[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM
Song Liu
songliubraving at meta.com
Thu Dec 19 17:46:52 UTC 2024
Hi Roberto,
Thanks for sharing these information!
> On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu at huaweicloud.com> wrote:
[...]
>> I didn't know about this history until today. I apologize if this
>> RFC/PATCH is moving to the direction against the original agreement.
>> I didn't mean to break any agreement.
>>
>> My motivation is actually the per inode memory consumption of IMA
>> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to
>> each inode via i_security. IMA is better on memory consumption, as
>> it only adds a pointer to i_security.
>>
>> It appears to me that a way to disable IMA and EVM at boot time can
>> be useful, especially for distro kernels. But I guess there are
>> reasons to not allow this (thus the earlier agreement). Could you
>> please share your thoughts on this?
>
> Hi Song
>
> IMA/EVM cannot be always disabled for two reasons: (1) for secure and
> trusted boot, IMA is expected to enforce architecture-specific
> policies; (2) accidentally disabling them will cause modified files to
> be rejected when IMA/EVM are turned on again.
>
> If the requirements above are met, we are fine on disabling IMA/EVM.
I probably missed something, but it appears to me IMA/EVM might be
enabled in distro kernels, but the distro by default does not
configure IMA/EVM, so they are not actually used. Did I misunderstand
something?
> As for reserving space in the inode security blob, please refer to this
> discussion, where we reached the agreement:
>
> https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/
AFAICT, the benefit of i_security storage is its ability to be
configured at boot time. If IMA/EVM cannot be disabled, it is
better to add them to struct inode within a "#ifdef CONFIG_"
block.
Thanks,
Song
More information about the Linux-security-module-archive
mailing list