3L-srv/ the
Subject line should indicate disabling IMA is limited to kdump.

On Wed, 2025-06-11 at 16:25 +0800, Baoquan He wrote:
> Kdump kernel doesn't need IMA functionality, and enabling IMA will cost
> extra memory. It would be very helpful to allow IMA to be disabled for
> kdump kernel.
> 
> Hence add a knob ima=on|off here to allow turning IMA off in kdump
> kernel if needed.
> 
> Note that this IMA disabling is only limited to the kdump kernel; please don't
> abuse it in other kernels, as that would cause serious consequences.

Remove the word 'only', here, and in other places.

> 
> Signed-off-by: Baoquan He <bhe@redhat.com>
> ---
> v1->v2:
> - Improve patch log and doc description;
> - Make slight adjustment in code; 
> These are all made according to Mimi's great suggestions. 
> 
>  .../admin-guide/kernel-parameters.txt         |  5 ++++
>  security/integrity/ima/ima_main.c             | 26 +++++++++++++++++++
>  2 files changed, 31 insertions(+)
> 
> diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> index b3d62f4c370a..1de67b9c20b4 100644
> --- a/Documentation/admin-guide/kernel-parameters.txt
> +++ b/Documentation/admin-guide/kernel-parameters.txt
> @@ -2214,6 +2214,11 @@
>  			different crypto accelerators. This option can be used
>  			to achieve best performance for particular HW.
>  
> +	ima=		[IMA] Enable or disable IMA
> +			Format: { "off" | "on" }
> +			Default: "on"
> +			Note that this is only limited to kdump kernel.

Remove the word 'only' ->  Note that disabling IMA is limited to kdump kernel.

> +
>  	indirect_target_selection= [X86,Intel] Mitigation control for Indirect
>  			Target Selection(ITS) bug in Intel CPUs. Updated
>  			microcode is also required for a fix in IBPB.
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index f99ab1a3b0f0..c38f3881d72f 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -27,6 +27,7 @@
>  #include <linux/fs.h>
>  #include <linux/iversion.h>
>  #include <linux/evm.h>
> +#include <linux/crash_dump.h>
>  
>  #include "ima.h"
>  
> @@ -38,11 +39,30 @@ int ima_appraise;
>  
>  int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
>  static int hash_setup_done;
> +static int ima_disabled __ro_after_init;
>  
>  static struct notifier_block ima_lsm_policy_notifier = {
>  	.notifier_call = ima_lsm_policy_change,
>  };
>  
> +static int __init ima_setup(char *str)
> +{
> +	if (!is_kdump_kernel()) {
> +		pr_info("Warning: ima setup option only permitted in kdump");
> +		return 1;
> +	}
> +
> +	if (strncmp(str, "off", 3) == 0)
> +		ima_disabled = 1;
> +	else if (strncmp(str, "on", 2) == 0)
> +		ima_disabled = 0;
> +	else
> +		pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
> +
> +	return 1;
> +}
> +__setup("ima=", ima_setup);
> +
>  static int __init hash_setup(char *str)
>  {
>  	struct ima_template_desc *template_desc = ima_template_desc_current();
> @@ -1186,6 +1206,12 @@ static int __init init_ima(void)
>  {
>  	int error;
>  
> +	/*Note that turning IMA off is only limited to kdump kernel.*/

Remove the word "only" -> "Note that turning IMA off is intentionally limited to
kdump kernel."

> +	if (ima_disabled && is_kdump_kernel()) {
> +		pr_info("IMA functionality is disabled");
> +		return 0;
> +	}
> +
>  	ima_appraise_parse_cmdline();
>  	ima_init_template_list();
>  	hash_setup(CONFIG_IMA_DEFAULT_HASH);

Mimi



* Re: [PATCH v2] ima: add a knob ima= to make IMA be able to be disabled
  2025-06-12 10:59 ` Mimi Zohar
@ 2025-06-12 11:18   ` Baoquan He
  0 siblings, 0 replies; 3+ messages in thread
From: Baoquan He @ 2025-06-12 11:18 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: linux-integrity, linux-kernel, coxu, piliu, pmenzel, chenste

On 06/12/25 at 06:59am, Mimi Zohar wrote:
> Hi Baoquan,
> 
> As discussed
> https://lore.kernel.org/linux-integrity/aC6ezNcUZ%2FulKgpv@MiWiFi-R3L-srv/ the
> Subject line should indicate disabling IMA is limited to kdump.

