[PATCH] ima: add a knob ima= to make IMA be able to be disabled

Mimi Zohar zohar at linux.ibm.com
Tue May 27 07:17:54 PDT 2025 

On Tue, 2025-05-27 at 11:25 +0800, Pingfan Liu wrote

When responding to kernel mailing lists, please use plain text not Mime encoded.

> On Thu, May 22, 2025 at 10:52 PM Baoquan He <bhe at redhat.com> wrote:
> > On 05/22/25 at 07:08am, Mimi Zohar wrote:
> > > On Thu, 2025-05-22 at 11:24 +0800, Baoquan He wrote:
> > > > On 05/21/25 at 08:54am, Mimi Zohar wrote:
> > > > > On Fri, 2025-05-16 at 08:22 +0800, Baoquan He wrote:
> > > > > > CC kexec list.
> > > > > > 
> > > > > > On 05/16/25 at 07:39am, Baoquan He wrote:
> > > > > > > Kdump kernel doesn't need IMA functionality, and enabling IMA will
> > > > > > > cost
> > > > > > > extra memory. It would be very helpful to allow IMA to be disabled
> > > > > > > for
> > > > > > > kdump kernel.
> > > > 
> > > > Thanks a lot for careufl reviewing and great suggestions.
> > > > 
> > > > > 
> > > > > The real question is not whether kdump needs "IMA", but whether not
> > > > > enabling
> > > > > IMA in the kdump kernel could be abused.  The comments below don't
> > > > > address
> > > > > that question but limit/emphasize, as much as possible, turning IMA
> > > > > off is
> > > > > limited to the kdump kernel.
> > > > 
> > > > Are you suggesting removing below paragraph from patch log because they
> > > > are redundant? I can remove it in v2 if yes.
> > > 
> > > "The comments below" was referring to my comments on the patch, not the
> > > next
> > > paragraph.  "don't address that question" refers to whether the kdump
> > > kernel
> > > could be abused.
> > > 
> > > We're trying to close integrity gaps, not add new ones.  Verifying the
> > > UKI's
> > > signature addresses the integrity of the initramfs.  What about the
> > > integrity of
> > > the kdump initramfs (or for that matter the kexec initramfs)?  If the
> > > kdump
> > > initramfs was signed, IMA would be able to verify it before the kexec.
> 
> IMHO, from the higher level, if there is a requirement on the integrity of the
> initramfs, it should take a similar approach as UKI. And the system admin can
> choose whether to disable the unsafe format loader or not.

Yes, that is a possibility, probably a good aim, but in the case of kexec/kdump
that isn't really necessary.  As filesystem(s) support xattrs, IMA policies
could be written in terms of "func=KEXEC_INITRAMFS_CHECK" to include the
initramfs.

> 
> This other thing is how to make a handy signature on initramfs? It is neither
> PE nor ELF.

IMA supports signatures stored in the security.ima xattr or as an appended
signatures.

Mimi

More information about the kexec mailing list