On Mon, 2025-04-07 at 09:34 +0800, Baoquan He wrote:
> On 04/03/25 at 04:03pm, Mimi Zohar wrote:
> > On Wed, 2025-04-02 at 19:49 +0800, Baoquan He wrote:
> > > On 04/02/25 at 04:43pm, Coiby Xu wrote:
> > > > On Tue, Apr 01, 2025 at 11:30:09PM -0400, Mimi Zohar wrote:
> > > > > On Wed, 2025-04-02 at 09:47 +0800, RuiRui Yang wrote:
> > > > [...]
> > > > > > > > that. Please don't make it generic like this.
> > > > > > > >
> > > > > > > > Please refer to ima_appraise_parse_cmdline().
> > > > > > >
> > > > > > > Hi Mimi,
> > > > > > >
> > > > > > > To save memory for kdump, it seems init_ima has been to be
> > > > > > > skipped thus
> > > > > > > ima=off is necessary (ima_appraise=off won't serve the purpose).
> > > > > > > Or do
> > > > > > > you have any specific concerns in mind?
> > > > > >
> > > > > > I think as Mimi said see below logic enforces the IMA even with the
> > > > > > cmdline disabling, see ima_appraise_parse_cmdline:
> > > > > > if (sb_state) {
> > > > > > if (!(appraisal_state & IMA_APPRAISE_ENFORCE))
> > > > > > pr_info("Secure boot enabled: ignoring
> > > > > > ima_appraise=%s option",
> > > > > > str);
> > > > > > } else {
> > > > > > ima_appraise = appraisal_state;
> > > > > > }
> > > >
> > > > Thanks for pointing me to the above code! Note with the whole IMA
> > > > disabled as done by this patch, the above code will not run so IMA
> > > > (appraisal) won't be enforced.
> > > >
> > > > >
> > > > > Thanks, RuiRui.
> > > > >
> > > >
> > > > Mimi, so do I understand it correctly that your want IMA-appraisal to be
> > > > always enabled as long as secure boot is enabled even if users choose to
> > > > disable IMA?
> >
> > Secure boot is not the only reason. Based on policy IMA-appraisal and EVM
> > calculate and store file hashes and HMAC's in their respective security
> > xattrs.
> > Normally the usage of file hashes and HMAC's is limited to mutable files.
> > Disabling IMA-appraisal could result in not properly updating the security
> > xattrs, which would result in not being able to verify the file's integrity
> > on
> > reboot.
> >
> > On systems where the RPM includes file signatures, file signatures of
> > immutable
> > files can be safely restored. Although it is possible to walk the
> > filesystem(s)
> > "fixing" the xattrs of mutable files, it defeats the purpose. "fix" mode
> > should
> > only be enabled in a trusted environment.
> >
> > > > I wonder what security issue will it bring if this promise
> > > > gets broken considering other LSMs can SELinux can be disabled when
> > > > secure boot is enabled?
> >
> > The builtin IMA policy rules are not defined in terms of SELinux labels.
> > If the
> > initial IMA custom policy defines rules based on SELinux labels and SELinux
> > is
> > not enabled, the policy will fail to be loaded.
> >
> > > > > Coiby, would disabling just IMA-measurement, as opposed to
> > > > > IMA-appraisal, save
> > > > > sufficient memory for kdump?
> > > >
> > > > For disabling just IMA-measurement, do you mean not enabling any measure
> > > > rules? The more memory reserved for the kdump kernel, the less memory
> > > > can be used by the 1st kernel. So from the perfective of kdump, we try
> > > > to make the memory footprint as smaller as possible.
> >
> > Got it.
> >
> > > > Baoquan, do you have any statistics about the memory overhead of IMA?
> > >
> > > I am getting a system to check that. I think there are two aspects of
> > > IMA functionality we want to disable. One is disable the IMA-measurement
> > > copying from 1st kernel to 2nd kernel, this is only needed by kexec
> > > reboot; the other is IMA is not needed at all in kdump kernel, means we
> > > don't want to call ima_init() to initialize
> > > ima_keyring/crypto/template/digests/fs etc.
> > >
> > > With my shallow knowledge about IMA, I don't know how to imitate
> > > appraisal cmdline to disable IMA partially in kdump kernel case.
>
> Thanks for detailed explanations. Just back from holiday, sorry for late
> reply.
>
> >
> > The IMA policy controls how much or how little IMA measures and appraises.
> > Most
> > of the memory usage is the IMA measurement list, itself, and the per file
> > cache
> > info. (The per file cache info limits re-measuring or re-appraising files.)
>
> In Steve Chen's kexec supporting ima patchset, kdump kernel loading
> should skip ima_kexec buffers allocating and storing via checking if
> (image->type == KEXEC_TYPE_CRASH).
> >
> > Similarly my knowledge of kdump is very limited. Is there a way for the
> > kernel
> > to differentiate between kexec and kdump? If we need a mechanism to disable
> > IMA-measurement, I'd *really* prefer it be limited to kdump.
>
> Yes, function is_kdump_kernel() is provided for checking if the current
> kernel is in kdump kernel.
>
> As said in earlier reply, for kdump kernel, there are two things we
> should do:
> 1) when loading 2nd kernel to prepare for switching, we should not
> allocate buffer and store IMA measurement list;
> 2) when switched into kdump kernel, we should not call ima_init() to do
> kinds of init which is useless.
>
> My personnal opinion.
Thanks for pointing out the KEXEC_TYPE_CRASH check and is_kdump_kernel(). Both
changes sound reasonable.
Mimi
