Hi Roberto, Thanks for sharing these information! > On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote: [...] >> I didn't know about this history until today. I apologize if this >> RFC/PATCH is moving to the direction against the original agreement. >> I didn't mean to break any agreement. >> >> My motivation is actually the per inode memory consumption of IMA >> and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to >> each inode via i_security. IMA is better on memory consumption, as >> it only adds a pointer to i_security. >> >> It appears to me that a way to disable IMA and EVM at boot time can >> be useful, especially for distro kernels. But I guess there are >> reasons to not allow this (thus the earlier agreement). Could you >> please share your thoughts on this? > > Hi Song > > IMA/EVM cannot be always disabled for two reasons: (1) for secure and > trusted boot, IMA is expected to enforce architecture-specific > policies; (2) accidentally disabling them will cause modified files to > be rejected when IMA/EVM are turned on again. > > If the requirements above are met, we are fine on disabling IMA/EVM. I probably missed something, but it appears to me IMA/EVM might be enabled in distro kernels, but the distro by default does not configure IMA/EVM, so they are not actually used. Did I misunderstand something? > As for reserving space in the inode security blob, please refer to this > discussion, where we reached the agreement: > > https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@xxxxxxxxxxxxxx/ AFAICT, the benefit of i_security storage is its ability to be configured at boot time. If IMA/EVM cannot be disabled, it is better to add them to struct inode within a "#ifdef CONFIG_" block. Thanks, Song
