Re: [RFC 0/2] ima: evm: Add kernel cmdline options to disable IMA/EVM

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Thu, 2024-12-19 at 17:46 +0000, Song Liu wrote:
> Hi Roberto, 
> 
> Thanks for sharing these information!
> 
> > On Dec 19, 2024, at 7:40 AM, Roberto Sassu <roberto.sassu@xxxxxxxxxxxxxxx> wrote:
> 
> [...]
> 
> > > I didn't know about this history until today. I apologize if this 
> > > RFC/PATCH is moving to the direction against the original agreement. 
> > > I didn't mean to break any agreement. 
> > > 
> > > My motivation is actually the per inode memory consumption of IMA 
> > > and EVM. Once enabled, EVM appends a whole struct evm_iint_cache to 
> > > each inode via i_security. IMA is better on memory consumption, as 
> > > it only adds a pointer to i_security. 
> > > 
> > > It appears to me that a way to disable IMA and EVM at boot time can 
> > > be useful, especially for distro kernels. But I guess there are 
> > > reasons to not allow this (thus the earlier agreement). Could you 
> > > please share your thoughts on this?
> > 
> > Hi Song
> > 
> > IMA/EVM cannot be always disabled for two reasons: (1) for secure and
> > trusted boot, IMA is expected to enforce architecture-specific
> > policies; (2) accidentally disabling them will cause modified files to
> > be rejected when IMA/EVM are turned on again.
> > 
> > If the requirements above are met, we are fine on disabling IMA/EVM.
> 
> I probably missed something, but it appears to me IMA/EVM might be 
> enabled in distro kernels, but the distro by default does not 
> configure IMA/EVM, so they are not actually used. Did I misunderstand 
> something?

If "CONFIG_IMA_ARCH_POLICY" is configured, then the architecture specific policy
is configured and loaded on boot.  For x86 and arm, the architecture specific
policy rules are defined in ima_efi.c.  On power, the rules are defined in
arch/powerpc/kernel/ima_arch.c.  On most systems, the currently enabled IMA
policy rules can be viewed by cat'ing <securityfs>/integrity/ima/policy.

For more information on IMA policies, refer to
https://ima-doc.readthedocs.io/en/latest/ima-policy.html#

Mimi

> 
> > As for reserving space in the inode security blob, please refer to this
> > discussion, where we reached the agreement:
> > 
> > https://lore.kernel.org/linux-integrity/CAHC9VhTTKac1o=RnQadu2xqdeKH8C_F+Wh4sY=HkGbCArwc8JQ@xxxxxxxxxxxxxx/
> 
> AFAICT, the benefit of i_security storage is its ability to be 
> configured at boot time. If IMA/EVM cannot be disabled, it is 
> better to add them to struct inode within a "#ifdef CONFIG_"
> block. 
> 
> Thanks,
> Song
>
[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [NTFS 3]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [NTFS 3]     [Samba]     [Device Mapper]     [CEPH Development]

  Powered by Linux