Re: [PATCH v3 3/3] ima: Add support for staging measurements for deletion

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: steven chen <chenste@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>,
	Roberto Sassu <roberto.sassu@huaweicloud.com>,
	corbet@lwn.net, skhan@linuxfoundation.org,
	dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
	paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	gregorylumen@linux.microsoft.com, nramas@linux.microsoft.com,
	Roberto Sassu <roberto.sassu@huawei.com>,
	steven chen <chenste@linux.microsoft.com>
Subject: Re: [PATCH v3 3/3] ima: Add support for staging measurements for deletion
Date: Fri, 20 Mar 2026 09:58:52 -0700	[thread overview]
Message-ID: <c9258708-2db2-4c08-998f-e67a681781da@linux.microsoft.com> (raw)
In-Reply-To: <ffe1d4645a66a690892163be8e16c4b5d24a690d.camel@linux.ibm.com>

On 3/20/2026 5:41 AM, Mimi Zohar wrote:
> On Thu, 2026-03-19 at 14:31 -0700, steven chen wrote:
>
>>> - Support for deleting N measurement records (and pre-pending the remaining
>>> measurement records)
>> Is there any problem to bring work of "stage" step together to the
>> deletion step?
>>
>> "Trim N" method does everything that "staged" method can do, right?
>> what's the "stage" method can do but "trim N" method can't do?
>>
>> in user space, if in "staged" state, no other user space agent can
>> access the IMA measure list, right?
>>
>> Could you explain the benefit of bringing the "stage" step?
> The performance improvement is because "staging" the IMA measurement list takes
> the lock in order to move the measurement list pointer and then releases it.
> New measurements can then be appended to a new measurement list.  Deleting
> records is done without taking the lock to walk the staged measurement list.
>
> Without staging the measurement list, walking the measurement list to trim N
> records requires taking and holding the lock.  The performance is dependent on
> the size of the measurement list.
>
> Your question isn't really about "staging" the measurement list records, but
> requiring a userspace signal to delete them.  To answer that question, deleting
> N records (third patch) could imply staging all the measurement records and
> immediately deleting N records without an explicit userspace signal.
>
> I expect the requested "documentation" patch will provide the motivation for the
> delayed deletion of the measurement list.
>
> Mimi

"Staging" is great on reducing kernel IMA measurement list locking time.

How about just do "stage N" entries and then delete the staged list in 
one shot?
It means merge two APIs into one API
     int ima_queue_stage(void)
     int ima_queue_delete_staged(unsigned long req_value)

The kernel lock time will be the same. And user space lock time will be 
reduced.

Thanks,

Steven

>
>
>
>
>

next prev parent reply	other threads:[~2026-03-20 16:58 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-11 17:19 [PATCH v3 1/3] ima: Remove ima_h_table structure Roberto Sassu
2026-03-11 17:19 ` [PATCH v3 2/3] ima: Replace static htable queue with dynamically allocated array Roberto Sassu
2026-03-11 17:19 ` [PATCH v3 3/3] ima: Add support for staging measurements for deletion Roberto Sassu
2026-03-17 21:03   ` Mimi Zohar
2026-03-19 21:31     ` steven chen
2026-03-20 12:41       ` Mimi Zohar
2026-03-20 16:58         ` steven chen [this message]
2026-03-20 17:10           ` Roberto Sassu
2026-03-20 17:24             ` steven chen
2026-03-20 17:26               ` Roberto Sassu
2026-03-20 17:40                 ` steven chen
2026-03-17 19:15 ` [PATCH v3 1/3] ima: Remove ima_h_table structure Mimi Zohar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c9258708-2db2-4c08-998f-e67a681781da@linux.microsoft.com \
    --to=chenste@linux.microsoft.com \
    --cc=corbet@lwn.net \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=eric.snowberg@oracle.com \
    --cc=gregorylumen@linux.microsoft.com \
    --cc=jmorris@namei.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=nramas@linux.microsoft.com \
    --cc=paul@paul-moore.com \
    --cc=roberto.sassu@huawei.com \
    --cc=roberto.sassu@huaweicloud.com \
    --cc=serge@hallyn.com \
    --cc=skhan@linuxfoundation.org \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox