security/integrity/evm/evm.h | 6 ++++++ security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- security/integrity/evm/evm_secfs.c | 3 ++- security/integrity/ima/ima_main.c | 13 +++++++++++++ 4 files changed, 35 insertions(+), 9 deletions(-)
While reading and testing LSM code, I found IMA/EVM consume per inode storage even when they are not in use. Add options to diable them in kernel command line. The logic and syntax is mostly borrowed from an old serious [1]. [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/ Song Liu (2): ima: Add kernel parameter to disable IMA evm: Add kernel parameter to disable EVM security/integrity/evm/evm.h | 6 ++++++ security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- security/integrity/evm/evm_secfs.c | 3 ++- security/integrity/ima/ima_main.c | 13 +++++++++++++ 4 files changed, 35 insertions(+), 9 deletions(-) -- 2.43.5
On 12/17/2024 12:25 PM, Song Liu wrote: > While reading and testing LSM code, I found IMA/EVM consume per inode > storage even when they are not in use. Add options to diable them in > kernel command line. The logic and syntax is mostly borrowed from an > old serious [1]. Why not omit ima and evm from the lsm= parameter? > > [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/ > > Song Liu (2): > ima: Add kernel parameter to disable IMA > evm: Add kernel parameter to disable EVM > > security/integrity/evm/evm.h | 6 ++++++ > security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- > security/integrity/evm/evm_secfs.c | 3 ++- > security/integrity/ima/ima_main.c | 13 +++++++++++++ > 4 files changed, 35 insertions(+), 9 deletions(-) > > -- > 2.43.5 >
On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote: > On 12/17/2024 12:25 PM, Song Liu wrote: > > While reading and testing LSM code, I found IMA/EVM consume per inode > > storage even when they are not in use. Add options to diable them in > > kernel command line. The logic and syntax is mostly borrowed from an > > old serious [1]. > > Why not omit ima and evm from the lsm= parameter? Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the conditions for making IMA and EVM LSMs. Up to that point, only when an inode was in policy did it consume any memory (rbtree). I'm pretty sure you remember the rather heated discussion(s). Mimi > > > > > [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/ > > > > Song Liu (2): > > ima: Add kernel parameter to disable IMA > > evm: Add kernel parameter to disable EVM > > > > security/integrity/evm/evm.h | 6 ++++++ > > security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- > > security/integrity/evm/evm_secfs.c | 3 ++- > > security/integrity/ima/ima_main.c | 13 +++++++++++++ > > 4 files changed, 35 insertions(+), 9 deletions(-) > > > > -- > > 2.43.5 > > >
Hi Mimi, Thanks for your comments! > On Dec 18, 2024, at 3:02 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote: >> On 12/17/2024 12:25 PM, Song Liu wrote: >>> While reading and testing LSM code, I found IMA/EVM consume per inode >>> storage even when they are not in use. Add options to diable them in >>> kernel command line. The logic and syntax is mostly borrowed from an >>> old serious [1]. >> >> Why not omit ima and evm from the lsm= parameter? > > Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the > conditions for making IMA and EVM LSMs. Up to that point, only when an inode > was in policy did it consume any memory (rbtree). I'm pretty sure you remember > the rather heated discussion(s). I didn't know about this history until today. I apologize if this RFC/PATCH is moving to the direction against the original agreement. I didn't mean to break any agreement. My motivation is actually the per inode memory consumption of IMA and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to each inode via i_security. IMA is better on memory consumption, as it only adds a pointer to i_security. It appears to me that a way to disable IMA and EVM at boot time can be useful, especially for distro kernels. But I guess there are reasons to not allow this (thus the earlier agreement). Could you please share your thoughts on this? Thanks, Song
