From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Gregory Lumen <gregorylumen@linux.microsoft.com>
Cc: corbet@lwn.net, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com, linux-doc@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org,
chenste@linux.microsoft.com, nramas@linux.microsoft.com,
Roberto Sassu <roberto.sassu@huawei.com>
Subject: Re: [RFC][PATCH] ima: Add support for staging measurements for deletion
Date: Thu, 11 Dec 2025 10:56:22 +0100 [thread overview]
Message-ID: <d7418d0afa696b8da67e4f25fd0dc1b9d6fd908f.camel@huaweicloud.com> (raw)
In-Reply-To: <207fd6d7-53c-57bb-36d8-13a0902052d1@linux.microsoft.com>
On Wed, 2025-12-10 at 11:12 -0800, Gregory Lumen wrote:
> Roberto,
>
> The proposed approach appears to be workable. However, if our primary goal
> here is to enable UM to free kernel memory consumed by the IMA log with an
> absolute minimum of kernel functionality/change, then I would argue that
> the proposed Stage-then-delete approach still represents unnecessary
> complexity when compared to a trim-to-N solution. Specifically:
>
> - Any functional benefit offered through the introduction of a staged
> measurement list could be equally achieved in UM with a trim-to-N solution
> coupled with the proposed ima_measure_users counter for access locking.
Ok, let's quantify the complexity of each solution. Let's assume that
the IMA measurements list has M entries and you want to trim at N < M.
Staging:
1st. trim at N
(kernel)
1. list lock (write side) -> list replace (swap the heads) -> list unlock
2. read M -> file (file contains 0..M)
3. for each 0..M -> delete entry
(user)
1. for each 0..N in file -> replay PCR
2. trim at N (keep N + 1..M)
2nd. trim at O
(kernel)
1. list lock -> list replace (swap the heads) -> list unlock
2. read P -> file (file contains N + 1..P)
3. for each M + 1..P -> delete entry
(user)
1. for each N + 1..O in file -> replay PCR
2. trim at O (keep O + 1..P)
Trimming:
1st. trim at N
(kernel)
1. list lock (read side) -> for each 0..M -> read in file (file now contains 0..M) -> list unlock
(user)
1. for each 0..N -> replay PCR
2. discard N + 1..M
(kernel)
1. list lock (write side) -> for each 0..N -> trim -> list unlock
2nd. trim at O
(kernel)
1. list lock (read side) -> for each N + 1..P -> read in file (file now contains N + 1..P) -> list unlock
(user)
1. for each N + 1..O -> replay PCR
2. discard O + 1..P
(kernel)
1. list lock (write side) -> for each N + 1..O -> trim -> list unlock
You can try to optimize it a bit by prematurely ending the reading
before M and P, and by replaying the PCR on a partial buffer.
But still:
I just swap list heads in the hot path (still need to do the same for
the hash table, postponed to later), and do the free later once there
is no contention with new measurements.
In your case you are taking the lock and walking the list two times,
once as a reader and once as a writer, and discarding measurements in
user space that you already have.
I think your solution is more complex.
> - There exists a potential UM measurement-loss race condition introduced
> by the staging functionality that would not exist with a trim-to-N
> approach. (Occurs if a kexec call occurs after a UM agent has staged
> measurements for deletion, but has not completed copying them to
> userspace). This could be avoided by persisting staged measurements across
> kexec calls at the cost of making the proposed change larger.
The solution is to coordinate the staging with kexec in user space.
Roberto
next prev parent reply other threads:[~2025-12-11 10:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-09 10:17 [RFC][PATCH] ima: Add support for staging measurements for deletion Roberto Sassu
2025-12-10 19:12 ` Gregory Lumen
2025-12-11 9:56 ` Roberto Sassu [this message]
2025-12-11 14:50 ` Roberto Sassu
2025-12-11 15:24 ` Roberto Sassu
2025-12-11 18:06 ` steven chen
2025-12-11 23:38 ` steven chen
2025-12-11 19:47 ` steven chen
2025-12-11 0:03 ` steven chen
2025-12-11 10:18 ` Roberto Sassu
2025-12-11 19:20 ` steven chen
2025-12-11 22:06 ` steven chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d7418d0afa696b8da67e4f25fd0dc1b9d6fd908f.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=chenste@linux.microsoft.com \
--cc=corbet@lwn.net \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).