[PATCH] ima: dynamically allocate shash_desc
zohar at linux.ibm.com
Tue Jun 18 12:44:38 UTC 2019
On Mon, 2019-06-17 at 22:08 +0200, Arnd Bergmann wrote:
> On Mon, Jun 17, 2019 at 8:08 PM Mimi Zohar <zohar at linux.ibm.com> wrote:
> > On Mon, 2019-06-17 at 11:55 -0400, Mimi Zohar wrote:
> > > On Mon, 2019-06-17 at 13:20 +0200, Arnd Bergmann wrote:
> > > > On 32-bit ARM, we get a warning about excessive stack usage when
> > > > building with clang.
> > > >
> > > > security/integrity/ima/ima_crypto.c:504:5: error: stack frame size
> > > > of 1152 bytes in function 'ima_calc_field_array_hash' [-Werror,-
> > > > Wframe-larger-than=]
> > >
> > > I'm definitely not seeing this. Is this problem a result of non
> > > upstreamed patches? For sha1, currently the only possible hash
> > > algorithm, I'm seeing 664.
> You won't see it with gcc, only with clang in some randconfig builds,
> I suppose only when KASAN is enabled.
> > Every time a measurement is added to the measurement list, the memory
> > would be allocated/freed. The frequency of new measurements is policy
> > dependent. For performance reasons, I'd prefer if the allocation
> > remains on the stack.
> Is there a way to preallocate the shash_desc instead? That would
> avoid the overhead.
There are 3 other SHASH_DESC_ON_STACK definitions in just
ima_crypto.c, with a total of ~55 other places in the kernel. Before
fixing this particular function, I'd like to know if the "excessive
stack usage" warning is limited to ima_calc_field_array_hash_tfm().
If so, what is so special about its usage of SHASH_DESC_ON_STACK?
More information about the Linux-security-module-archive