Re: [PATCH v5 00/13] ima: Introduce staging mechanism

Next message: Vishal Moola: "[PATCH 5/9] x86/mm: Convert sync_global_pgds_l5() to ptdescs"
Previous message: wang.yaxin: "[PATCH 1/3] delaytop: add delay max for delaytop"
In reply to: Mimi Zohar: "Re: [PATCH v5 00/13] ima: Introduce staging mechanism"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Stefan Berger

Date: Wed May 27 2026 - 10:04:41 EST

On 4/29/26 12:03 PM, Roberto Sassu wrote:

From: Roberto Sassu <roberto.sassu@xxxxxxxxxx>

Usage
=====

The IMA staging mechanism can be enabled from the kernel configuration
with the CONFIG_IMA_STAGING option.

If it is enabled, IMA duplicates the current measurements interfaces
(both binary and ASCII), by adding the _staged file suffix. Both the
original and the staging interfaces gain the write permission for the
root user and group, but require the process to have CAP_SYS_ADMIN set.

The staging mechanism supports two flavors.

Staging with prompt
~~~~~~~~~~~~~~~~~~~

The current measurements list is moved to a temporary staging area, and
staged measurements are deleted upon confirmation.

This staging process is achieved with the following steps.

1. echo A > <original interface>: the user requests IMA to stage the
entire measurements list;
2. cat <_staged interface>: the user reads the staged measurements;
3. echo D > <_staged interface>: the user requests IMA to delete
staged measurements.

I have a IMA log sharder (based on FUSE; does more 'copying' than 'sharding') that successfully uses this method.

Tested-by: Stefan Berger <stefanb@xxxxxxxxxxxxx>