From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 01/12] ima: Remove ima_h_table structure
Date: Fri, 5 Jun 2026 19:22:25 +0200
Message-ID: <20260605172236.2042045-2-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Roberto Sassu

The ima_h_table structure is a collection of IMA measurement list metadata - number of records in the IMA measurement list, number of integrity violations, and a hash table containing the IMA template data hash, needed to prevent measurement list record duplication.

Removing records from the measurement list needs to be reflected in the hash table. As a pre-req to removing records from the measurement list, separate those counters from the hash table, remove the ima_h_table structure, and just replace the hash table pointer.

Finally, rename ima_show_htable_value(), ima_show_htable_violations() and ima_htable_violations_ops respectively to ima_show_counter(), ima_show_num_violations() and ima_num_violations_ops.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
--- security/integrity/ima/ima.h | 11 +++++------ security/integrity/ima/ima_api.c | 2 +- security/integrity/ima/ima_fs.c | 20 +++++++++----------- security/integrity/ima/ima_kexec.c | 2 +- security/integrity/ima/ima_queue.c | 15 ++++++++------- 5 files changed, 24 insertions(+), 26 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 69e9bf0b82c6..b3ad7eac6a1e 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h 
@@ -324,12 +324,11 @@ int ima_lsm_policy_change(struct notifier_block *nb, = unsigned long event, */ extern spinlock_t ima_queue_lock; =20 -struct ima_h_table { - atomic_long_t len; /* number of stored measurements in the list */ - atomic_long_t violations; - struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE]; -}; -extern struct ima_h_table ima_htable; +/* Total number of measurement list records since hard boot. */ +extern atomic_long_t ima_num_records; +/* Total number of violations since hard boot. */ +extern atomic_long_t ima_num_violations; +extern struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE]; =20 static inline unsigned int ima_hash_key(u8 *digest) { diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_= api.c index 0916f24f005f..122d127e108d 100644 --- a/security/integrity/ima/ima_api.c +++ b/security/integrity/ima/ima_api.c @@ -146,7 +146,7 @@ void ima_add_violation(struct file *file, const unsigne= d char *filename, int result; =20 /* can overflow, only indicator */ - atomic_long_inc(&ima_htable.violations); + atomic_long_inc(&ima_num_violations); =20 result =3D ima_alloc_init_template(&event_data, &entry, NULL); if (result < 0) { diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index ca4931a95098..523d3e81f631 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -38,8 +38,8 @@ __setup("ima_canonical_fmt", default_canonical_fmt_setup); =20 static int valid_policy =3D 1; =20 -static ssize_t ima_show_htable_value(char __user *buf, size_t count, - loff_t *ppos, atomic_long_t *val) +static ssize_t ima_show_counter(char __user *buf, size_t count, loff_t *pp= os, + atomic_long_t *val) { char tmpbuf[32]; /* greater than largest 'long' string value */ ssize_t len; 
@@ -48,15 +48,14 @@ static ssize_t ima_show_htable_value(char __user *buf, = size_t count, return simple_read_from_buffer(buf, count, ppos, tmpbuf, len); } =20 -static ssize_t ima_show_htable_violations(struct file *filp, - char __user *buf, - size_t count, loff_t *ppos) +static ssize_t ima_show_num_violations(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) { - return ima_show_htable_value(buf, count, ppos, &ima_htable.violations); + return ima_show_counter(buf, count, ppos, &ima_num_violations); } =20 -static const struct file_operations ima_htable_violations_ops =3D { - .read =3D ima_show_htable_violations, +static const struct file_operations ima_num_violations_ops =3D { + .read =3D ima_show_num_violations, .llseek =3D generic_file_llseek, }; =20 @@ -64,8 +63,7 @@ static ssize_t ima_show_measurements_count(struct file *f= ilp, char __user *buf, size_t count, loff_t *ppos) { - return ima_show_htable_value(buf, count, ppos, &ima_htable.len); - + return ima_show_counter(buf, count, ppos, &ima_num_records); } =20 static const struct file_operations ima_measurements_count_ops =3D { @@ -545,7 +543,7 @@ int __init ima_fs_init(void) } =20 dentry =3D securityfs_create_file("violations", S_IRUSR | S_IRGRP, - ima_dir, NULL, &ima_htable_violations_ops); + ima_dir, NULL, &ima_num_violations_ops); if (IS_ERR(dentry)) { ret =3D PTR_ERR(dentry); goto out; diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/im= a_kexec.c index 36a34c54de58..77ad370dbc37 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -43,7 +43,7 @@ void ima_measure_kexec_event(const char *event_name) int n; =20 buf_size =3D ima_get_binary_runtime_size(); - len =3D atomic_long_read(&ima_htable.len); + len =3D atomic_long_read(&ima_num_records); =20 n =3D scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, "kexec_segment_size=3D%lu;ima_binary_runtime_size=3D%lu;" 
diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index 319522450854..6bdaefc790c3 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -32,11 +32,12 @@ static unsigned long binary_runtime_size; static unsigned long binary_runtime_size =3D ULONG_MAX; #endif =20 +atomic_long_t ima_num_records =3D ATOMIC_LONG_INIT(0); +atomic_long_t ima_num_violations =3D ATOMIC_LONG_INIT(0); + /* key: inode (before secure-hashing a file) */ -struct ima_h_table ima_htable =3D { - .len =3D ATOMIC_LONG_INIT(0), - .violations =3D ATOMIC_LONG_INIT(0), - .queue[0 ... IMA_MEASURE_HTABLE_SIZE - 1] =3D HLIST_HEAD_INIT +struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE] =3D { + [0 ... IMA_MEASURE_HTABLE_SIZE - 1] =3D HLIST_HEAD_INIT }; =20 /* mutex protects atomicity of extending measurement list @@ -61,7 +62,7 @@ static struct ima_queue_entry *ima_lookup_digest_entry(u8= *digest_value, =20 key =3D ima_hash_key(digest_value); rcu_read_lock(); - hlist_for_each_entry_rcu(qe, &ima_htable.queue[key], hnext) { + hlist_for_each_entry_rcu(qe, &ima_htable[key], hnext) { rc =3D memcmp(qe->entry->digests[ima_hash_algo_idx].digest, digest_value, hash_digest_size[ima_hash_algo]); if ((rc =3D=3D 0) && (qe->entry->pcr =3D=3D pcr)) { 
@@ -113,10 +114,10 @@ static int ima_add_digest_entry(struct ima_template_e= ntry *entry, INIT_LIST_HEAD(&qe->later); list_add_tail_rcu(&qe->later, &ima_measurements); =20 - atomic_long_inc(&ima_htable.len); + atomic_long_inc(&ima_num_records); if (update_htable) { key =3D ima_hash_key(entry->digests[ima_hash_algo_idx].digest); - hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]); + hlist_add_head_rcu(&qe->hnext, &ima_htable[key]); } =20 if (binary_runtime_size !=3D ULONG_MAX) { --=20 2.43.0
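Review bot: In the ima_queue.c hunk that redefines ima_htable, the retained comment `/* key: inode (before secure-hashing a file) */` does not match how the table is keyed: ima_lookup_digest_entry() and ima_add_digest_entry() both index it with ima_hash_key() of the template digest, and the commit message describes the table as holding the IMA template data hash. Since this hunk already rewrites the definition, please update the comment to say the key is derived from the template digest. In the ima.h hunk, the two counters each get a one-line description but the `extern struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE];` declaration gets none; a short comment noting that readers walk the buckets under rcu_read_lock() would help now that the counters and the table are separate objects.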
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 02/12] ima: Replace static htable queue with dynamically allocated array
Date: Fri, 5 Jun 2026 19:22:26 +0200
Message-ID: <20260605172236.2042045-3-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Roberto Sassu

The IMA hash table is a fixed-size array of hlist_head buckets:

    struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE];

IMA_MEASURE_HTABLE_SIZE is (1 << IMA_HASH_BITS) = 1024 buckets, each a struct hlist_head (one pointer, 8 bytes on 64-bit). That is 8 KiB allocated in BSS for every kernel, regardless of whether IMA is ever used, and regardless of how many measurements are actually made.

Replace the fixed-size array with an RCU-protected pointer to a dynamically allocated array that is initialized in ima_init_htable(), which is called from ima_init() during early boot.

ima_init_htable() calls the static function ima_alloc_replace_htable() which, other than initializing the hash table the first time, can also hot-swap the existing hash table with a blank one.

The allocation in ima_alloc_replace_htable() uses kcalloc() so the buckets are zero-initialised (equivalent to HLIST_HEAD_INIT { .first = NULL }). Callers of ima_alloc_replace_htable() must call synchronize_rcu() and free the returned hash table.

Finally, access the hash table with rcu_dereference() in ima_lookup_digest_entry() (reader side) and with rcu_dereference_protected() in ima_add_digest_entry() (writer side).

No functional change: bucket count, hash function, and all locking remain identical.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
--- security/integrity/ima/ima.h | 3 +- security/integrity/ima/ima_init.c | 5 ++++ security/integrity/ima/ima_queue.c | 48 ++++++++++++++++++++++++++---- 3 files changed, 50 insertions(+), 6 deletions(-) 
diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index b3ad7eac6a1e..0e41c2113efd 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -311,6 +311,7 @@ bool ima_template_has_modsig(const struct ima_template_= desc *ima_template); int ima_restore_measurement_entry(struct ima_template_entry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); int ima_measurements_show(struct seq_file *m, void *v); +int __init ima_init_htable(void); unsigned long ima_get_binary_runtime_size(void); int ima_init_template(void); void ima_init_template_list(void); @@ -328,7 +329,7 @@ extern spinlock_t ima_queue_lock; extern atomic_long_t ima_num_records; /* Total number of violations since hard boot. */ extern atomic_long_t ima_num_violations; -extern struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE]; +extern struct hlist_head __rcu *ima_htable; =20 static inline unsigned int ima_hash_key(u8 *digest) { diff --git a/security/integrity/ima/ima_init.c b/security/integrity/ima/ima= _init.c index a2f34f2d8ad7..7e0aa09a12e6 100644 --- a/security/integrity/ima/ima_init.c +++ b/security/integrity/ima/ima_init.c @@ -140,6 +140,11 @@ int __init ima_init(void) rc =3D ima_init_digests(); if (rc !=3D 0) return rc; + + rc =3D ima_init_htable(); + if (rc !=3D 0) + return rc; + rc =3D ima_add_boot_aggregate(); /* boot aggregate must be first entry */ if (rc !=3D 0) return rc; diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index 6bdaefc790c3..a31b75d9302b 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c 
@@ -36,9 +36,7 @@ atomic_long_t ima_num_records =3D ATOMIC_LONG_INIT(0); atomic_long_t ima_num_violations =3D ATOMIC_LONG_INIT(0); =20 /* key: inode (before secure-hashing a file) */ -struct hlist_head ima_htable[IMA_MEASURE_HTABLE_SIZE] =3D { - [0 ... IMA_MEASURE_HTABLE_SIZE - 1] =3D HLIST_HEAD_INIT -}; +struct hlist_head __rcu *ima_htable; =20 /* mutex protects atomicity of extending measurement list * and extending the TPM PCR aggregate. Since tpm_extend can take 
@@ -52,17 +50,53 @@ static DEFINE_MUTEX(ima_extend_list_mutex); */ static bool ima_measurements_suspended; =20 +/* Callers must call synchronize_rcu() and free the hash table. */ +static struct hlist_head *ima_alloc_replace_htable(void) +{ + struct hlist_head *old_htable, *new_htable; + + /* Initializing to zeros is equivalent to call HLIST_HEAD_INIT. */ + new_htable =3D kcalloc(IMA_MEASURE_HTABLE_SIZE, sizeof(struct hlist_head), + GFP_KERNEL); + if (!new_htable) + return ERR_PTR(-ENOMEM); + + old_htable =3D rcu_replace_pointer(ima_htable, new_htable, + lockdep_is_held(&ima_extend_list_mutex)); + + return old_htable; +} + +int __init ima_init_htable(void) +{ + struct hlist_head *old_htable; + + mutex_lock(&ima_extend_list_mutex); + old_htable =3D ima_alloc_replace_htable(); + mutex_unlock(&ima_extend_list_mutex); + + if (IS_ERR(old_htable)) + return PTR_ERR(old_htable); + + /* Synchronize_rcu() and kfree() not necessary, only for robustness. */ + synchronize_rcu(); + kfree(old_htable); + return 0; +} + /* lookup up the digest value in the hash table, and return the entry */ static struct ima_queue_entry *ima_lookup_digest_entry(u8 *digest_value, int pcr) { struct ima_queue_entry *qe, *ret =3D NULL; + struct hlist_head *htable; unsigned int key; int rc; =20 key =3D ima_hash_key(digest_value); rcu_read_lock(); - hlist_for_each_entry_rcu(qe, &ima_htable[key], hnext) { + htable =3D rcu_dereference(ima_htable); + hlist_for_each_entry_rcu(qe, &htable[key], hnext) { rc =3D memcmp(qe->entry->digests[ima_hash_algo_idx].digest, digest_value, hash_digest_size[ima_hash_algo]); if ((rc =3D=3D 0) && (qe->entry->pcr =3D=3D pcr)) { @@ -102,6 +136,7 @@ static int ima_add_digest_entry(struct ima_template_ent= ry *entry, bool update_htable) { struct ima_queue_entry *qe; + struct hlist_head *htable; unsigned int key; =20 qe =3D kmalloc_obj(*qe); 
@@ -114,10 +149,13 @@ static int ima_add_digest_entry(struct ima_template_e= ntry *entry, INIT_LIST_HEAD(&qe->later); list_add_tail_rcu(&qe->later, &ima_measurements); =20 + htable =3D rcu_dereference_protected(ima_htable, + lockdep_is_held(&ima_extend_list_mutex)); + atomic_long_inc(&ima_num_records); if (update_htable) { key =3D ima_hash_key(entry->digests[ima_hash_algo_idx].digest); - hlist_add_head_rcu(&qe->hnext, &ima_htable[key]); + hlist_add_head_rcu(&qe->hnext, &htable[key]); } =20 if (binary_runtime_size !=3D ULONG_MAX) { --=20 2.43.0
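Review bot: ima_htable changes from a static array that is always valid to a pointer that is NULL until ima_init_htable() has run, and neither ima_lookup_digest_entry() nor ima_add_digest_entry() checks the dereferenced pointer before indexing `htable[key]`. The ima_init() hunk places the call after ima_init_digests(), so any path that reaches a lookup or an `update_htable` insert earlier in ima_init(), or after ima_init_htable() has returned -ENOMEM, would index a NULL table. Please either add a comment next to the call in ima_init() stating why no such path exists, or make both functions tolerate a NULL table. Given this new ordering dependency, the "No functional change" statement in the commit message needs a qualifier.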
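Review bot: In ima_alloc_replace_htable() in the ima_queue.c hunk, the comment lists what callers must do afterwards but not what they must hold on entry: rcu_replace_pointer() is passed `lockdep_is_held(&ima_extend_list_mutex)`, so the helper is only correct with that mutex held. A `lockdep_assert_held(&ima_extend_list_mutex);` at the top would document and enforce this. The kcalloc() with GFP_KERNEL also runs inside the mutex, as ima_init_htable() shows; since the commit message says the helper is meant to hot-swap a live table, consider allocating before taking the lock so that measurement insertion does not wait behind a sleeping allocation. In ima_init_htable(), the synchronize_rcu() that the comment calls unnecessary could be skipped when old_htable is NULL instead of being paid on every boot.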
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 03/12] ima: Introduce per binary measurements list type ima_num_records counter
Date: Fri, 5 Jun 2026 19:22:27 +0200
Message-ID: <20260605172236.2042045-4-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Roberto Sassu

Make ima_num_records an array, to have separate counters per binary measurements list type. Currently, define the BINARY type for the existing binary measurements list.

No functional change: the BINARY type is equivalent to the value without the array.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
--- security/integrity/ima/ima.h | 9 ++++++++- security/integrity/ima/ima_fs.c | 2 +- security/integrity/ima/ima_kexec.c | 2 +- security/integrity/ima/ima_queue.c | 6 ++++-- 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 0e41c2113efd..8f457f2c7b79 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -28,6 +28,13 @@ enum ima_show_type { IMA_SHOW_BINARY, IMA_SHOW_BINARY_NO= _FIELD_LEN, IMA_SHOW_BINARY_OLD_STRING_FMT, IMA_SHOW_ASCII }; enum tpm_pcrs { TPM_PCR0 =3D 0, TPM_PCR8 =3D 8, TPM_PCR10 =3D 10 }; =20 +/* + * BINARY: current binary measurements list + */ +enum binary_lists { + BINARY, BINARY__LAST +}; + /* digest size for IMA, fits SHA1 or MD5 */ #define IMA_DIGEST_SIZE SHA1_DIGEST_SIZE #define IMA_EVENT_NAME_LEN_MAX 255 @@ -326,7 +333,7 @@ int ima_lsm_policy_change(struct notifier_block *nb, un= signed long event, extern spinlock_t ima_queue_lock; =20 /* Total number of measurement list records since hard boot. */ -extern atomic_long_t ima_num_records; +extern atomic_long_t ima_num_records[BINARY__LAST]; /* Total number of violations since hard boot. */ extern atomic_long_t ima_num_violations; extern struct hlist_head __rcu *ima_htable; 
diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index 523d3e81f631..fcfcf7b6eae2 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -63,7 +63,7 @@ static ssize_t ima_show_measurements_count(struct file *f= ilp, char __user *buf, size_t count, loff_t *ppos) { - return ima_show_counter(buf, count, ppos, &ima_num_records); + return ima_show_counter(buf, count, ppos, &ima_num_records[BINARY]); } =20 static const struct file_operations ima_measurements_count_ops =3D { diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/im= a_kexec.c index 77ad370dbc37..1a0211a12ea4 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -43,7 +43,7 @@ void ima_measure_kexec_event(const char *event_name) int n; =20 buf_size =3D ima_get_binary_runtime_size(); - len =3D atomic_long_read(&ima_num_records); + len =3D atomic_long_read(&ima_num_records[BINARY]); =20 n =3D scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, "kexec_segment_size=3D%lu;ima_binary_runtime_size=3D%lu;" diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index a31b75d9302b..012e725ed4fc 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -32,7 +32,9 @@ static unsigned long binary_runtime_size; static unsigned long binary_runtime_size =3D ULONG_MAX; #endif =20 -atomic_long_t ima_num_records =3D ATOMIC_LONG_INIT(0); +atomic_long_t ima_num_records[BINARY__LAST] =3D { + [0 ... BINARY__LAST - 1] =3D ATOMIC_LONG_INIT(0) +}; atomic_long_t ima_num_violations =3D ATOMIC_LONG_INIT(0); =20 /* key: inode (before secure-hashing a file) */ 
@@ -152,7 +154,7 @@ static int ima_add_digest_entry(struct ima_template_ent= ry *entry, htable =3D rcu_dereference_protected(ima_htable, lockdep_is_held(&ima_extend_list_mutex)); =20 - atomic_long_inc(&ima_num_records); + atomic_long_inc(&ima_num_records[BINARY]); if (update_htable) { key =3D ima_hash_key(entry->digests[ima_hash_algo_idx].digest); hlist_add_head_rcu(&qe->hnext, &htable[key]); --=20 2.43.0
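Review bot: The new enum in the first ima.h hunk introduces the bare identifiers `BINARY` and `BINARY__LAST` in a shared IMA header. Unlike the neighbouring `IMA_SHOW_*` and `TPM_PCR*` enumerators they carry no prefix, which makes them prone to name collisions and hard to read at call sites such as `ima_num_records[BINARY]`. An IMA_-prefixed pair would match the surrounding style. In the second ima.h hunk, the comment above `ima_num_records` still describes a single total; now that the declaration is an array it should say the count is kept per binary measurements list type.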
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 04/12] ima: Introduce per binary measurements list type binary_runtime_size value
Date: Fri, 5 Jun 2026 19:22:28 +0200
Message-ID: <20260605172236.2042045-5-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Roberto Sassu

Make binary_runtime_size an array, to have separate counters per binary measurements list type. Currently, define the BINARY type for the existing binary measurements list.

Introduce ima_update_binary_runtime_size() to facilitate updating a binary_runtime_size value with a given binary measurement list type.

Also add the binary measurements list type parameter to ima_get_binary_runtime_size(), to retrieve the desired value. Retrieving the value is now done under the ima_extend_list_mutex, since there can be concurrent updates.

No functional change (except for the mutex usage, that fixes the concurrency issue): the BINARY array element is equivalent to the old binary_runtime_size.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
--- security/integrity/ima/ima.h | 2 +- security/integrity/ima/ima_kexec.c | 5 ++-- security/integrity/ima/ima_queue.c | 40 +++++++++++++++++++++--------- 3 files changed, 32 insertions(+), 15 deletions(-) diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 8f457f2c7b79..c00c133a140f 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -319,7 +319,7 @@ int ima_restore_measurement_entry(struct ima_template_e= ntry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); int ima_measurements_show(struct seq_file *m, void *v); int __init ima_init_htable(void); -unsigned long ima_get_binary_runtime_size(void); +unsigned long ima_get_binary_runtime_size(enum binary_lists binary_list); int ima_init_template(void); void ima_init_template_list(void); int __init ima_init_digests(void); 
diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/im= a_kexec.c index 1a0211a12ea4..8dc9459622b3 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -42,7 +42,7 @@ void ima_measure_kexec_event(const char *event_name) long len; int n; =20 - buf_size =3D ima_get_binary_runtime_size(); + buf_size =3D ima_get_binary_runtime_size(BINARY); len =3D atomic_long_read(&ima_num_records[BINARY]); =20 n =3D scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, @@ -159,7 +159,8 @@ void ima_add_kexec_buffer(struct kimage *image) else extra_memory =3D CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024; =20 - binary_runtime_size =3D ima_get_binary_runtime_size() + extra_memory; + binary_runtime_size =3D ima_get_binary_runtime_size(BINARY) + + extra_memory; =20 if (binary_runtime_size >=3D ULONG_MAX - PAGE_SIZE) kexec_segment_size =3D ULONG_MAX; diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index 012e725ed4fc..618694d5c082 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -27,9 +27,11 @@ static struct tpm_digest *digests; =20 LIST_HEAD(ima_measurements); /* list of all measurements */ #ifdef CONFIG_IMA_KEXEC -static unsigned long binary_runtime_size; +static unsigned long binary_runtime_size[BINARY__LAST]; #else -static unsigned long binary_runtime_size =3D ULONG_MAX; +static unsigned long binary_runtime_size[BINARY__LAST] =3D { + [0 ... BINARY__LAST - 1] =3D ULONG_MAX +}; #endif =20 atomic_long_t ima_num_records[BINARY__LAST] =3D { 
@@ -128,6 +130,20 @@ static int get_binary_runtime_size(struct ima_template= _entry *entry) return size; } =20 +static void ima_update_binary_runtime_size(struct ima_template_entry *entr= y, + enum binary_lists binary_list) +{ + int size; + + if (binary_runtime_size[binary_list] =3D=3D ULONG_MAX) + return; + + size =3D get_binary_runtime_size(entry); + binary_runtime_size[binary_list] =3D + (binary_runtime_size[binary_list] < ULONG_MAX - size) ? + binary_runtime_size[binary_list] + size : ULONG_MAX; +} + /* ima_add_template_entry helper function: * - Add template entry to the measurement list and hash table, for * all entries except those carried across kexec. @@ -160,13 +176,7 @@ static int ima_add_digest_entry(struct ima_template_en= try *entry, hlist_add_head_rcu(&qe->hnext, &htable[key]); } =20 - if (binary_runtime_size !=3D ULONG_MAX) { - int size; - - size =3D get_binary_runtime_size(entry); - binary_runtime_size =3D (binary_runtime_size < ULONG_MAX - size) ? - binary_runtime_size + size : ULONG_MAX; - } + ima_update_binary_runtime_size(entry, BINARY); return 0; } =20 
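Review bot: ima_update_binary_runtime_size() reads and writes binary_runtime_size[binary_list] without taking ima_extend_list_mutex itself, while the getter changed later in this patch takes that mutex because of concurrent updates, so the helper's locking requirement is only implicit. Add lockdep_assert_held(&ima_extend_list_mutex) at the top, or a comment naming the lock the caller must hold. binary_list also indexes the array directly, so a WARN_ON_ONCE(binary_list >= BINARY__LAST) guard would protect future list types. The moved arithmetic still mixes int size with unsigned long in ULONG_MAX - size; an unsigned type for size would make the saturation check independent of sign conversion.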
@@ -175,12 +185,18 @@ static int ima_add_digest_entry(struct ima_template_e= ntry *entry, * entire binary_runtime_measurement list, including the ima_kexec_hdr * structure. */ -unsigned long ima_get_binary_runtime_size(void) +unsigned long ima_get_binary_runtime_size(enum binary_lists binary_list) { - if (binary_runtime_size >=3D (ULONG_MAX - sizeof(struct ima_kexec_hdr))) + unsigned long val; + + mutex_lock(&ima_extend_list_mutex); + val =3D binary_runtime_size[binary_list]; + mutex_unlock(&ima_extend_list_mutex); + + if (val >=3D (ULONG_MAX - sizeof(struct ima_kexec_hdr))) return ULONG_MAX; else - return binary_runtime_size + sizeof(struct ima_kexec_hdr); + return val + sizeof(struct ima_kexec_hdr); } =20 static int ima_pcr_extend(struct tpm_digest *digests_arg, int pcr) --=20 2.43.0
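Review bot: In ima_get_binary_runtime_size() (last hunk of patch 04/12), the new mutex_lock(&ima_extend_list_mutex) means the function can now sleep, but the comment above it still describes only the returned size. Document the binary_list parameter and the process-context requirement, and confirm that both callers changed in ima_kexec.c are never reached from atomic context. The commit message also folds this locking fix into an otherwise "no functional change" refactor; splitting it out, or stating which concurrent path was racing, would make the fix easier to review and backport.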
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 05/12] ima: Introduce _ima_measurements_start() and _ima_measurements_next()
Date: Fri, 5 Jun 2026 19:22:29 +0200
Message-ID: <20260605172236.2042045-6-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Roberto Sassu

Introduce _ima_measurements_start() and _ima_measurements_next(), renamed from ima_measurements_start() and ima_measurements_next(), to include the list head as an additional parameter, so that iteration on different lists can be implemented by calling those functions.

No functional change: ima_measurements_start() and ima_measurements_next() pass the ima_measurements list head, used before. They become wrappers for the new functions.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
---
 security/integrity/ima/ima_fs.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index fcfcf7b6eae2..dcdc4cb8fa0f 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -72,14 +72,15 @@ static const struct file_operations ima_measurements_co= unt_ops =3D { }; =20 /* returns pointer to hlist_node */ -static void *ima_measurements_start(struct seq_file *m, loff_t *pos) +static void *_ima_measurements_start(struct seq_file *m, loff_t *pos, + struct list_head *head) { loff_t l =3D *pos; struct ima_queue_entry *qe; =20 /* we need a lock since pos could point beyond last element */ rcu_read_lock(); - list_for_each_entry_rcu(qe, &ima_measurements, later) { + list_for_each_entry_rcu(qe, head, later) { if (!l--) { rcu_read_unlock(); return qe; 
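Review bot: The context comment "/* returns pointer to hlist_node */" above _ima_measurements_start() is stale, since the function walks a list_head and returns a struct ima_queue_entry pointer. With the signature being touched anyway, fix the comment and describe the new head parameter. The single leading underscore is also the less common spelling for kernel internal helpers; a double underscore prefix would match the usual convention.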
@@ -89,7 +90,13 @@ static void *ima_measurements_start(struct seq_file *m, = loff_t *pos) return NULL; } =20 -static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *po= s) +static void *ima_measurements_start(struct seq_file *m, loff_t *pos) +{ + return _ima_measurements_start(m, pos, &ima_measurements); +} + +static void *_ima_measurements_next(struct seq_file *m, void *v, loff_t *p= os, + struct list_head *head) { struct ima_queue_entry *qe =3D v; =20 
@@ -101,7 +108,12 @@ static void *ima_measurements_next(struct seq_file *m,= void *v, loff_t *pos) rcu_read_unlock(); (*pos)++; =20 - return (&qe->later =3D=3D &ima_measurements) ? NULL : qe; + return (&qe->later =3D=3D head) ? NULL : qe; +} + +static void *ima_measurements_next(struct seq_file *m, void *v, loff_t *po= s) +{ + return _ima_measurements_next(m, v, pos, &ima_measurements); } =20 static void ima_measurements_stop(struct seq_file *m, void *v) --=20 2.43.0
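Review bot: In _ima_measurements_next() (last hunk of patch 05/12), the end-of-list test (&qe->later == head) is only correct when v was obtained from the same list that head points to; with a mismatched pair the comparison never matches and the walk continues past the real list head. Nothing in the signature enforces that pairing, so state the requirement in a comment on the helper, or derive the head from per-open state so that start and next cannot disagree.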
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 06/12] ima: Mediate open/release method of the measurements list
Date: Fri, 5 Jun 2026 19:22:30 +0200
Message-ID: <20260605172236.2042045-7-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Roberto Sassu

Introduce the ima_measure_users counter, to implement a semaphore-like locking scheme where the binary and ASCII measurements list interfaces can be concurrently opened by multiple readers, or alternatively by a single writer.

In addition, allow the same writer to open the other interfaces for write or read/write, so that it can see the same measurement state across all the interfaces.

A semaphore cannot be used because the kernel cannot return to user space with a lock held. Introduce the ima_measure_lock() and ima_measure_unlock() primitives, to respectively lock/unlock the interfaces (safely with the ima_measure_users counter, without holding a lock).

Finally, introduce _ima_measurements_open() to lock the interface before seq_open(), and call it from ima_measurements_open() and ima_ascii_measurements_open(). And, introduce ima_measurements_release(), to unlock the interface.

Require CAP_SYS_ADMIN if the interface is opened for write (not possible for the current measurements interfaces, since they only have read permission).

No functional changes: multiple readers are allowed as before.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
---
 security/integrity/ima/ima_fs.c | 102 ++++++++++++++++++++++++++++++--
 1 file changed, 98 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index dcdc4cb8fa0f..91bd831d070f 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c 
@@ -25,6 +25,10 @@ #include "ima.h" =20 static DEFINE_MUTEX(ima_write_mutex); +static DEFINE_MUTEX(ima_measure_mutex); +static long ima_measure_users; +static struct task_struct *measure_writer; +static long measure_writer_extra_writes; =20 bool ima_canonical_fmt; static int __init default_canonical_fmt_setup(char *str) 
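Review bot: The four new statics (ima_measure_mutex, ima_measure_users, measure_writer, measure_writer_extra_writes) are declared without a comment saying that ima_measure_mutex protects the other three or what the counter values mean; the "> 0 open readers" and "== -1 open writer" encoding is only explained later, inside ima_measure_lock(). A short comment block here would document the invariant where the state is declared. The last two names also drop the ima_ prefix used by the neighbouring file-scope variables.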
@@ -209,16 +213,105 @@ static const struct seq_operations ima_measurments_s= eqops =3D { .show =3D ima_measurements_show }; =20 +static int ima_measure_lock(bool write) +{ + mutex_lock(&ima_measure_mutex); + /* Overflow check. */ + if (!write && ima_measure_users =3D=3D LONG_MAX) { + mutex_unlock(&ima_measure_mutex); + return -ENFILE; + } + + /* Same writer can do additional writes or read/writes. */ + if (write && current =3D=3D measure_writer) { + measure_writer_extra_writes++; + mutex_unlock(&ima_measure_mutex); + return 0; + } + + /* + * ima_measure_users: > 0 open readers + * ima_measure_users: =3D=3D -1 open writer + */ + if ((write && ima_measure_users !=3D 0) || + (!write && ima_measure_users < 0)) { + mutex_unlock(&ima_measure_mutex); + return -EBUSY; + } + + if (write) { + ima_measure_users--; + /* Pointer valid, no reuse while the file descriptor is open. */ + measure_writer =3D current; + } else { + ima_measure_users++; + } + mutex_unlock(&ima_measure_mutex); + return 0; +} + +static void ima_measure_unlock(bool write) +{ + mutex_lock(&ima_measure_mutex); + /* Decrement additional writes or read/writes. 
*/ + if (write && current =3D=3D measure_writer && + measure_writer_extra_writes !=3D 0) { + measure_writer_extra_writes--; + mutex_unlock(&ima_measure_mutex); + return; + } + if (write) { + ima_measure_users++; + measure_writer =3D NULL; + } else { + ima_measure_users--; + } + mutex_unlock(&ima_measure_mutex); +} + +static int _ima_measurements_open(struct inode *inode, struct file *file, + const struct seq_operations *seq_ops) +{ + bool write =3D (file->f_mode & FMODE_WRITE); + int ret; + + if (write && !capable(CAP_SYS_ADMIN)) + return -EPERM; + + ret =3D ima_measure_lock(write); + if (ret < 0) + return ret; + + ret =3D seq_open(file, seq_ops); + if (ret < 0) + ima_measure_unlock(write); + + return ret; +} + static int ima_measurements_open(struct inode *inode, struct file *file) { - return seq_open(file, &ima_measurments_seqops); + return _ima_measurements_open(inode, file, &ima_measurments_seqops); +} + +static int ima_measurements_release(struct inode *inode, struct file *file) +{ + bool write =3D (file->f_mode & FMODE_WRITE); + int ret; + + /* seq_release() always returns zero. */ + ret =3D seq_release(inode, file); + + ima_measure_unlock(write); + + return ret; } =20 static const struct file_operations ima_measurements_ops =3D { .open =3D ima_measurements_open, .read =3D seq_read, .llseek =3D seq_lseek, - .release =3D seq_release, + .release =3D ima_measurements_release, }; =20 void ima_print_digest(struct seq_file *m, u8 *digest, u32 size) 
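Review bot: Writer ownership in ima_measure_lock() and ima_measure_unlock() is keyed on current, but release() is not guaranteed to run in the task that called open(): a descriptor inherited across fork() or passed over a Unix socket can be closed by a different task. In that case ima_measure_unlock() skips the measure_writer_extra_writes branch, clears measure_writer and increments ima_measure_users while extra write opens are still outstanding, so the counters no longer balance and later closes push ima_measure_users above zero with no readers open. The comment "Pointer valid, no reuse while the file descriptor is open" has the same dependency on the opener still being the holder. Consider recording ownership per open file rather than per task, and add an upper bound check on measure_writer_extra_writes++ to match the LONG_MAX check done for readers.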
@@ -283,14 +376,15 @@ static const struct seq_operations ima_ascii_measurem= ents_seqops =3D { =20 static int ima_ascii_measurements_open(struct inode *inode, struct file *f= ile) { - return seq_open(file, &ima_ascii_measurements_seqops); + return _ima_measurements_open(inode, file, + &ima_ascii_measurements_seqops); } =20 static const struct file_operations ima_ascii_measurements_ops =3D { .open =3D ima_ascii_measurements_open, .read =3D seq_read, .llseek =3D seq_lseek, - .release =3D seq_release, + .release =3D ima_measurements_release, }; =20 static ssize_t ima_read_policy(char *path) --=20 2.43.0
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 07/12] ima: Use snprintf() in create_securityfs_measurement_lists
Date: Fri, 5 Jun 2026 19:22:31 +0200
Message-ID: <20260605172236.2042045-8-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Roberto Sassu

Use the more secure snprintf() function (accepting the buffer size) in create_securityfs_measurement_lists().

No functional change: sprintf() and snprintf() have the same behavior.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
---
 security/integrity/ima/ima_fs.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index 91bd831d070f..f6ecee2d7699 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -503,11 +503,13 @@ static int __init create_securityfs_measurement_lists= (void) struct dentry *dentry; =20 if (algo =3D=3D HASH_ALGO__LAST) - sprintf(file_name, "ascii_runtime_measurements_tpm_alg_%x", - ima_tpm_chip->allocated_banks[i].alg_id); + snprintf(file_name, sizeof(file_name), + "ascii_runtime_measurements_tpm_alg_%x", + ima_tpm_chip->allocated_banks[i].alg_id); else - sprintf(file_name, "ascii_runtime_measurements_%s", - hash_algo_name[algo]); + snprintf(file_name, sizeof(file_name), + "ascii_runtime_measurements_%s", + hash_algo_name[algo]); dentry =3D securityfs_create_file(file_name, S_IRUSR | S_IRGRP, ima_dir, (void *)(uintptr_t)i, &ima_ascii_measurements_ops); 
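Review bot: The snprintf() return value is discarded in both branches, so a name longer than file_name is now silently truncated and handed to securityfs_create_file() instead of overflowing the buffer. That is safer, but it is a behaviour difference from sprintf(), which the commit message describes as identical. Either compare the return value against sizeof(file_name) and fail the init on truncation, or add a comment stating that the buffer is sized for the longest possible name. sizeof(file_name) is also only correct if file_name is an array in this function, which the hunk does not show. The same points apply to the binary_runtime_measurements names in the following hunk.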
@@ -515,11 +517,13 @@ static int __init create_securityfs_measurement_lists= (void) return PTR_ERR(dentry); =20 if (algo =3D=3D HASH_ALGO__LAST) - sprintf(file_name, "binary_runtime_measurements_tpm_alg_%x", - ima_tpm_chip->allocated_banks[i].alg_id); + snprintf(file_name, sizeof(file_name), + "binary_runtime_measurements_tpm_alg_%x", + ima_tpm_chip->allocated_banks[i].alg_id); else - sprintf(file_name, "binary_runtime_measurements_%s", - hash_algo_name[algo]); + snprintf(file_name, sizeof(file_name), + "binary_runtime_measurements_%s", + hash_algo_name[algo]); dentry =3D securityfs_create_file(file_name, S_IRUSR | S_IRGRP, ima_dir, (void *)(uintptr_t)i, &ima_measurements_ops); --=20 2.43.0
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 08/12] ima: Introduce ima_dump_measurement()
Date: Fri, 5 Jun 2026 19:22:32 +0200
Message-ID: <20260605172236.2042045-9-roberto.sassu@huaweicloud.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

From: Roberto Sassu

Introduce ima_dump_measurement() to simplify the code of ima_dump_measurement_list() and to avoid repeating the ima_dump_measurement() code block if iteration occurs on multiple lists.

No functional change: only code moved to a separate function.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
Reviewed-by: Mimi Zohar
---
 security/integrity/ima/ima_kexec.c | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/im= a_kexec.c index 8dc9459622b3..26d41974429e 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -80,6 +80,17 @@ static int ima_alloc_kexec_file_buf(size_t segment_size) return 0; } =20 +static int ima_dump_measurement(struct ima_kexec_hdr *khdr, + struct ima_queue_entry *qe) +{ + if (ima_kexec_file.count >=3D ima_kexec_file.size) + return -EINVAL; + + khdr->count++; + ima_measurements_show(&ima_kexec_file, qe); + return 0; +} + static int ima_dump_measurement_list(unsigned long *buffer_size, void **bu= ffer, unsigned long segment_size) { 
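Review bot: ima_dump_measurement() discards the return value of ima_measurements_show() and increments khdr->count before the entry is written, so an entry is counted whether or not it fit, and the only fullness test is the count >= size check made before the next entry. That matches the code being moved, but since the helper is meant to be reused for other lists, state this contract in a comment or check for overflow after the show call. The helper also writes to the global ima_kexec_file while taking khdr as a parameter; passing the seq_file in as well would keep its inputs consistent.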
@@ -97,13 +108,9 @@ static int ima_dump_measurement_list(unsigned long *buf= fer_size, void **buffer, khdr.version =3D 1; /* This is an append-only list, no need to hold the RCU read lock */ list_for_each_entry_rcu(qe, &ima_measurements, later, true) { - if (ima_kexec_file.count < ima_kexec_file.size) { - khdr.count++; - ima_measurements_show(&ima_kexec_file, qe); - } else { - ret =3D -EINVAL; + ret =3D ima_dump_measurement(&khdr, qe); + if (ret < 0) break; - } } =20 /* --=20 2.43.0
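Review bot: ima_dump_measurement() has no comment saying what -EINVAL means or that the return value of ima_measurements_show() is dropped on purpose. The check 'ima_kexec_file.count >= ima_kexec_file.size' only catches a buffer that was already full before the call, so khdr->count is incremented even when the record written by ima_measurements_show() does not fit. The helper also takes khdr as a parameter but reaches for the file-scope ima_kexec_file directly. Since the commit is declared as no functional change, keeping the behaviour is fine, but a short comment above the helper stating both points, and ideally passing the seq_file in next to khdr, would make the reuse on a second list easier to review.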
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu, Stefan Berger
Subject: [PATCH v7 09/12] ima: Add support for staging measurements with prompt
Date: Fri, 5 Jun 2026 19:22:33 +0200
Message-ID: <20260605172236.2042045-10-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Content-Transfer-Encoding: quoted-printable

From: Roberto Sassu

Introduce the ability of staging the IMA measurement list and deleting them with a prompt.

Staging means moving the current measurement list records to a separate location, and allowing users to read and delete it. This causes the current measurement list to be emptied (since records were moved) and new measurements to be added on the empty list. Staging can be done only once at a time. In the event of kexec(), staging is aborted and staged records will be carried over to the new kernel.

Introduce ascii_runtime_measurements__staged and binary_runtime_measurements__staged interfaces to access and delete the measurements. Use 'echo A > ' and 'echo D > ' to respectively stage and delete the entire measurements list. Locking of these interfaces is also mediated with a call to _ima_measurements_open() and with ima_measurements_release().

Implement the staging functionality by introducing the new global measurements list ima_measurements_staged, and ima_queue_stage() and ima_queue_staged_delete_all() to respectively move measurements from the current measurements list to the staged one, and to move staged measurements to the ima_measurements_trim list for deletion. Introduce ima_queue_delete() to delete the measurements.

Staging is forbidden after measurement is suspended, and between staging and deleting, so that walking the staged and current measurements list can be done locklessly in ima_dump_measurement_list(). Strict ordering of suspending and dumping is enforced by two reboot notifiers with different priority. Refusing to delete staged measurements also signals to user space that those measurements are already carried over to the secondary kernel, so that it does not save them twice.

Finally, introduce the BINARY_STAGED and BINARY_FULL binary measurements list types, to maintain the counters and the binary size of staged measurements and the full measurements list (including records that were staged).
BINARY still represents the current binary measurements list. Use the binary size for the BINARY + BINARY_STAGED types in ima_add_kexec_buffer(), since both measurements list types are copied to the secondary kernel during kexec. Use BINARY_FULL in ima_measure_kexec_event(), to generate a critical data record.

It should be noted that the BINARY_FULL counter is not passed through kexec. Thus, the number of records included in the kexec critical data records refers to the records since the critical data records generated from the previous kexec event.

Note: This code derives from the Alt-IMA Huawei project, whose license is GPL-2.0 OR MIT.

Link: https://github.com/linux-integrity/linux/issues/1
Suggested-by: Gregory Lumen (staging revert)
Signed-off-by: Roberto Sassu
Tested-by: Stefan Berger
--- security/integrity/ima/Kconfig | 12 ++ security/integrity/ima/ima.h | 7 +- security/integrity/ima/ima_fs.c | 174 ++++++++++++++++++++++++++--- security/integrity/ima/ima_kexec.c | 20 +++- security/integrity/ima/ima_queue.c | 140 ++++++++++++++++++++++- 5 files changed, 333 insertions(+), 20 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 862fbee2b174..02436670f746 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -332,4 +332,16 @@ config IMA_KEXEC_EXTRA_MEMORY_KB If set to the default value of 0, an extra half page of memory for those additional measurements will be allocated. =20 +config IMA_STAGING + bool "Support for staging the measurements list" + default n + help + Add support for staging the measurements list. + + It allows user space to stage the measurements list for deletion and + to delete the staged measurements after confirmation. + + On kexec, staging is aborted and any staged measurement records are + copied to the secondary kernel. + endif diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index c00c133a140f..3892d2a6c2e2 100644 
--- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -30,9 +30,11 @@ enum tpm_pcrs { TPM_PCR0 =3D 0, TPM_PCR8 =3D 8, TPM_PCR1= 0 =3D 10 }; =20 /* * BINARY: current binary measurements list + * BINARY_STAGED: staged binary measurements list + * BINARY_FULL: binary measurements list since IMA init (lost after kexec) */ enum binary_lists { - BINARY, BINARY__LAST + BINARY, BINARY_STAGED, BINARY_FULL, BINARY__LAST }; =20 /* digest size for IMA, fits SHA1 or MD5 */ @@ -125,6 +127,7 @@ struct ima_queue_entry { struct ima_template_entry *entry; }; extern struct list_head ima_measurements; /* list of all measurements */ +extern struct list_head ima_measurements_staged; /* list of staged meas. */ =20 /* Some details preceding the binary serialized measurement list */ struct ima_kexec_hdr { @@ -315,6 +318,8 @@ struct ima_template_desc *ima_template_desc_current(voi= d); struct ima_template_desc *ima_template_desc_buf(void); struct ima_template_desc *lookup_template_desc(const char *name); bool ima_template_has_modsig(const struct ima_template_desc *ima_template); +int ima_queue_stage(void); +int ima_queue_staged_delete_all(void); int ima_restore_measurement_entry(struct ima_template_entry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); int ima_measurements_show(struct seq_file *m, void *v); diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index f6ecee2d7699..96d7503a605b 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -24,6 +24,13 @@ =20 #include "ima.h" =20 +/* + * Requests: + * 'A\n': stage the entire measurements list + * 'D\n': delete all staged measurements + */ +#define STAGED_REQ_LENGTH 21 + static DEFINE_MUTEX(ima_write_mutex); static DEFINE_MUTEX(ima_measure_mutex); static long ima_measure_users; 
@@ -99,6 +106,11 @@ static void *ima_measurements_start(struct seq_file *m,= loff_t *pos) return _ima_measurements_start(m, pos, &ima_measurements); } =20 +static void *ima_measurements_staged_start(struct seq_file *m, loff_t *pos) +{ + return _ima_measurements_start(m, pos, &ima_measurements_staged); +} + static void *_ima_measurements_next(struct seq_file *m, void *v, loff_t *p= os, struct list_head *head) { @@ -120,6 +132,12 @@ static void *ima_measurements_next(struct seq_file *m,= void *v, loff_t *pos) return _ima_measurements_next(m, v, pos, &ima_measurements); } =20 +static void *ima_measurements_staged_next(struct seq_file *m, void *v, + loff_t *pos) +{ + return _ima_measurements_next(m, v, pos, &ima_measurements_staged); +} + static void ima_measurements_stop(struct seq_file *m, void *v) { } @@ -213,6 +231,13 @@ static const struct seq_operations ima_measurments_seq= ops =3D { .show =3D ima_measurements_show }; =20 +static const struct seq_operations ima_measurments_staged_seqops =3D { + .start =3D ima_measurements_staged_start, + .next =3D ima_measurements_staged_next, + .stop =3D ima_measurements_stop, + .show =3D ima_measurements_show +}; + static int ima_measure_lock(bool write) { mutex_lock(&ima_measure_mutex); 
@@ -307,6 +332,60 @@ static int ima_measurements_release(struct inode *inod= e, struct file *file) return ret; } =20 +static int ima_measurements_staged_open(struct inode *inode, struct file *= file) +{ + return _ima_measurements_open(inode, file, + &ima_measurments_staged_seqops); +} + +static ssize_t _ima_measurements_write(struct file *file, + const char __user *buf, size_t datalen, + loff_t *ppos, bool staged_interface) +{ + char req[STAGED_REQ_LENGTH]; + int ret; + + if (datalen < 2 || datalen > STAGED_REQ_LENGTH) + return -EINVAL; + + if (copy_from_user(req, buf, datalen) !=3D 0) + return -EFAULT; + + if (req[datalen - 1] !=3D '\n') + return -EINVAL; + + req[datalen - 1] =3D '\0'; + + switch (req[0]) { + case 'A': + if (datalen !=3D 2 || !staged_interface) + return -EINVAL; + + ret =3D ima_queue_stage(); + break; + case 'D': + if (datalen !=3D 2 || !staged_interface) + return -EINVAL; + + ret =3D ima_queue_staged_delete_all(); + break; + default: + ret =3D -EINVAL; + } + + if (ret < 0) + return ret; + + return datalen; +} + +static ssize_t ima_measurements_staged_write(struct file *file, + const char __user *buf, + size_t datalen, loff_t *ppos) +{ + return _ima_measurements_write(file, buf, datalen, ppos, true); +} + static const struct file_operations ima_measurements_ops =3D { .open =3D ima_measurements_open, .read =3D seq_read, @@ -314,6 +393,14 @@ static const struct file_operations ima_measurements_o= ps =3D { .release =3D ima_measurements_release, }; =20 +static const struct file_operations ima_measurements_staged_ops =3D { + .open =3D ima_measurements_staged_open, + .read =3D seq_read, + .write =3D ima_measurements_staged_write, + .llseek =3D seq_lseek, + .release =3D ima_measurements_release, +}; + void ima_print_digest(struct seq_file *m, u8 *digest, u32 size) { u32 i; 
@@ -387,6 +474,28 @@ static const struct file_operations ima_ascii_measurem= ents_ops =3D { .release =3D ima_measurements_release, }; =20 +static const struct seq_operations ima_ascii_measurements_staged_seqops = =3D { + .start =3D ima_measurements_staged_start, + .next =3D ima_measurements_staged_next, + .stop =3D ima_measurements_stop, + .show =3D ima_ascii_measurements_show +}; + +static int ima_ascii_measurements_staged_open(struct inode *inode, + struct file *file) +{ + return _ima_measurements_open(inode, file, + &ima_ascii_measurements_staged_seqops); +} + +static const struct file_operations ima_ascii_measurements_staged_ops =3D { + .open =3D ima_ascii_measurements_staged_open, + .read =3D seq_read, + .write =3D ima_measurements_staged_write, + .llseek =3D seq_lseek, + .release =3D ima_measurements_release, +}; + static ssize_t ima_read_policy(char *path) { void *data =3D NULL; @@ -490,10 +599,21 @@ static const struct seq_operations ima_policy_seqops = =3D { }; #endif =20 -static int __init create_securityfs_measurement_lists(void) +static int __init create_securityfs_measurement_lists(bool staging) { + const struct file_operations *ascii_ops =3D &ima_ascii_measurements_ops; + const struct file_operations *binary_ops =3D &ima_measurements_ops; + umode_t permissions =3D (S_IRUSR | S_IRGRP); + const char *file_suffix =3D ""; int count =3D NR_BANKS(ima_tpm_chip); =20 + if (staging) { + ascii_ops =3D &ima_ascii_measurements_staged_ops; + binary_ops =3D &ima_measurements_staged_ops; + permissions |=3D (S_IWUSR | S_IWGRP); + file_suffix =3D "_staged"; + } + if (ima_sha1_idx >=3D NR_BANKS(ima_tpm_chip)) count++; =20 
@@ -504,29 +624,32 @@ static int __init create_securityfs_measurement_lists= (void) =20 if (algo =3D=3D HASH_ALGO__LAST) snprintf(file_name, sizeof(file_name), - "ascii_runtime_measurements_tpm_alg_%x", - ima_tpm_chip->allocated_banks[i].alg_id); + "ascii_runtime_measurements_tpm_alg_%x%s", + ima_tpm_chip->allocated_banks[i].alg_id, + file_suffix); else snprintf(file_name, sizeof(file_name), - "ascii_runtime_measurements_%s", - hash_algo_name[algo]); - dentry =3D securityfs_create_file(file_name, S_IRUSR | S_IRGRP, + "ascii_runtime_measurements_%s%s", + hash_algo_name[algo], file_suffix); + dentry =3D securityfs_create_file(file_name, permissions, ima_dir, (void *)(uintptr_t)i, - &ima_ascii_measurements_ops); + ascii_ops); if (IS_ERR(dentry)) return PTR_ERR(dentry); =20 if (algo =3D=3D HASH_ALGO__LAST) snprintf(file_name, sizeof(file_name), - "binary_runtime_measurements_tpm_alg_%x", - ima_tpm_chip->allocated_banks[i].alg_id); + "binary_runtime_measurements_tpm_alg_%x%s", + ima_tpm_chip->allocated_banks[i].alg_id, + file_suffix); else snprintf(file_name, sizeof(file_name), - "binary_runtime_measurements_%s", - hash_algo_name[algo]); - dentry =3D securityfs_create_file(file_name, S_IRUSR | S_IRGRP, + "binary_runtime_measurements_%s%s", + hash_algo_name[algo], file_suffix); + + dentry =3D securityfs_create_file(file_name, permissions, ima_dir, (void *)(uintptr_t)i, - &ima_measurements_ops); + binary_ops); if (IS_ERR(dentry)) return PTR_ERR(dentry); } 
@@ -534,6 +657,23 @@ static int __init create_securityfs_measurement_lists(= void) return 0; } =20 +static int __init create_securityfs_staging_links(void) +{ + struct dentry *dentry; + + dentry =3D securityfs_create_symlink("binary_runtime_measurements_staged", + ima_dir, "binary_runtime_measurements_sha1_staged", NULL); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + dentry =3D securityfs_create_symlink("ascii_runtime_measurements_staged", + ima_dir, "ascii_runtime_measurements_sha1_staged", NULL); + if (IS_ERR(dentry)) + return PTR_ERR(dentry); + + return 0; +} + /* * ima_open_policy: sequentialize access to the policy file */ @@ -626,7 +766,13 @@ int __init ima_fs_init(void) goto out; } =20 - ret =3D create_securityfs_measurement_lists(); + ret =3D create_securityfs_measurement_lists(false); + if (ret =3D=3D 0 && IS_ENABLED(CONFIG_IMA_STAGING)) { + ret =3D create_securityfs_measurement_lists(true); + if (ret =3D=3D 0) + ret =3D create_securityfs_staging_links(); + } + if (ret !=3D 0) goto out; =20 diff --git a/security/integrity/ima/ima_kexec.c b/security/integrity/ima/im= a_kexec.c index 26d41974429e..0d845693a1f7 100644 --- a/security/integrity/ima/ima_kexec.c +++ b/security/integrity/ima/ima_kexec.c @@ -42,8 +42,8 @@ void ima_measure_kexec_event(const char *event_name) long len; int n; =20 - buf_size =3D ima_get_binary_runtime_size(BINARY); - len =3D atomic_long_read(&ima_num_records[BINARY]); + buf_size =3D ima_get_binary_runtime_size(BINARY_FULL); + len =3D atomic_long_read(&ima_num_records[BINARY_FULL]); =20 n =3D scnprintf(ima_kexec_event, IMA_KEXEC_EVENT_LEN, "kexec_segment_size=3D%lu;ima_binary_runtime_size=3D%lu;" 
@@ -106,13 +106,24 @@ static int ima_dump_measurement_list(unsigned long *b= uffer_size, void **buffer, =20 memset(&khdr, 0, sizeof(khdr)); khdr.version =3D 1; - /* This is an append-only list, no need to hold the RCU read lock */ - list_for_each_entry_rcu(qe, &ima_measurements, later, true) { + /* + * Lockless walks possible due to strict ordering of the reboot + * notifiers, suspending measurement before dump, and forbidding + * staging/deleting (list mutations) after suspend. + */ + list_for_each_entry(qe, &ima_measurements_staged, later) { ret =3D ima_dump_measurement(&khdr, qe); if (ret < 0) break; } =20 + list_for_each_entry(qe, &ima_measurements, later) { + if (!ret) + ret =3D ima_dump_measurement(&khdr, qe); + if (ret < 0) + break; + } + /* * fill in reserved space with some buffer details * (eg. version, buffer size, number of measurements) @@ -167,6 +178,7 @@ void ima_add_kexec_buffer(struct kimage *image) extra_memory =3D CONFIG_IMA_KEXEC_EXTRA_MEMORY_KB * 1024; =20 binary_runtime_size =3D ima_get_binary_runtime_size(BINARY) + + ima_get_binary_runtime_size(BINARY_STAGED) + extra_memory; =20 if (binary_runtime_size >=3D ULONG_MAX - PAGE_SIZE) diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index 618694d5c082..cdc21e1b929b 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -26,6 +26,7 @@ static struct tpm_digest *digests; =20 LIST_HEAD(ima_measurements); /* list of all measurements */ +LIST_HEAD(ima_measurements_staged); /* list of staged measurements */ #ifdef CONFIG_IMA_KEXEC static unsigned long binary_runtime_size[BINARY__LAST]; #else 
@@ -42,7 +43,7 @@ atomic_long_t ima_num_violations =3D ATOMIC_LONG_INIT(0); /* key: inode (before secure-hashing a file) */ struct hlist_head __rcu *ima_htable; =20 -/* mutex protects atomicity of extending measurement list +/* mutex protects atomicity of extending and staging measurement list * and extending the TPM PCR aggregate. Since tpm_extend can take * long (and the tpm driver uses a mutex), we can't use the spinlock. */ @@ -171,12 +172,16 @@ static int ima_add_digest_entry(struct ima_template_e= ntry *entry, lockdep_is_held(&ima_extend_list_mutex)); =20 atomic_long_inc(&ima_num_records[BINARY]); + atomic_long_inc(&ima_num_records[BINARY_FULL]); + if (update_htable) { key =3D ima_hash_key(entry->digests[ima_hash_algo_idx].digest); hlist_add_head_rcu(&qe->hnext, &htable[key]); } =20 ima_update_binary_runtime_size(entry, BINARY); + ima_update_binary_runtime_size(entry, BINARY_FULL); + return 0; } =20 
@@ -277,6 +282,139 @@ int ima_add_template_entry(struct ima_template_entry = *entry, int violation, return result; } =20 +/** + * ima_queue_stage - Stage all measurements + * + * If the staged measurements list is empty, the current measurements list= is + * not empty, and measurement is not suspended, move the measurements from= the + * current list to the staged one, and update the number of records and bi= nary + * run-time size accordingly. + * + * Do not allow staging after measurement is suspended, so that dumping + * measurements can be done in a lockless way. + * + * Return: Zero on success, a negative value otherwise. + */ +int ima_queue_stage(void) +{ + int ret =3D 0; + + mutex_lock(&ima_extend_list_mutex); + if (!list_empty(&ima_measurements_staged)) { + ret =3D -EEXIST; + goto out_unlock; + } + + if (list_empty(&ima_measurements)) { + ret =3D -ENOENT; + goto out_unlock; + } + + if (ima_measurements_suspended) { + ret =3D -EACCES; + goto out_unlock; + } + + list_replace(&ima_measurements, &ima_measurements_staged); + INIT_LIST_HEAD(&ima_measurements); + + atomic_long_set(&ima_num_records[BINARY_STAGED], + atomic_long_read(&ima_num_records[BINARY])); + atomic_long_set(&ima_num_records[BINARY], 0); + + if (IS_ENABLED(CONFIG_IMA_KEXEC)) { + binary_runtime_size[BINARY_STAGED] =3D + binary_runtime_size[BINARY]; + binary_runtime_size[BINARY] =3D 0; + } +out_unlock: + mutex_unlock(&ima_extend_list_mutex); + return ret; +} + +static void ima_queue_delete(struct list_head *head); + +/** + * ima_queue_staged_delete_all - Delete staged measurements + * + * Move staged measurements to a temporary list, ima_measurements_trim, up= date + * the number of records and the binary run-time size accordingly. Finally, + * delete measurements in the temporary list. 
+ * + * Refuse to delete staged measurements if measurement is suspended, so th= at + * dump can be done in a lockless way and user space is notified about sta= ged + * measurements being carried over to the secondary kernel, so that it doe= s not + * save them twice. + * + * Return: Zero on success, a negative value otherwise. + */ +int ima_queue_staged_delete_all(void) +{ + LIST_HEAD(ima_measurements_trim); + + mutex_lock(&ima_extend_list_mutex); + if (list_empty(&ima_measurements_staged)) { + mutex_unlock(&ima_extend_list_mutex); + return -ENOENT; + } + + if (ima_measurements_suspended) { + mutex_unlock(&ima_extend_list_mutex); + return -ESTALE; + } + + list_replace(&ima_measurements_staged, &ima_measurements_trim); + INIT_LIST_HEAD(&ima_measurements_staged); + + atomic_long_set(&ima_num_records[BINARY_STAGED], 0); + + if (IS_ENABLED(CONFIG_IMA_KEXEC)) + binary_runtime_size[BINARY_STAGED] =3D 0; + + mutex_unlock(&ima_extend_list_mutex); + + ima_queue_delete(&ima_measurements_trim); + return 0; +} + +/** + * ima_queue_delete - Delete measurements + * @head: List head measurements are deleted from + * + * Delete the measurements from the passed list head completely if the + * hash table is not enabled, or partially (only the template data), if the + * hash table is used. + */ +static void ima_queue_delete(struct list_head *head) +{ + struct ima_queue_entry *qe, *qe_tmp; + unsigned int i; + + list_for_each_entry_safe(qe, qe_tmp, head, later) { + /* + * Safe to free template_data here without synchronize_rcu() + * because the only htable reader, ima_lookup_digest_entry(), + * accesses only entry->digests, not template_data. If new + * htable readers are added that access template_data, a + * synchronize_rcu() is required here. 
+ */ + for (i =3D 0; i < qe->entry->template_desc->num_fields; i++) { + kfree(qe->entry->template_data[i].data); + qe->entry->template_data[i].data =3D NULL; + qe->entry->template_data[i].len =3D 0; + } + + list_del(&qe->later); + + /* No leak if condition is false, referenced by ima_htable. */ + if (IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE)) { + kfree(qe->entry->digests); + kfree(qe->entry); + kfree(qe); + } + } +} + int ima_restore_measurement_entry(struct ima_template_entry *entry) { int result =3D 0; --=20 2.43.0
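Review bot: In _ima_measurements_write(), STAGED_REQ_LENGTH is 21 but both accepted requests ('A' and 'D') are rejected unless datalen is exactly 2, so the 21-byte buffer, the 'datalen > STAGED_REQ_LENGTH' bound and the NUL termination of req[datalen - 1] are never needed in this patch. The staged_interface argument is likewise always true here, since the only caller is ima_measurements_staged_write(). Either size the buffer for the two-byte requests this patch defines, or extend the comment above STAGED_REQ_LENGTH to say which longer request the constant is reserved for.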
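Review bot: create_securityfs_measurement_lists() makes the staged files group-writable with 'permissions |= (S_IWUSR | S_IWGRP)', and a write of 'D' discards measurement records, yet _ima_measurements_write() contains no capability check of its own. If the only gate is the file mode plus whatever _ima_measurements_open() enforces (not shown in this patch), please say so in a comment next to the mode bits, and consider whether S_IWGRP is needed at all given that the existing lists are created with S_IRUSR | S_IRGRP only.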
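Review bot: In ima_dump_measurement_list(), the second loop tests 'if (!ret)' on every iteration, so after a failure in the staged walk it is still entered only to break on the first entry. Guarding the whole loop with a single 'if (!ret)', or jumping past it, states the intent directly. The change from list_for_each_entry_rcu(..., true) to plain list_for_each_entry() rests entirely on the ordering described in the new comment; naming the two reboot notifiers there would let a reader verify it.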
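Review bot: ima_queue_stage() moves the records with list_replace() followed by INIT_LIST_HEAD(&ima_measurements), neither of which is an RCU-safe update, while holding only ima_extend_list_mutex. A reader that is part-way through ima_measurements at that moment would keep following entries that now belong to ima_measurements_staged and would not reach the list head it is comparing against. The commit message says locking of the interfaces is mediated through _ima_measurements_open() and ima_measurements_release(); please state that dependency in the kernel-doc of ima_queue_stage(), and of ima_queue_staged_delete_all(), which does the same to the staged list, so it is visible where the list is mutated.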
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 10/12] ima: Add support for flushing the hash table when staging measurements
Date: Fri, 5 Jun 2026 19:22:34 +0200
Message-ID: <20260605172236.2042045-11-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
Content-Transfer-Encoding: quoted-printable

From: Roberto Sassu

During staging and delete, measurements are not completely deallocated. Their entry digest portion is kept and is still reachable with the hash table to detect duplicate records. If the number of records is significant, this reduces the memory saving benefit of staging.

Some users might be interested in achieving the best memory saving (the measurements are completely deallocated) at the cost of having duplicate records across the staged measurement lists. Duplicate records are still avoided within the current measurement list.

Introduce the new kernel option ima_flush_htable to decide whether or not the digests of staged measurement records are flushed from the hash table, when they are deleted, to achieve the maximum memory saving.

When the option is enabled, replace the old hash table with a new one, by calling ima_alloc_replace_htable(), and completely delete the measurements records.

Note: This code derives from the Alt-IMA Huawei project, whose license is GPL-2.0 OR MIT.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
--- .../admin-guide/kernel-parameters.txt | 6 +++ security/integrity/ima/ima_queue.c | 41 ++++++++++++++++--- 2 files changed, 41 insertions(+), 6 deletions(-) diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentatio= n/admin-guide/kernel-parameters.txt index 4d0f545fb3ec..aad318803f82 100644 --- a/Documentation/admin-guide/kernel-parameters.txt +++ b/Documentation/admin-guide/kernel-parameters.txt 
@@ -2343,6 +2343,12 @@ Kernel parameters Use the canonical format for the binary runtime measurements, instead of host native format. =20 + ima_flush_htable [IMA] + Flush the IMA hash table when deleting all the + staged measurement records, to achieve maximum + memory saving at the cost of having duplicate + records across the staged measurement lists. + ima_hash=3D [IMA] Format: { md5 | sha1 | rmd160 | sha256 | sha384 | sha512 | ... } diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index cdc21e1b929b..df1e81ea7a36 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -22,6 +22,20 @@ =20 #define AUDIT_CAUSE_LEN_MAX 32 =20 +static bool ima_flush_htable; + +static int __init ima_flush_htable_setup(char *str) +{ + if (IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE)) { + pr_warn("Hash table not enabled, ignoring request to flush\n"); + return 1; + } + + ima_flush_htable =3D true; + return 1; +} +__setup("ima_flush_htable", ima_flush_htable_setup); + /* pre-allocated array of tpm_digest structures to extend a PCR */ static struct tpm_digest *digests; =20 @@ -332,7 +346,7 @@ int ima_queue_stage(void) return ret; } =20 -static void ima_queue_delete(struct list_head *head); +static void ima_queue_delete(struct list_head *head, bool flush_htable); =20 /** * ima_queue_staged_delete_all - Delete staged measurements @@ -350,6 +364,7 @@ static void ima_queue_delete(struct list_head *head); */ int ima_queue_staged_delete_all(void) { + struct hlist_head *old_queue =3D NULL; LIST_HEAD(ima_measurements_trim); =20 mutex_lock(&ima_extend_list_mutex); 
@@ -371,21 +386,35 @@ int ima_queue_staged_delete_all(void) if (IS_ENABLED(CONFIG_IMA_KEXEC)) binary_runtime_size[BINARY_STAGED] =3D 0; =20 + if (ima_flush_htable) { + old_queue =3D ima_alloc_replace_htable(); + if (IS_ERR(old_queue)) { + mutex_unlock(&ima_extend_list_mutex); + return PTR_ERR(old_queue); + } + } + mutex_unlock(&ima_extend_list_mutex); =20 - ima_queue_delete(&ima_measurements_trim); + if (ima_flush_htable) { + synchronize_rcu(); + kfree(old_queue); + } + + ima_queue_delete(&ima_measurements_trim, ima_flush_htable); return 0; } =20 /** * ima_queue_delete - Delete measurements * @head: List head measurements are deleted from + * @flush_htable: Whether or not the hash table is being flushed * * Delete the measurements from the passed list head completely if the - * hash table is not enabled, or partially (only the template data), if the - * hash table is used. + * hash table is not enabled or is being flushed, or partially (only the + * template data), if the hash table is used. */ -static void ima_queue_delete(struct list_head *head) +static void ima_queue_delete(struct list_head *head, bool flush_htable) { struct ima_queue_entry *qe, *qe_tmp; unsigned int i; 
@@ -407,7 +436,7 @@ static void ima_queue_delete(struct list_head *head) list_del(&qe->later); =20 /* No leak if condition is false, referenced by ima_htable. */ - if (IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE)) { + if (IS_ENABLED(CONFIG_IMA_DISABLE_HTABLE) || flush_htable) { kfree(qe->entry->digests); kfree(qe->entry); kfree(qe); --=20 2.43.0
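Review bot: ima_flush_htable_setup(), in the ima_queue.c hunk at @@ -22,6 +22,20 @@, never looks at str, and __setup() matches on the parameter prefix, so a command line carrying ima_flush_htable=0 or ima_flush_htable=off still sets ima_flush_htable = true. Either reject a non-empty str with a pr_warn() or parse it with kstrtobool(), and state in kernel-parameters.txt that the option takes no value and is ignored when CONFIG_IMA_DISABLE_HTABLE is set. Since the flag is written only from this __init handler, it can also be marked __ro_after_init.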
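Review bot: In ima_queue_staged_delete_all() (ima_queue.c, hunk @@ -371,21 +386,35 @@), the IS_ERR(old_queue) path returns after binary_runtime_size[BINARY_STAGED] has already been zeroed and without calling ima_queue_delete() on the stack-local ima_measurements_trim. If the staged records have been moved onto that list by this point (the splice is outside the visible context), they are leaked and the accounting no longer matches what is still in memory. Separating the allocation from the replacement, so that the allocation can fail before any state is changed, or undoing the changes on failure, avoids that. A one-line comment on why kfree(old_queue) has to follow synchronize_rcu() would also help the next reader.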
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 11/12] ima: Support staging and deleting N measurements records
Date: Fri, 5 Jun 2026 19:22:35 +0200
Message-ID: <20260605172236.2042045-12-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu

Add support for sending a value N between 1 and ULONG_MAX to the IMA
original measurement interface. This value represents the number of
measurements that should be deleted from the current measurements list. In
this case, measurements are staged in an internal non-user visible list,
and immediately deleted.

This staging method allows the remote attestation agents to easily separate
the measurements that were verified (staged and deleted) from those that
weren't due to the race between taking a TPM quote and reading the
measurements list.

In order to minimize the locking time of ima_extend_list_mutex, deleting N
records is realized by doing a lockless walk in the current measurements
list to determine the N-th entry to cut, to cut the current measurements
list under the lock, and by deleting the excess records after releasing the
lock.

Flushing the hash table is not supported for N records, since it would
require removing the N records one by one from the hash table under the
ima_extend_list_mutex lock, which would increase the locking time.

Link: https://github.com/linux-integrity/linux/issues/1
Co-developed-by: Steven Chen
Signed-off-by: Steven Chen
Signed-off-by: Roberto Sassu
---
 security/integrity/ima/Kconfig | 3 ++
 security/integrity/ima/ima.h | 2 +
 security/integrity/ima/ima_fs.c | 32 +++++++++++++--
 security/integrity/ima/ima_queue.c | 65 +++++++++++++++++++++++++++++-
 4 files changed, 98 insertions(+), 4 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 02436670f746..f4d25e045808 100644 --- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig @@ -341,6 +341,9 @@ config IMA_STAGING It allows user space to stage the measurements list for deletion and to delete the staged measurements after confirmation. =20 + Or, alternatively, it allows user space to specify N measurements + records to stage internally, so that they can be immediately deleted. + On kexec, staging is aborted and any staged measurement records are copied to the secondary kernel. =20 diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h index 3892d2a6c2e2..caaedd4b58fd 100644 --- a/security/integrity/ima/ima.h +++ b/security/integrity/ima/ima.h @@ -320,6 +320,7 @@ struct ima_template_desc *lookup_template_desc(const ch= ar *name); bool ima_template_has_modsig(const struct ima_template_desc *ima_template); int ima_queue_stage(void); int ima_queue_staged_delete_all(void); +int ima_queue_delete_partial(unsigned long req_value); int ima_restore_measurement_entry(struct ima_template_entry *entry); int ima_restore_measurement_list(loff_t bufsize, void *buf); int ima_measurements_show(struct seq_file *m, void *v); @@ -342,6 +343,7 @@ extern atomic_long_t ima_num_records[BINARY__LAST]; /* Total number of violations since hard boot. */ extern atomic_long_t ima_num_violations; extern struct hlist_head __rcu *ima_htable; +extern bool ima_flush_htable; =20 static inline unsigned int ima_hash_key(u8 *digest) { diff --git a/security/integrity/ima/ima_fs.c b/security/integrity/ima/ima_f= s.c index 96d7503a605b..174a94740da1 100644 --- a/security/integrity/ima/ima_fs.c +++ b/security/integrity/ima/ima_fs.c @@ -28,6 +28,7 @@ * Requests: * 'A\n': stage the entire measurements list * 'D\n': delete all staged measurements + * '[1, ULONG_MAX]\n' delete N measurements records */ #define STAGED_REQ_LENGTH 21 =20 
@@ -343,6 +344,7 @@ static ssize_t _ima_measurements_write(struct file *fil= e, loff_t *ppos, bool staged_interface) { char req[STAGED_REQ_LENGTH]; + unsigned long req_value; int ret; =20 if (datalen < 2 || datalen > STAGED_REQ_LENGTH) @@ -370,7 +372,24 @@ static ssize_t _ima_measurements_write(struct file *fi= le, ret =3D ima_queue_staged_delete_all(); break; default: - ret =3D -EINVAL; + if (staged_interface) + return -EINVAL; + + if (ima_flush_htable) { + pr_debug("Deleting staged N measurements not supported when flushing th= e hash table is requested\n"); + return -EINVAL; + } + + ret =3D kstrtoul(req, 10, &req_value); + if (ret < 0) + return ret; + + if (req_value =3D=3D 0) { + pr_debug("Must delete at least one entry\n"); + return -EINVAL; + } + + ret =3D ima_queue_delete_partial(req_value); } =20 if (ret < 0) @@ -379,6 +398,12 @@ static ssize_t _ima_measurements_write(struct file *fi= le, return datalen; } =20 +static ssize_t ima_measurements_write(struct file *file, const char __user= *buf, + size_t datalen, loff_t *ppos) +{ + return _ima_measurements_write(file, buf, datalen, ppos, false); +} + static ssize_t ima_measurements_staged_write(struct file *file, const char __user *buf, size_t datalen, loff_t *ppos) @@ -389,6 +414,7 @@ static ssize_t ima_measurements_staged_write(struct fil= e *file, static const struct file_operations ima_measurements_ops =3D { .open =3D ima_measurements_open, .read =3D seq_read, + .write =3D ima_measurements_write, .llseek =3D seq_lseek, .release =3D ima_measurements_release, }; @@ -470,6 +496,7 @@ static int ima_ascii_measurements_open(struct inode *in= ode, struct file *file) static const struct file_operations ima_ascii_measurements_ops =3D { .open =3D ima_ascii_measurements_open, .read =3D seq_read, + .write =3D ima_measurements_write, .llseek =3D seq_lseek, .release =3D ima_measurements_release, }; 
@@ -603,14 +630,13 @@ static int __init create_securityfs_measurement_lists= (bool staging) { const struct file_operations *ascii_ops =3D &ima_ascii_measurements_ops; const struct file_operations *binary_ops =3D &ima_measurements_ops; - umode_t permissions =3D (S_IRUSR | S_IRGRP); + umode_t permissions =3D (S_IRUSR | S_IRGRP | S_IWUSR | S_IWGRP); const char *file_suffix =3D ""; int count =3D NR_BANKS(ima_tpm_chip); =20 if (staging) { ascii_ops =3D &ima_ascii_measurements_staged_ops; binary_ops =3D &ima_measurements_staged_ops; - permissions |=3D (S_IWUSR | S_IWGRP); file_suffix =3D "_staged"; } =20 diff --git a/security/integrity/ima/ima_queue.c b/security/integrity/ima/im= a_queue.c index df1e81ea7a36..f89f0ca3d4ed 100644 --- a/security/integrity/ima/ima_queue.c +++ b/security/integrity/ima/ima_queue.c @@ -22,7 +22,7 @@ =20 #define AUDIT_CAUSE_LEN_MAX 32 =20 -static bool ima_flush_htable; +bool ima_flush_htable; =20 static int __init ima_flush_htable_setup(char *str) { 
@@ -405,6 +405,69 @@ int ima_queue_staged_delete_all(void) return 0; } =20 +/** + * ima_queue_delete_partial - Delete current measurements + * @req_value: Number of measurements to delete + * + * Delete the requested number of measurements from the current measuremen= ts + * list, and update the number of records and the binary run-time size + * accordingly. + * + * Refuse to delete current measurements if measurement is suspended, so t= hat + * dump can be done in a lockless way and user space is notified about cur= rent + * measurements being carried over to the secondary kernel, so that it doe= s not + * save them twice. + * + * Return: Zero on success, a negative value otherwise. + */ +int ima_queue_delete_partial(unsigned long req_value) +{ + unsigned long req_value_copy =3D req_value; + unsigned long size_to_remove =3D 0, num_to_remove =3D 0; + LIST_HEAD(ima_measurements_trim); + struct ima_queue_entry *qe; + int ret =3D 0; + + /* + * list_for_each_entry_rcu() without rcu_read_lock() is fine because + * only list append can happen concurrently. No list replace due to the + * staging/delete writers mutual exclusion. + */ + list_for_each_entry_rcu(qe, &ima_measurements, later, true) { + size_to_remove +=3D get_binary_runtime_size(qe->entry); + num_to_remove++; + + if (--req_value_copy =3D=3D 0) + break; + } + + /* Not enough records to delete. */ + if (req_value_copy > 0) + return -ENOENT; + + mutex_lock(&ima_extend_list_mutex); + if (ima_measurements_suspended) { + mutex_unlock(&ima_extend_list_mutex); + return -ESTALE; + } + + /* + * qe remains valid because ima_fs.c enforces single-writer exclusion. 
+ */ + __list_cut_position(&ima_measurements_trim, &ima_measurements, + &qe->later); + + atomic_long_sub(num_to_remove, &ima_num_records[BINARY]); + + if (IS_ENABLED(CONFIG_IMA_KEXEC)) + binary_runtime_size[BINARY] -=3D size_to_remove; + + mutex_unlock(&ima_extend_list_mutex); + + ima_queue_delete(&ima_measurements_trim, false); + return ret; +} + /** * ima_queue_delete - Delete measurements * @head: List head measurements are deleted from --=20 2.43.0
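Review bot: In the default: branch of _ima_measurements_write() (ima_fs.c, hunk @@ -370,7 +372,24 @@), a request refused because ima_flush_htable is set returns the same -EINVAL as a malformed number or a zero count, and the reason is only visible through pr_debug(). An attestation agent cannot tell "N is unavailable on this boot" from "the request was malformed"; returning -EOPNOTSUPP for the ima_flush_htable case would let it fall back to the A/D flow. The message text also says "Deleting staged N measurements", while N is only accepted on the non-staged interface.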
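Review bot: In create_securityfs_measurement_lists() (ima_fs.c, hunk @@ -603,14 +630,13 @@), S_IWUSR | S_IWGRP moves out of the if (staging) block, so the original ASCII and binary measurement files become user- and group-writable as well, and ima_measurements_ops and ima_ascii_measurements_ops gain .write while keeping their existing .open handlers. The changelog should state where the CAP_SYS_ADMIN check and the single-writer exclusion that ima_queue_delete_partial() relies on are enforced for these files, since neither is visible in this patch.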
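Review bot: ima_queue_delete_partial() (ima_queue.c, hunk @@ -405,6 +405,69 @@) cuts records out of ima_measurements without emitting any log or audit record, so a host whose measurement list was shortened carries no kernel-side trace of the request or of how many entries were dropped. Consider an audit message that reports num_to_remove on success. Smaller points: ret is initialised to 0 and never reassigned, so return 0 directly; num_to_remove always equals req_value when the walk succeeds, so one of the two counters can go.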
From: Roberto Sassu
To: corbet@lwn.net, skhan@linuxfoundation.org, zohar@linux.ibm.com, dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com, paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com
Cc: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, gregorylumen@linux.microsoft.com, chenste@linux.microsoft.com, nramas@linux.microsoft.com, Roberto Sassu
Subject: [PATCH v7 12/12] doc: security: Add documentation of exporting and deleting IMA measurements
Date: Fri, 5 Jun 2026 19:22:36 +0200
Message-ID: <20260605172236.2042045-13-roberto.sassu@huaweicloud.com>
In-Reply-To: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>
References: <20260605172236.2042045-1-roberto.sassu@huaweicloud.com>

From: Roberto Sassu

Add the documentation of exporting and deleting IMA measurements in
Documentation/security/IMA-export-delete.rst.

Also add the missing Documentation/security/IMA-templates.rst file in
MAINTAINERS.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu
---
 Documentation/security/IMA-export-delete.rst | 203 +++++++++++++++++++
 Documentation/security/index.rst | 1 +
 MAINTAINERS | 2 +
 3 files changed, 206 insertions(+)
 create mode 100644 Documentation/security/IMA-export-delete.rst

diff --git a/Documentation/security/IMA-export-delete.rst b/Documentation/s= ecurity/IMA-export-delete.rst new file mode 100644 index 000000000000..1600ead03b03 --- /dev/null +++ b/Documentation/security/IMA-export-delete.rst
@@ -0,0 +1,203 @@ +.. SPDX-License-Identifier: GPL-2.0 + +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D +IMA Measurements Export and Delete +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + + +Introduction +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +The IMA measurements list is currently stored in the kernel memory. Memory +occupation grows linearly with the number of records, and can become a +problem especially in environments with reduced resources. + +While there is an advantage in keeping the IMA measurements list in kernel +memory, so that it is always available for reading from the securityfs +interfaces, storing it elsewhere would make it possible to free precious +memory for other kernel usage. + +The IMA measurements list needs to be retained and safely stored for new +attestation servers to validate it. Assuming the IMA measurements list is +properly saved, storing it outside the kernel does not introduce security +issues, since its integrity is anyway protected by the TPM. + +Hence, the new IMA staging mechanism is introduced to export IMA +measurements to user space and delete them from kernel space. + +Staging consists in atomically moving the current measurements list to a +temporary list, so that measurements can be deleted afterwards. The staging +operation locks the hot path (racing with addition of new measurements) for +a very short time, only for swapping the list pointers. Deletion of the +measurements instead is done locklessly, away from the hot path. + +There are two flavors of the staging mechanism. In the staging with prompt, +all current measurements are staged, read and deleted upon confirmation. In +the staging and deleting flavor, N measurements are staged from the +beginning of the current measurements list and immediately deleted without +confirmation. 
+ + +Management of Staged Measurements +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D + +Since with the staging mechanism measurement records are removed from the +kernel, the staged measurements need to be saved in a storage and +concatenated together, so that they can be presented during remote +attestation as if staging was never done. This task can be accomplished by +a remote attestation agent modified to support staging, or a system +service. + +Coordination is necessary in the case where there are multiple actors +requesting measurements to be staged. + +In the staging with prompt case, the measurement interfaces can be accessed +only by one actor (writer) at a time, so the others will get an error until +the former closes it. Since the actors don't care about N, when they gain +access to the interface, they will get all the staged measurements at the +time of their request. + +In the case of staging and deleting, coordination is more important, since +there is the risk that two actors unaware of each other compute the value N +on the current measurements list and request IMA to stage N twice. + + +Remote Attestation Agent Workflow +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D + +Remote attestation agents can be configured to always present all the +measurements to the remote verifiers or, alternatively, to only provide the +measurements that have not been verified yet by the remote verifiers. + +In the latter case, determining which measurements need to be sent and +verified must solely depend on the remote verifier. The remote attestation +agent can proactively send partial measurements, at the condition that they +are the ones that the remote verifier needs. 
+ +An agent can rely on one of the supported staging methods to proactively +send to a remote verifier the measurements since the previous request up +to the ones that verify the TPM quote obtained in the current request. +The workflow with each staging method is the following. + +With staging with prompt, the agent stages the current measurements list, +reads and stores the measurements in a storage and immediately requests +IMA to delete the staged measurements from kernel memory. Afterwards, it +calculates N by replaying the PCR extend on the stored measurements until +the calculated PCRs match the quoted PCRs. It then keeps the measurements +in excess for the next attestation request. + +At the next attestation request, the agent performs the same steps above, +and concatenates the new measurements to the ones in excess from the +previous request. Also in this case, the agent replays the PCR extend until +it matches the currently quoted PCRs, keeps the measurements in excess and +presents the new N measurement records to the remote attestation server. + +With the staging and deleting method, the agent reads the current +measurements list, calculates N and requests IMA to delete only those. The +measurements in excess are kept in the IMA measurements list and can be +retrieved at the next remote attestation request. + +While keeping only the excess measurements in the storage could be +sufficient to serve the requests of a remote verifier, it is advised to +keep all the obtained measurements locally, as they might be needed for the +attestation with a different remote verifier. + + +Usage +=3D=3D=3D=3D=3D + +The IMA staging mechanism can be enabled from the kernel configuration with +the CONFIG_IMA_STAGING option. This option prevents inadvertently removing +the IMA measurement list on systems which do not properly save it. 
+ +If the option is enabled, IMA duplicates the current securityfs +measurements interfaces (both binary and ASCII), by adding the ``_staged`` +file suffix. Both the original and the staging interfaces gain the write +permission for the root user and group, but require the process to have +CAP_SYS_ADMIN set. + +The staging mechanism supports two flavors. + + +Staging with prompt +~~~~~~~~~~~~~~~~~~~ + +The current measurements list is moved to a temporary staging area, +allowing it to be saved to external storage, before being deleted upon +confirmation. + +This staging process is achieved with the following steps. + + 1. ``echo A > <_staged interface>``: the user requests IMA to stage the + entire measurements list; + 2. ``cat <_staged interface>``: the user reads the staged measurements; + 3. ``echo D > <_staged interface>``: the user requests IMA to delete + staged measurements. + + +Staging and deleting +~~~~~~~~~~~~~~~~~~~~ + +N measurements are staged to a temporary staging area, and immediately +deleted without further confirmation. + +This staging process is achieved with the following steps. + + 1. ``cat ``: the user reads the current measurements + list and determines what the value N for staging should be; + 2. ``echo N > ``: the user requests IMA to delete N + measurements from the current measurements list. + + +Interface Access +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +In order to avoid the IMA measurements list being suddenly truncated by the +staging mechanism during a read, or having multiple concurrent staging, a +semaphore-like locking scheme has been implemented on all the measurements +list interfaces. + +Multiple readers can access concurrently the original and staged +interfaces, and they can be in mutual exclusion with one writer. In order +to see the same state across all the measurement interfaces, the same +writer is allowed to open multiple interfaces for write or read/write. 
+ +If an illegal access occurs, the open to the measurements list interface is +denied. + + +Kexec +=3D=3D=3D=3D=3D + +In the event a kexec() system call occurs between staging and deleting, the +staged measurement records are marshalled before the current measurements +list, so that they are both available when the secondary kernel starts. + +If measurement is suspended before requesting to delete staged or current +measurements, IMA returns an error to user space to let it know that +marshalling is already in progress, so that it does not save the +measurements twice. + +IMA also disallows staging when suspending measurement, to avoid the +situation where neither measurements are carried over to the secondary +kernel, nor they are saved by user space to the storage. + + +Hash table +=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D + +By default, the template digest of staged measurement records are kept in +kernel memory (only template data are freed), to be able to detect +duplicate records independently of staging. + +The new kernel option ``ima_flush_htable`` has been introduced to +explicitly request a complete deletion of the staged measurements, for +maximum kernel memory saving. If the option has been specified, duplicate +records are still avoided on records of the current measurements list, +but there can be duplicates between different groups of staged +measurements. + +Flushing the hash table is supported only for the staging with prompt +flavor. For the staging and deleting flavor, it would have been necessary +to lock the hot path adding new measurements for the time needed to remove +each selected measurement individually. diff --git a/Documentation/security/index.rst b/Documentation/security/inde= x.rst index 3e0a7114a862..00650dcf38cb 100644 --- a/Documentation/security/index.rst +++ b/Documentation/security/index.rst @@ -8,6 +8,7 @@ Security Documentation credentials snp-tdx-threat-model IMA-templates + IMA-export-delete keys/index lsm lsm-development 
diff --git a/MAINTAINERS b/MAINTAINERS index 461a3eed6129..70ff6bae3493 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -12752,6 +12752,8 @@ R: Eric Snowberg L: linux-integrity@vger.kernel.org S: Supported T: git git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity= .git +F: Documentation/security/IMA-export-delete.rst +F: Documentation/security/IMA-templates.rst F: include/linux/secure_boot.h F: security/integrity/ F: security/integrity/ima/ --=20 2.43.0
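Review bot: The "Management of Staged Measurements" section of IMA-export-delete.rst (hunk @@ -0,0 +1,203 @@) names the risk that two actors compute N on the same list and request the deletion twice, but gives no rule that prevents it. "Interface Access" already says the same writer may open the interfaces for write or read/write, so the "Staging and deleting" steps should say whether an agent is expected to hold the interface open for writing across both the read and the write of N. The Kexec and Hash table sections should also name the error a caller sees (patch 11/12 returns -ESTALE from ima_queue_delete_partial() when measurement is suspended, and -EINVAL for N when ima_flush_htable is set), since agents have to branch on it.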