Oops, my bad, I forgot this one.

> 
> On Wed, 2025-06-11 at 16:25 +0800, Baoquan He wrote:
> > Kdump kernel doesn't need IMA functionality, and enabling IMA will cost
> > extra memory. It would be very helpful to allow IMA to be disabled for
> > kdump kernel.
> > 
> > Hence add a knob ima=on|off here to allow turning IMA off in kdump
> > kernel if needed.
> > 
> > Note that this IMA disabling is only limited to the kdump kernel; please don't
> > abuse it in other kernels, as that would cause serious consequences.
> 
> Remove the word 'only', here, and in other places.

Sure, will update in all relevant places. Thanks.

> 
> > 
> > Signed-off-by: Baoquan He <bhe@redhat.com>
> > ---
> > v1->v2:
> > - Improve patch log and doc description;
> > - Make slight adjustment in code; 
> > These are all made according to Mimi's great suggestions. 
> > 
> >  .../admin-guide/kernel-parameters.txt         |  5 ++++
> >  security/integrity/ima/ima_main.c             | 26 +++++++++++++++++++
> >  2 files changed, 31 insertions(+)
> > 
> > diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
> > index b3d62f4c370a..1de67b9c20b4 100644
> > --- a/Documentation/admin-guide/kernel-parameters.txt
> > +++ b/Documentation/admin-guide/kernel-parameters.txt
> > @@ -2214,6 +2214,11 @@
> >  			different crypto accelerators. This option can be used
> >  			to achieve best performance for particular HW.
> >  
> > +	ima=		[IMA] Enable or disable IMA
> > +			Format: { "off" | "on" }
> > +			Default: "on"
> > +			Note that this is only limited to kdump kernel.
> 
> Remove the word 'only' ->  Note that disabling IMA is limited to kdump kernel.
> 
> > +
> >  	indirect_target_selection= [X86,Intel] Mitigation control for Indirect
> >  			Target Selection(ITS) bug in Intel CPUs. Updated
> >  			microcode is also required for a fix in IBPB.
> > diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> > index f99ab1a3b0f0..c38f3881d72f 100644
> > --- a/security/integrity/ima/ima_main.c
> > +++ b/security/integrity/ima/ima_main.c
> > @@ -27,6 +27,7 @@
> >  #include <linux/fs.h>
> >  #include <linux/iversion.h>
> >  #include <linux/evm.h>
> > +#include <linux/crash_dump.h>
> >  
> >  #include "ima.h"
> >  
> > @@ -38,11 +39,30 @@ int ima_appraise;
> >  
> >  int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> >  static int hash_setup_done;
> > +static int ima_disabled __ro_after_init;
> >  
> >  static struct notifier_block ima_lsm_policy_notifier = {
> >  	.notifier_call = ima_lsm_policy_change,
> >  };
> >  
> > +static int __init ima_setup(char *str)
> > +{
> > +	if (!is_kdump_kernel()) {
> > +		pr_info("Warning: ima setup option only permitted in kdump");
> > +		return 1;
> > +	}
> > +
> > +	if (strncmp(str, "off", 3) == 0)
> > +		ima_disabled = 1;
> > +	else if (strncmp(str, "on", 2) == 0)
> > +		ima_disabled = 0;
> > +	else
> > +		pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
> > +
> > +	return 1;
> > +}
> > +__setup("ima=", ima_setup);
> > +
> >  static int __init hash_setup(char *str)
> >  {
> >  	struct ima_template_desc *template_desc = ima_template_desc_current();
> > @@ -1186,6 +1206,12 @@ static int __init init_ima(void)
> >  {
> >  	int error;
> >  
> > +	/*Note that turning IMA off is only limited to kdump kernel.*/
> 
> Remove the word "only" -> "Note that turning IMA off is intentionally limited to
> kdump kernel."
> 
> > +	if (ima_disabled && is_kdump_kernel()) {
> > +		pr_info("IMA functionality is disabled");
> > +		return 0;
> > +	}
> > +
> >  	ima_appraise_parse_cmdline();
> >  	ima_init_template_list();
> >  	hash_setup(CONFIG_IMA_DEFAULT_HASH);
> 
> Mimi
> 


