On Tue, 2025-05-27 at 11:25 +0800, Pingfan Liu wrote:

When responding to kernel mailing lists, please use plain text, not MIME encoded.

> On Thu, May 22, 2025 at 10:52 PM Baoquan He <b...@redhat.com> wrote:
> > On 05/22/25 at 07:08am, Mimi Zohar wrote:
> > > On Thu, 2025-05-22 at 11:24 +0800, Baoquan He wrote:
> > > > On 05/21/25 at 08:54am, Mimi Zohar wrote:
> > > > > On Fri, 2025-05-16 at 08:22 +0800, Baoquan He wrote:
> > > > > > CC kexec list.
> > > > > >
> > > > > > On 05/16/25 at 07:39am, Baoquan He wrote:
> > > > > > > Kdump kernel doesn't need IMA functionality, and enabling IMA
> > > > > > > will cost extra memory. It would be very helpful to allow IMA
> > > > > > > to be disabled for kdump kernel.
> > > >
> > > > Thanks a lot for careful reviewing and great suggestions.
> > > >
> > > > >
> > > > > The real question is not whether kdump needs "IMA", but whether
> > > > > not enabling IMA in the kdump kernel could be abused. The comments
> > > > > below don't address that question but limit/emphasize, as much as
> > > > > possible, turning IMA off is limited to the kdump kernel.
> > > >
> > > > Are you suggesting removing below paragraph from patch log because
> > > > they are redundant? I can remove it in v2 if yes.
> > >
> > > "The comments below" was referring to my comments on the patch, not
> > > the next paragraph. "don't address that question" refers to whether
> > > the kdump kernel could be abused.
> > >
> > > We're trying to close integrity gaps, not add new ones. Verifying the
> > > UKI's signature addresses the integrity of the initramfs. What about
> > > the integrity of the kdump initramfs (or for that matter the kexec
> > > initramfs)? If the kdump initramfs was signed, IMA would be able to
> > > verify it before the kexec.
>
> IMHO, from the higher level, if there is a requirement on the integrity
> of the initramfs, it should take a similar approach as UKI. And the
> system admin can choose whether to disable the unsafe format loader or
> not.

Yes, that is a possibility, probably a good aim, but in the case of
kexec/kdump that isn't really necessary. As filesystem(s) support xattrs,
IMA policies could be written in terms of "func=KEXEC_INITRAMFS_CHECK" to
include the initramfs.

>
> This other thing is how to make a handy signature on initramfs? It is
> neither PE nor ELF.

IMA supports signatures stored in the security.ima xattr or as appended
signatures.

Mimi
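
Added example, not part of the thread and not kernel or project code: a simplified audit of IMA policy text that reports whether the kexec/kdump initramfs is appraised via func=KEXEC_INITRAMFS_CHECK, and whether the rule demands a signature in the security.ima xattr (imasig) or also accepts an appended one (modsig). The function names and sample policies are constructed, and rules that carry no func= condition are ignored as a simplifying assumption.

```python
from typing import NamedTuple

FUNC = "KEXEC_INITRAMFS_CHECK"

class Coverage(NamedTuple):
    appraised: bool           # an appraise rule names the kexec initramfs hook
    signature_required: bool  # appraise_type includes imasig (hash alone is not enough)
    appended_ok: bool         # appraise_type includes modsig (appended signature accepted)

def parse_rule(line):
    """Split one policy line into (action, {key: value}); None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    action, *fields = line.split()
    return action, dict(f.split("=", 1) for f in fields if "=" in f)

def initramfs_coverage(policy_text):
    """Return the Coverage given by the first appraise/dont_appraise rule for FUNC.

    Rules are read in order, so an earlier dont_appraise for the same hook
    exempts the initramfs. Only imasig and modsig are recognised here.
    """
    for line in policy_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule[1].get("func") != FUNC:
            continue
        action, opts = rule
        if action == "dont_appraise":
            return Coverage(False, False, False)
        if action == "appraise":
            types = opts.get("appraise_type", "").split("|")
            return Coverage(True, "imasig" in types, "modsig" in types)
    return Coverage(False, False, False)

# Constructed sample policies (not taken from any real system).
SIGNED_INITRAMFS = """\
# kexec kernel and initramfs must both carry a signature
measure func=KEXEC_INITRAMFS_CHECK
appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig|modsig
appraise func=KEXEC_INITRAMFS_CHECK appraise_type=imasig|modsig
"""
KERNEL_ONLY = "appraise func=KEXEC_KERNEL_CHECK appraise_type=imasig\n"
HASH_ONLY = "appraise func=KEXEC_INITRAMFS_CHECK\n"

if __name__ == "__main__":
    for name in ("SIGNED_INITRAMFS", "KERNEL_ONLY", "HASH_ONLY"):
        print(name, initramfs_coverage(globals()[name]))
```

The KERNEL_ONLY case is the gap discussed in the thread: the kexec kernel image is appraised while the initramfs loaded beside it is not.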