On Wed, 2024-12-18 at 17:07 +0000, Song Liu wrote: > Hi Mimi, > > Thanks for your comments! > > > On Dec 18, 2024, at 3:02 AM, Mimi Zohar <zohar@linux.ibm.com> wrote: > > > > On Tue, 2024-12-17 at 13:29 -0800, Casey Schaufler wrote: > > > On 12/17/2024 12:25 PM, Song Liu wrote: > > > > While reading and testing LSM code, I found IMA/EVM consume per inode > > > > storage even when they are not in use. Add options to diable them in > > > > kernel command line. The logic and syntax is mostly borrowed from an > > > > old serious [1]. > > > > > > Why not omit ima and evm from the lsm= parameter? > > > > Casey, Paul, always enabling IMA & EVM as the last LSMs, if configured, were the > > conditions for making IMA and EVM LSMs. Up to that point, only when an inode > > was in policy did it consume any memory (rbtree). I'm pretty sure you remember > > the rather heated discussion(s). > > I didn't know about this history until today. I apologize if this > RFC/PATCH is moving to the direction against the original agreement. > I didn't mean to break any agreement. > > My motivation is actually the per inode memory consumption of IMA > and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to > each inode via i_security. IMA is better on memory consumption, as > it only adds a pointer to i_security. > > It appears to me that a way to disable IMA and EVM at boot time can > be useful, especially for distro kernels. But I guess there are > reasons to not allow this (thus the earlier agreement). Could you > please share your thoughts on this? Hi Song IMA/EVM cannot be always disabled for two reasons: (1) for secure and trusted boot, IMA is expected to enforce architecture-specific policies; (2) accidentally disabling them will cause modified files to be rejected when IMA/EVM are turned on again. If the requirements above are met, we are fine on disabling IMA/EVM. As for reserving space in the inode security blob, please refer to this discussion, where we reached the agreement: https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/ Thanks Roberto
Hi Roberto, Thanks for sharing these information! > On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: [...] >> I didn't know about this history until today. I apologize if this >> RFC/PATCH is moving to the direction against the original agreement. >> I didn't mean to break any agreement. >> >> My motivation is actually the per inode memory consumption of IMA >> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to >> each inode via i_security. IMA is better on memory consumption, as >> it only adds a pointer to i_security. >> >> It appears to me that a way to disable IMA and EVM at boot time can >> be useful, especially for distro kernels. But I guess there are >> reasons to not allow this (thus the earlier agreement). Could you >> please share your thoughts on this? > > Hi Song > > IMA/EVM cannot be always disabled for two reasons: (1) for secure and > trusted boot, IMA is expected to enforce architecture-specific > policies; (2) accidentally disabling them will cause modified files to > be rejected when IMA/EVM are turned on again. > > If the requirements above are met, we are fine on disabling IMA/EVM. I probably missed something, but it appears to me IMA/EVM might be enabled in distro kernels, but the distro by default does not configure IMA/EVM, so they are not actually used. Did I misunderstand something? > As for reserving space in the inode security blob, please refer to this > discussion, where we reached the agreement: > > https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/ AFAICT, the benefit of i_security storage is its ability to be configured at boot time. If IMA/EVM cannot be disabled, it is better to add them to struct inode within a "#ifdef CONFIG_" block. Thanks, Song
