The Integrity Measurement Architecture (IMA) maintains a measurement list —a record of system events used for integrity verification. The IMA event logs are the entries within this measurement list, each representing a specific event or measurement that contributes to the system's integrity assessment.
This update introduces the ability to trim, or remove, N entries from the current measurement list. Trimming involves deleting N entries from the list and clearing the corresponding entries from the hash table. This action atomically truncates the measurement list, ensuring that no new measurements can be added until the operation is complete. Importantly, only one writer can initiate this trimming process at a time, maintaining consistency and preventing race conditions. A userspace interface, ima_trim_log, has been provided for this purpose. By writing a number N to this interface, userspace can request the kernel to trim N entries from the IMA event logs. When this interface is read, it returns the number of entries trimmed during the last operation. This value is not preserved across kexec soft reboots, as it is not considered important information. To maintain a complete record, userspace is responsible for concatenating and storing the logs before initiating trimming. Userspace can then send the collected data to remote verifiers for validation. After receiving confirmation from the remote verifiers, userspace may instruct the kernel to proceed with trimming the IMA event logs accordingly. The primary benefit of this solution is the ability to free valuable kernel memory by delegating the task of reconstructing the full measurement list from log chunks to userspace. Trust is not required in userspace for the integrity of the measurement list, as its integrity is cryptographically protected by the Trusted Platform Module (TPM). Multiple readers are allowed to access the ima_trim_log interface concurrently, while only one writer can trigger log trimming at any time. During trimming, readers do not see the list and cannot access it while deletion is in progress, ensuring atomicity. Introduce the new kernel option ima_flush_htable to decide whether or not the digests of measurement entries are flushed from the hash table (from reference [2]). The ima_measure_users counter (protected by the ima_measure_lock mutex) has been introduced to protect access to the measurement list part. The open method of all the measurement interfaces has been extended to allow only one writer at a time or, in alternative, multiple readers. The write permission is used to stage/delete the measurements, the read permission to read them. Write requires also the CAP_SYS_ADMIN capability (from reference [2]). New IMA log trim event is added when trimming finish. For kernel soft reboot case, there is no need to transfer extra data from old kernel to new kernel after trimming. The time required for trimming is minimal, and IMA event logs are briefly on hold during this process, preventing read or add operations. This short interruption has no impact on the overall functionality of IMA. A new critical data record "ima_log_trim" is added in this solution. This record logs the trim event with number of entries deleted and time when this happened. User space can get the total number of entries trimmed by checking all "ima_log_trim" event in the measurement list. The following are how user space to use the measurement list and ima_log_trim interface 1. check any read/write measurement list/ima_log_trim operation, if any, wait until released 2. when no app read/write measurement list/ima_log_trim operation, set read/write flag 3. get the PCR quote first 4. read the measurement list file, close the file, send for verification with other IMA information to verifier 5. wait for response from verifier, until get the good response from verifier with number N that matched the PCR quote got in step 3 6. get the number N from the above message 7. write the N to the ima_log_trim interface 8. save total N entries of the measurement list read in step 4 to userspace 9. release read/write flag References: ----------- [1] [PATCH 0/1] Trim N entries of IMA event logs https://lore.kernel.org/linux-integrity/[email protected]/T/#t [2] [RFC][PATCH] ima: Add support for staging measurements for deletion https://lore.kernel.org/linux-integrity/[email protected]/T/#t [3] PATCH v2 0/1] Trim N entries of IMA event logs https://lore.kernel.org/linux-integrity/[email protected]/T/#t Change Log v3: - Incorporated feedback from Mimi on v2 series. - split patch into multiple patches - lock time performance improvement - Updated patch descriptions as necessary. Change Log v2: - Incorporated feedback from the Roberto on v1 series. - Adapted code from Roberto's RFC [Reference 2] - Add IMA log trim event log to record trim event - Updated patch descriptions as necessary. steven chen (3): ima: make ima event log trimming configurable ima: trim N IMA event log records ima: add new critical data record to measure log trimming .../admin-guide/kernel-parameters.txt | 4 + security/integrity/ima/Kconfig | 12 ++ security/integrity/ima/ima.h | 2 + security/integrity/ima/ima_fs.c | 182 +++++++++++++++++- security/integrity/ima/ima_queue.c | 85 ++++++++ 5 files changed, 281 insertions(+), 4 deletions(-) -- 2.43.0
