[RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM
Mimi Zohar
zohar at linux.ibm.com
Thu Dec 19 18:18:17 UTC 2024
On Thu, 2024-12-19 at 17:46 +0000, Song Liu wrote:
> Hi Roberto,
>
> Thanks for sharing these information!
>
> > On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu at huaweicloud.com> wrote:
>
> [...]
>
> > > I didn't know about this history until today. I apologize if this
> > > RFC/PATCH is moving to the direction against the original agreement.
> > > I didn't mean to break any agreement.
> > >
> > > My motivation is actually the per inode memory consumption of IMA
> > > and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to
> > > each inode via i_security. IMA is better on memory consumption, as
> > > it only adds a pointer to i_security.
> > >
> > > It appears to me that a way to disable IMA and EVM at boot time can
> > > be useful, especially for distro kernels. But I guess there are
> > > reasons to not allow this (thus the earlier agreement). Could you
> > > please share your thoughts on this?
> >
> > Hi Song
> >
> > IMA/EVM cannot be always disabled for two reasons: (1) for secure and
> > trusted boot, IMA is expected to enforce architecture-specific
> > policies; (2) accidentally disabling them will cause modified files to
> > be rejected when IMA/EVM are turned on again.
> >
> > If the requirements above are met, we are fine on disabling IMA/EVM.
>
> I probably missed something, but it appears to me IMA/EVM might be
> enabled in distro kernels, but the distro by default does not
> configure IMA/EVM, so they are not actually used. Did I misunderstand
> something?
If "CONFIG_IMA_ARCH_POLICY" is configured, then the architecture specific policy
is configured and loaded on boot. For x86 and arm, the architecture specific
policy rules are defined in ima_efi.c. On power, the rules are defined in
arch/powerpc/kernel/ima_arch.c. On most systems, the currently enabled IMA
policy rules can be viewed by cat'ing <securityfs>/integrity/ima/policy.
For more information on IMA policies, refer to
https://ima-doc.readthedocs.io/en/latest/ima-policy.html#
Mimi
>
> > As for reserving space in the inode security blob, please refer to this
> > discussion, where we reached the agreement:
> >
> > https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/
>
> AFAICT, the benefit of i_security storage is its ability to be
> configured at boot time. If IMA/EVM cannot be disabled, it is
> better to add them to struct inode within a "#ifdef CONFIG_"
> block.
>
> Thanks,
> Song
>
More information about the Linux-security-module-archive
mailing list