On Thu, 2024-12-19 at 17:46 +0000, Song Liu wrote: > Hi Roberto, > > Thanks for sharing these information! > > > On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu@huaweicloud.com> wrote: > > [...] > > > > I didn't know about this history until today. I apologize if this > > > RFC/PATCH is moving to the direction against the original agreement. > > > I didn't mean to break any agreement. > > > > > > My motivation is actually the per inode memory consumption of IMA > > > and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to > > > each inode via i_security. IMA is better on memory consumption, as > > > it only adds a pointer to i_security. > > > > > > It appears to me that a way to disable IMA and EVM at boot time can > > > be useful, especially for distro kernels. But I guess there are > > > reasons to not allow this (thus the earlier agreement). Could you > > > please share your thoughts on this? > > > > Hi Song > > > > IMA/EVM cannot be always disabled for two reasons: (1) for secure and > > trusted boot, IMA is expected to enforce architecture-specific > > policies; (2) accidentally disabling them will cause modified files to > > be rejected when IMA/EVM are turned on again. > > > > If the requirements above are met, we are fine on disabling IMA/EVM. > > I probably missed something, but it appears to me IMA/EVM might be > enabled in distro kernels, but the distro by default does not > configure IMA/EVM, so they are not actually used. Did I misunderstand > something? If "CONFIG_IMA_ARCH_POLICY" is configured, then the architecture specific policy is configured and loaded on boot. For x86 and arm, the architecture specific policy rules are defined in ima_efi.c. On power, the rules are defined in arch/powerpc/kernel/ima_arch.c. On most systems, the currently enabled IMA policy rules can be viewed by cat'ing <securityfs>/integrity/ima/policy. For more information on IMA policies, refer to https://ima-doc.readthedocs.io/en/latest/ima-policy.html# Mimi > > > As for reserving space in the inode security blob, please refer to this > > discussion, where we reached the agreement: > > > > https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@mail.gmail.com/ > > AFAICT, the benefit of i_security storage is its ability to be > configured at boot time. If IMA/EVM cannot be disabled, it is > better to add them to struct inode within a "#ifdef CONFIG_" > block. > > Thanks, > Song >
> On Dec 17, 2024, at 1:29 PM, Casey Schaufler <casey@schaufler-ca.com> wrote: > > On 12/17/2024 12:25 PM, Song Liu wrote: >> While reading and testing LSM code, I found IMA/EVM consume per inode >> storage even when they are not in use. Add options to diable them in >> kernel command line. The logic and syntax is mostly borrowed from an >> old serious [1]. > > Why not omit ima and evm from the lsm= parameter? Both ima and evm have LSM_ORDER_LAST, so they are not controlled by lsm= parameter. But we can probably change this behavior in ordered_lsm_parse(), so that ima and evm are controlled by lsm=. Thanks, Song > >> >> [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/ >> >> Song Liu (2): >> ima: Add kernel parameter to disable IMA >> evm: Add kernel parameter to disable EVM >> >> security/integrity/evm/evm.h | 6 ++++++ >> security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- >> security/integrity/evm/evm_secfs.c | 3 ++- >> security/integrity/ima/ima_main.c | 13 +++++++++++++ >> 4 files changed, 35 insertions(+), 9 deletions(-) >> >> -- >> 2.43.5 >>
On Tue, Dec 17, 2024 at 4:29 PM Casey Schaufler <casey@schaufler-ca.com> wrote: > On 12/17/2024 12:25 PM, Song Liu wrote: > > While reading and testing LSM code, I found IMA/EVM consume per inode > > storage even when they are not in use. Add options to diable them in > > kernel command line. The logic and syntax is mostly borrowed from an > > old serious [1]. > > Why not omit ima and evm from the lsm= parameter? Exactly. Here is a link to the kernel documentation if anyone is interested (search for "lsm"): https://docs.kernel.org/admin-guide/kernel-parameters.html It is worth mentioning that this works for all the LSMs. > > [1] https://lore.kernel.org/lkml/cover.1398259638.git.d.kasatkin@samsung.com/ > > > > Song Liu (2): > > ima: Add kernel parameter to disable IMA > > evm: Add kernel parameter to disable EVM > > > > security/integrity/evm/evm.h | 6 ++++++ > > security/integrity/evm/evm_main.c | 22 ++++++++++++++-------- > > security/integrity/evm/evm_secfs.c | 3 ++- > > security/integrity/ima/ima_main.c | 13 +++++++++++++ > > 4 files changed, 35 insertions(+), 9 deletions(-) > > > > -- > > 2.43.5 -- paul-moore.com
© 2016 - 2025 Red Hat, Inc.