So enabling this consumes an extra sizeof(atomic_t) bytes per inode. Instrumenting the kernel with it enabled we see:
* To boot a system: 0.113 MB allocated + 23 x 4K slabs in iint_cache, total: 0.203 MB consumed for ~1288 cached file entries.
* Install kernel + headers: 0.401 MB allocated + 37 x 4K slabs in iint_cache, total: 0.547 MB consumed for ~2072 cached file entries.
* Build a kernel (as root, stress test): 12.945 MB allocated + 1023 x 4K slabs in iint_cache, total: 16.941 MB consumed for ~57344 cached file entries.

So, typically we are seeing ~310 bytes per cached IMA file entry consumed in the iint_cache slab and misc IMA file metadata.

Looking at the file system benchmarks, IMA built in but not enabled does impact ext2, ext3 performance, but other file systems seem to run w/o any impact. I may re-test the ext2/ext3 and also look at why we are seeing the impact on ext2, ext3 if we enabled IMA.

File system performance impact on IOZONE tests with IMA appraise enabled:
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext2
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext3
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext4
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_xfs
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_btrfs

--
https://bugs.launchpad.net/bugs/1244627

Title:
  Please enable CONFIG_IMA in the ubuntu kernel

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed

Bug description:
  I would be doubly happy if this also went into the raring backport kernel.

  I chatted with apw and kees on #ubuntu-kernel earlier in the week. From a security engineer on our team:

  so I was mistaken. if CONFIG_IMA=y, the default policy is NULL unless you boot with ima_tcb=on. without ima_tcb=y, nothing is measured, nothing is audited, no performance/memory hit is incurred.

  Same is true for CONFIG_IMA_APPRAISE, except with the ima_appraise_tcb=on commandline parameter. ima appraise gives us the ability to sign binaries at installation time and check the signature at runtime.

  So we are asking that you enable CONFIG_IMA, but to not enable it via the kernel command line options. IMA would boot with an empty policy and should incur no overhead. Enterprising folks who want to run IMA can enable it in grub at their option.

  CONFIG_IMA=y
  and possibly:
  CONFIG_IMA_MEASURE_PCR_IDX=10
  CONFIG_IMA_AUDIT=y
  CONFIG_IMA_LSM_RULES=y

  -A
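The memory figures above come from reading the iint_cache line out of /proc/slabinfo and adding the slab pages to the separately allocated IMA metadata. The script below is an added example, not code from the bug thread or from the Ubuntu kernel team: it parses a constructed /proc/slabinfo excerpt (the iint_cache line is modelled on the post's boot case, 1288 entries in 23 one-page slabs, with an assumed object size of 72 bytes so that 56 objects fit per page), assumes 4K pages, and reads the post's "MB allocated" as MiB, which is the interpretation under which the stress-test total works out to the ~310 bytes per entry the post quotes. The functions take an optional file argument so the same parsing can be pointed at a live /proc/slabinfo on a box booted with ima_tcb.

```shell
#!/bin/sh
# Added example, not code from the bug thread: compute the iint_cache
# footprint the way the post does, from data in /proc/slabinfo layout.

# Constructed sample in /proc/slabinfo (version 2.1) layout. The iint_cache
# line is modelled on the post's boot figures: 1288 cached entries in 23
# slabs of one 4K page each (assumed objsize 72 => 56 per page, 23*56 = 1288).
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
dentry            21000 21000    192   21    1 : tunables    0    0    0 : slabdata   1000   1000      0
iint_cache         1288  1288     72   56    1 : tunables    0    0    0 : slabdata     23     23      0'

PAGE_SIZE=4096   # assumption: 4K pages, matching the post's "4K slabs"

# Emit FILE if given, otherwise the constructed sample.
slabinfo_source() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_SLABINFO"; fi
}

# slab_bytes NAME [FILE]: bytes pinned by NAME's slab pages, i.e.
# num_slabs (field 15) * pagesperslab (field 6) * PAGE_SIZE. Fails if
# the cache is absent, which is what you see when IMA never ran.
slab_bytes() {
    slabinfo_source "$2" | awk -v name="$1" -v page="$PAGE_SIZE" '
        $1 == name { printf "%d\n", $15 * $6 * page; found = 1 }
        END { if (!found) exit 1 }'
}

# slab_active_objs NAME [FILE]: live objects, i.e. cached IMA file entries.
slab_active_objs() {
    slabinfo_source "$2" | awk -v name="$1" '
        $1 == name { print $2; found = 1 }
        END { if (!found) exit 1 }'
}

# bytes_per_entry ALLOC_MIB SLAB_BYTES ENTRIES: per cached file cost,
# combining the separately allocated metadata (MiB) with the slab pages.
bytes_per_entry() {
    awk -v alloc="$1" -v slab="$2" -v n="$3" \
        'BEGIN { printf "%d\n", (alloc * 1048576 + slab) / n }'
}

# Reproduce the post's boot case from the sample and its stress-test case
# from the quoted numbers (1023 slabs, 12.945 MB allocated, 57344 entries).
main() {
    boot_slab=$(slab_bytes iint_cache)
    echo "boot: iint_cache slab pages = $boot_slab bytes for $(slab_active_objs iint_cache) entries"
    echo "boot: $(bytes_per_entry 0.113 "$boot_slab" 1288) bytes per cached entry"
    echo "kernel build: $(bytes_per_entry 12.945 $((1023 * PAGE_SIZE)) 57344) bytes per cached entry"
}
main
```

On a live system the check is `slab_bytes iint_cache /proc/slabinfo`; if the cache is missing or stays at zero objects across a boot, IMA is built in but its policy is empty, which is exactly the "no overhead" state the bug description asks for.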