[RFC PATCH] ima: add a knob to make IMA be able to be disabled

Mimi Zohar zohar at linux.ibm.com
Thu Apr 3 13:03:45 PDT 2025


On Wed, 2025-04-02 at 19:49 +0800, Baoquan He wrote:
> On 04/02/25 at 04:43pm, Coiby Xu wrote:
> > On Tue, Apr 01, 2025 at 11:30:09PM -0400, Mimi Zohar wrote:
> > > On Wed, 2025-04-02 at 09:47 +0800, RuiRui Yang wrote:
> > [...]
> > > > > > that.  Please don't make it generic like this.
> > > > > > 
> > > > > > Please refer to ima_appraise_parse_cmdline().
> > > > > 
> > > > > Hi Mimi,
> > > > > 
> > > > > To save memory for kdump, it seems init_ima has to be skipped, thus
> > > > > ima=off is necessary (ima_appraise=off won't serve the purpose). Or do
> > > > > you have any specific concerns in mind?
> > > > 
> > > > I think as Mimi said see below logic enforces the IMA even with the
> > > > cmdline disabling, see ima_appraise_parse_cmdline:
> > > > if (sb_state) {
> > > >         if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
> > > >                 pr_info("Secure boot enabled: ignoring ima_appraise=%s option",
> > > >                         str);
> > > > } else {
> > > >         ima_appraise = appraisal_state;
> > > > }
> > 
> > Thanks for pointing me to the above code! Note with the whole IMA
> > disabled as done by this patch, the above code will not run so IMA
> > (appraisal) won't be enforced.
> > 
> > > 
> > > Thanks, RuiRui.
> > > 
> > 
> > Mimi, so do I understand it correctly that you want IMA-appraisal to be
> > always enabled as long as secure boot is enabled even if users choose to
> > disable IMA? 

Secure boot is not the only reason.  Based on policy IMA-appraisal and EVM
calculate and store file hashes and HMACs in their respective security xattrs.
Normally the usage of file hashes and HMACs is limited to mutable files.
Disabling IMA-appraisal could result in not properly updating the security
xattrs, which would result in not being able to verify the file's integrity on
reboot.

On systems where the RPM includes file signatures, file signatures of immutable
files can be safely restored.  Although it is possible to walk the filesystem(s)
"fixing" the xattrs of mutable files, it defeats the purpose.  "fix" mode should
only be enabled in a trusted environment.

> > I wonder what security issue will it bring if this promise
> > gets broken considering other LSMs like SELinux can be disabled when
> > secure boot is enabled?

The builtin IMA policy rules are not defined in terms of SELinux labels.  If the
initial IMA custom policy defines rules based on SELinux labels and SELinux is
not enabled, the policy will fail to be loaded.

> > > Coiby, would disabling just IMA-measurement, as opposed to IMA-appraisal, save
> > > sufficient memory for kdump?
> > 
> > For disabling just IMA-measurement, do you mean not enabling any measure
> > rules?  The more memory reserved for the kdump kernel, the less memory
> > can be used by the 1st kernel. So from the perspective of kdump, we try
> > to make the memory footprint as small as possible.

Got it.

> > Baoquan, do you have any statistics about the memory overhead of IMA?
> 
> I am getting a system to check that. I think there are two aspects of
> IMA functionality we want to disable. One is disable the IMA-measurement
> copying from 1st kernel to 2nd kernel, this is only needed by kexec
> reboot; the other is IMA is not needed at all in kdump kernel, means we
> don't want to call ima_init() to initialize
> ima_keyring/crypto/template/digests/fs etc. 
> 
> With my shallow knowledge about IMA, I don't know how to imitate
> appraisal cmdline to disable IMA partially in kdump kernel case.

The IMA policy controls how much or how little IMA measures and appraises.  Most
of the memory usage is the IMA measurement list, itself, and the per file cache
info.  (The per file cache info limits re-measuring or re-appraising files.)

Similarly my knowledge of kdump is very limited.  Is there a way for the kernel
to differentiate between kexec and kdump?  If we need a mechanism to disable
IMA-measurement, I'd *really* prefer it be limited to kdump.

thanks,

Mimi

> 
> One example is 'cgroup_disable=memory' we have been doing to add into
> kdump cmdline because mem_cgroup is not needed at all for kdump kernel.
> We want to achieve that effect.
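An added example, not code from the kernel or from anyone in this thread: a userspace model of the decision quoted above from ima_appraise_parse_cmdline() (secure boot overrides a request weaker than enforce), placed next to the kdump-only gating Mimi asks for. The IMA_APPRAISE_* flag names follow the kernel; the function names and the is_kdump input are assumptions made for illustration.

```c
/* Model of the IMA-appraisal cmdline decision and a hypothetical kdump-only
 * "skip IMA init" knob. Not kernel code; written to show why "ima_appraise=off"
 * is ignored under secure boot and how a kdump-limited knob could be gated. */
#include <stdio.h>
#include <string.h>

#define IMA_APPRAISE_ENFORCE 0x01   /* flag values as in the kernel */
#define IMA_APPRAISE_FIX     0x02
#define IMA_APPRAISE_LOG     0x04

/* Map an ima_appraise= value to an appraisal state; -1 for unknown values. */
static int appraise_state_from_str(const char *str)
{
    if (strcmp(str, "off") == 0)     return 0;
    if (strcmp(str, "log") == 0)     return IMA_APPRAISE_LOG;
    if (strcmp(str, "fix") == 0)     return IMA_APPRAISE_FIX;
    if (strcmp(str, "enforce") == 0) return IMA_APPRAISE_ENFORCE;
    return -1;
}

/* Same shape as the quoted kernel logic: the default is enforce, and with
 * secure boot enabled anything weaker than enforce is logged and ignored.
 * Returns the resulting ima_appraise value. */
int model_ima_appraise(const char *str, int secure_boot)
{
    int ima_appraise = IMA_APPRAISE_ENFORCE;   /* kernel default */
    int state = appraise_state_from_str(str);

    if (state < 0)
        return ima_appraise;                   /* unknown value: keep default */
    if (secure_boot) {
        if (!(state & IMA_APPRAISE_ENFORCE))
            printf("Secure boot enabled: ignoring ima_appraise=%s option\n", str);
    } else {
        ima_appraise = state;
    }
    return ima_appraise;
}

/* Hypothetical kdump-only knob (an assumption, not an existing interface):
 * IMA initialisation is skipped only when the running kernel is a kdump
 * capture kernel AND "ima=off" was requested, so a normal secure-boot kernel
 * cannot be talked out of initialising IMA by the same cmdline option. */
int model_skip_ima_init(int requested_off, int is_kdump)
{
    return requested_off && is_kdump;
}
```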
