From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: James Bottomley <James.Bottomley@HansenPartnership.com>,
steven chen <chenste@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
anirudhve@linux.microsoft.com, gregorylumen@linux.microsoft.com,
nramas@linux.microsoft.com, sushring@linux.microsoft.com
Subject: Re: [PATCH 1/1] IMA event log trimming
Date: Tue, 09 Dec 2025 10:36:48 +0100 [thread overview]
Message-ID: <736e21826c6a283d74d592393c392abbff56a409.camel@huaweicloud.com> (raw)
In-Reply-To: <d0c00469a8501483baffaf1158102c0f2c5211e8.camel@HansenPartnership.com>
On Tue, 2025-12-09 at 07:17 +0900, James Bottomley wrote:
> On Mon, 2025-12-08 at 10:40 +0100, Roberto Sassu wrote:
> > I have the impression that none the functionality you cited has to be
> > implemented in the kernel, because the only component one can trust
> > to verify the integrity of the IMA measurements list is the TPM.
> > Whether either the kernel or user space retain the measurements is
> > irrelevant.
>
> That's correct, I'm not advocating moving quoting into the kernel. Co-
> ordinating the trim with where the quote gets you to is phenomenally
> useful. While you could theoretically store any mismatch in userspace,
> having two locations for the log makes it more error prone.
>
> > I believe that the only role of the kernel is to get rid of the
> > measurements entries as fast as possible (the kernel would act more
> > like a buffer).
>
> I wouldn't say that, I'd say to get rid of measurements that the user
> has indicated are of no further use.
Different users could have different and conflicting requirements, and
we would spend time trying to conciliate those. We can avoid that by
doing it the same for everyone, and the additional cost of handling it
I believe it is fair.
I could accept staging N entries since I already agreed with Gregory
and Steven, and since it requires only an extra iteration in the linked
list. The other desired functionality should be implemented in user
space.
> > This was actually the intent of my original proposal in
> > https://github.com/linux-integrity/linux/issues/1 . The idea of
> > staging (was snapshotting, but Mimi thinks the term is not accurate)
> > is simply to detach the entire IMA measurement list as fast as
> > possible. Further read and delete after staging is done without
> > interfering with new measurements (sure, the detaching of the hash
> > table is not yet as efficient as I hoped).
>
> From the application point of view, offloading the log and random
> points is a bit more work because now the log collector has to be
> modified to look in multiple locations and we'd also need an agreement
> of where those locations are and how the log is sequenced in a naming
> scheme so it's the same for every distribution. If the application is
> in charge of trimming the log at a particular point, collection remains
> the same (it can simply be the existing in-kernel location), so we
> don't need a cross distro agreement, and the trim can simply be added
> as an extra function.
It could be a single location, the user space program would be
responsible to present the IMA measurement list as if it was never
trimmed.
Roberto
next prev parent reply other threads:[~2025-12-09 9:37 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 23:28 [PATCH 0/1] Trim N entries of IMA event logs steven chen
2025-12-02 23:28 ` [PATCH 1/1] IMA event log trimming steven chen
2025-12-05 9:30 ` Roberto Sassu
2025-12-05 14:21 ` Roberto Sassu
2025-12-05 18:30 ` James Bottomley
2025-12-08 9:40 ` Roberto Sassu
2025-12-08 17:21 ` Gregory Lumen
2025-12-08 17:50 ` Roberto Sassu
2025-12-08 22:17 ` James Bottomley
2025-12-09 9:36 ` Roberto Sassu [this message]
2025-12-10 19:16 ` Mimi Zohar
2025-12-06 1:28 ` steven chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=736e21826c6a283d74d592393c392abbff56a409.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=anirudhve@linux.microsoft.com \
--cc=chenste@linux.microsoft.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=sushring@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).