[RFC PATCH] ima: add a knob to make IMA be able to be disabled
Coiby Xu
coxu at redhat.com
Wed Apr 2 01:43:57 PDT 2025
On Tue, Apr 01, 2025 at 11:30:09PM -0400, Mimi Zohar wrote:
>On Wed, 2025-04-02 at 09:47 +0800, RuiRui Yang wrote:
[...]
>> > > that. Please don't make it generic like this.
>> > >
>> > > Please refer to ima_appraise_parse_cmdline().
>> >
>> > Hi Mimi,
>> >
>> > To save memory for kdump, it seems init_ima has been to be skipped thus
>> > ima=off is necessary (ima_appraise=off won't serve the purpose). Or do
>> > you have any specific concerns in mind?
>>
>> I think as Mimi said see below logic enforces the IMA even with the
>> cmdline disabling, see ima_appraise_parse_cmdline:
>> if (sb_state) {
>> if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
>> pr_info("Secure boot enabled: ignoring
>> ima_appraise=%s option",
>> str);
>> } else {
>> ima_appraise = appraisal_state;
>> }
Thanks for pointing me to the above code! Note with the whole IMA
disabled as done by this patch, the above code will not run so IMA
(appraisal) won't be enforced.
>
>Thanks, RuiRui.
>
Mimi, so do I understand it correctly that your want IMA-appraisal to be
always enabled as long as secure boot is enabled even if users choose to
disable IMA? I wonder what security issue will it bring if this promise
gets broken considering other LSMs can SELinux can be disabled when
secure boot is enabled?
>Coiby, would disabling just IMA-measurement, as opposed to IMA-appraisal, save
>sufficient memory for kdump?
For disabling just IMA-measurement, do you mean not enabling any measure
rules? The more memory reserved for the kdump kernel, the less memory
can be used by the 1st kernel. So from the perfective of kdump, we try
to make the memory footprint as smaller as possible.
Baoquan, do you have any statistics about the memory overhead of IMA?
--
Best regards,
Coiby
More information about the kexec
mailing list