Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM

From: Roberto Sassu
Date: Thu Dec 19 2024 - 11:00:26 EST

Next message: Paolo Abeni: "Re: [GIT PULL] Networking for v6.13-rc4"
Previous message: Richard Fitzgerald: "[PATCH] firmware: cs_dsp: Delete redundant assignments in cs_dsp_test_bin.c"
In reply to: Song Liu: "Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM"
Next in thread: Song Liu: "Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 2024-12-18 at 17:07 +0000, Song Liu wrote:
> Hi Mimi,
>
> Thanks for your comments!
>
> > On Dec 18, 2024, at 3:02 AM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote:
> > > On 12/17/2024 12:25 PM, Song Liu wrote:
> > > > While reading and testing LSM code, I found IMA/EVM consume per inode
> > > > storage even when they are not in use. Add options to diable them in
> > > > kernel command line. The logic and syntax is mostly borrowed from an
> > > > old serious [1].
> > >
> > > Why not omit ima and evm from the lsm= parameter?
> >
> > Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the
> > conditions for making IMA and EVM LSMs. Up to that point, only when an inode
> > was in policy did it consume any memory (rbtree). I'm pretty sure you remember
> > the rather heated discussion(s).
>
> I didn't know about this history until today. I apologize if this
> RFC/PATCH is moving to the direction against the original agreement.
> I didn't mean to break any agreement.
>
> My motivation is actually the per inode memory consumption of IMA
> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to
> each inode via i_security. IMA is better on memory consumption, as
> it only adds a pointer to i_security.
>
> It appears to me that a way to disable IMA and EVM at boot time can
> be useful, especially for distro kernels. But I guess there are
> reasons to not allow this (thus the earlier agreement). Could you
> please share your thoughts on this?

Hi Song

IMA/EVM cannot be always disabled for two reasons: (1) for secure and
trusted boot, IMA is expected to enforce architecture-specific
policies; (2) accidentally disabling them will cause modified files to
be rejected when IMA/EVM are turned on again.

If the requirements above are met, we are fine on disabling IMA/EVM.

As for reserving space in the inode security blob, please refer to this
discussion, where we reached the agreement:

https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@xxxxxxxxxxxxxx/

Thanks

Roberto

Next message: Paolo Abeni: "Re: [GIT PULL] Networking for v6.13-rc4"
Previous message: Richard Fitzgerald: "[PATCH] firmware: cs_dsp: Delete redundant assignments in cs_dsp_test_bin.c"
In reply to: Song Liu: "Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM"
Next in thread: Song Liu: "Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]