On Wed, 2 Apr 2025 at 09:41, Coiby Xu <c...@redhat.com> wrote:
>
> On Mon, Mar 31, 2025 at 08:15:08AM -0400, Mimi Zohar wrote:
> >On Mon, 2025-03-31 at 14:16 +0800, Baoquan He wrote:
> >> It doesn't make sense to run IMA functionality in kdump kernel, and that
> >> will cost extra memory. It would be great to allow IMA to be disabled on
> >> purpose, e.g. for kdump kernel.
> >>
> >> Hence add a knob here to allow people to disable IMA if needed.
> >>
> >> Signed-off-by: Baoquan He <b...@redhat.com>
> >> ---
> >> security/integrity/ima/ima_main.c | 21 +++++++++++++++++++++
> >> 1 file changed, 21 insertions(+)
> >>
> >> diff --git a/security/integrity/ima/ima_main.c
> >> b/security/integrity/ima/ima_main.c
> >> index 28b8b0db6f9b..5d677d1389fe 100644
> >> --- a/security/integrity/ima/ima_main.c
> >> +++ b/security/integrity/ima/ima_main.c
> >> @@ -38,11 +38,27 @@ int ima_appraise;
> >>
> >> int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
> >> static int hash_setup_done;
> >> +static int ima_disabled = 0;
> >>
> >> static struct notifier_block ima_lsm_policy_notifier = {
> >> .notifier_call = ima_lsm_policy_change,
> >> };
> >>
> >> +static int __init ima_setup(char *str)
> >> +{
> >> + if (strncmp(str, "off", 3) == 0)
> >> + ima_disabled = 1;
> >> + else if (strncmp(str, "on", 2) == 0)
> >> + ima_disabled = 0;
> >> + else
> >> + pr_err("invalid ima setup option: \"%s\" ", str);
> >> +
> >> + return 1;
> >> +}
> >> +__setup("ima=", ima_setup);
> >
> >I understand your wanting to disable IMA for Kdump, but this goes way beyond
> >that. Please don't make it generic like this.
> >
> >Please refer to ima_appraise_parse_cmdline().
>
> Hi Mimi,
>
> To save memory for kdump, it seems init_ima has to be skipped, thus
> ima=off is necessary (ima_appraise=off won't serve the purpose). Or do
> you have any specific concerns in mind?
I think, as Mimi said, the logic below enforces IMA even with the cmdline disabling it; see ima_appraise_parse_cmdline():

	if (sb_state) {
		if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
			pr_info("Secure boot enabled: ignoring ima_appraise=%s option", str);
	} else {
		ima_appraise = appraisal_state;
	}

>
> >
> >Mimi
> >
> >> +
> >> +
> >> +
> >> static int __init hash_setup(char *str)
> >> {
> >> struct ima_template_desc *template_desc = ima_template_desc_current();
> >> @@ -1176,6 +1192,11 @@ static int __init init_ima(void)
> >> {
> >> int error;
> >>
> >> + if (ima_disabled) {
> >> + pr_info("IMA functionality is disabled on purpose!");
> >> + return 0;
> >> + }
> >> +
> >> ima_appraise_parse_cmdline();
> >> ima_init_template_list();
> >> hash_setup(CONFIG_IMA_DEFAULT_HASH);
> >
> >
>
> --
> Best regards,
> Coiby
>
>
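Review bot: the `ima=` knob added in the `@@ -38,11 +38,27 @@` hunk is an ungated, generic command-line switch, which is the concern Mimi raises: anyone who controls the kernel command line can turn measurement and appraisal off outright, while the existing `ima_appraise=` handling it sits beside deliberately ignores a relaxing option when secure boot is enabled (the `if (sb_state)` branch quoted in the reply above). If the goal is only the kdump kernel, restrict the override to that case, or apply the same `sb_state` check and log that the option was ignored, instead of exposing a blanket off switch. Smaller points in the same hunk: `strncmp(str, "off", 3)` and `strncmp(str, "on", 2)` are prefix matches, so `ima=offline` or `ima=online` are silently accepted (use `strcmp()` or `kstrtobool()`); the `pr_err()` format has a stray space before the closing quote and no trailing `\n`; `static int ima_disabled = 0;` needs no explicit zero initialiser and, since it is only written from `__setup`, could be `__ro_after_init` like `ima_hash_algo` two lines above it; the three trailing `+` blank lines after `__setup("ima=", ima_setup);` are stray whitespace; and no documentation for the new `ima=` parameter accompanies the change.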
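Review bot: the early return in the `@@ -1176,6 +1192,11 @@` hunk sits before `ima_appraise_parse_cmdline()`, so when `ima=off` is given the secure-boot check inside that function (the `if (sb_state)` logic quoted in the reply above, which refuses an `ima_appraise=` option that would weaken enforcement) never runs; the new knob therefore bypasses exactly the protection the reply points to. If the knob is kept, evaluate it after that check, or under the same `sb_state` condition, and log that it was ignored rather than returning early. Also, `return 0;` reports a successful initialisation even though `ima_init_template_list()` and `hash_setup()` have not run; a comment stating that the rest of IMA is intentionally left uninitialised would help a later reader, and the `pr_info("IMA functionality is disabled on purpose!")` message lacks a trailing `\n` and would read better as something like `"IMA disabled on the kernel command line\n"`.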