Hi Roberto, On Wed, 2026-03-11 at 18:19 +0100, Roberto Sassu wrote: > From: Roberto Sassu <[email protected]> > > Introduce the ability of staging the IMA measurement list for deletion. > Staging means moving the current content of the measurement list to a > separate location, and allowing users to read and delete it. This causes > the measurement list to be atomically truncated before new measurements can > be added.
I really like this design of atomically moving and subsequently deleting the measurement list. However this is a solution, not the motivation for the patch. Please include the motivation for the patch, before describing the solution. > Staging can be done only once at a time. In the event of kexec(), > staging is reverted and staged entries will be carried over to the new > kernel. > > Staged measurements can be deleted entirely, or partially, with the > non-deleted ones added back to the IMA measurements list. This patch description is really long, which is an indication that the patch needs to be split up. Adding support for partially deleting the measurement list records, by prepending the remaining measurement records, should be a separate patch. > This allows the > remote attestation agents to easily separate the measurements that where > verified (staged and deleted) from those that weren't due to the race > between taking a TPM quote and reading the measurements list. > > User space is responsible to concatenate the staged IMA measurements list > portions (excluding the measurements added back to the IMA measurements > list) following the temporal order in which the operations were done, > together with the current measurement list. Then, it can send the collected > data to the remote verifiers. This belongs in a Documentation patch. > > The benefit of staging and deleting is the ability to free precious kernel > memory, This is the motivation for the patch. > in exchange of delegating user space to reconstruct the full > measurement list from the chunks. No trust needs to be given to user space, > since the integrity of the measurement list is protected by the TPM. Agreed the measurement list, itself, is protected by the TPM. However, relying on userspace to reassemble the chunks is another concern. Support for staging and deleting the measurement list should be configurable. Defining a Kconfig should be part of this initial patch. > By default, staging the measurements list does not alter the hash table. > When staging and deleting are done, IMA is still able to detect collisions > on the staged and later deleted measurement entries, by keeping the entry > digests (only template data are freed). > > However, since during the measurements list serialization only the SHA1 > digest is passed, and since there are no template data to recalculate the > other digests from, the hash table is currently not populated with digests > from staged/deleted entries after kexec(). > > Introduce the new kernel option ima_flush_htable to decide whether or not > the digests of staged measurement entries are flushed from the hash table, > when they are deleted. Flushing the hash table is supported only when > deleting all the staged measurements, since in that case the old hash table > can be quickly swapped with a blank one (otherwise entries would have to be > removed one by one for partial deletion). Allowing the hash table to be deleted would be an example of another patch. > > Then, introduce ascii_runtime_measurements_<algo>_staged and > binary_runtime_measurements_<algo>_staged interfaces to stage and delete > the measurements. Use 'echo A > <IMA interface>' and > 'echo D > <IMA interface>' to respectively stage and delete the entire > measurements list. Use 'echo N > <IMA interface>', with N between 1 and > ULONG_MAX - 1, to delete the selected staged portion of the measurements > list. > > The ima_measure_users counter (protected by the ima_measure_mutex mutex) > has been introduced to protect access to the measurements list and the > staged part. The open method of all the measurement interfaces has been > extended to allow only one writer at a time or, in alternative, multiple > readers. The write permission is used to stage and delete the measurements, > the read permission to read them. Write requires also the CAP_SYS_ADMIN > capability. Yes, this is part of the initial patch that adds support for staging the measurement list. > > Finally, introduce the binary_lists enum and make binary_runtime_size > and ima_num_entries as arrays, to keep track of their values for the > current IMA measurements list (BINARY), current list plus staged > measurements (BINARY_STAGED) and the cumulative list since IMA > initialization (BINARY_FULL). > > Use BINARY in ima_show_measurements_count(), BINARY_STAGED in > ima_add_kexec_buffer() and BINARY_FULL in ima_measure_kexec_event(). > > It should be noted that the BINARY_FULL counter is not passed through > kexec. Thus, the number of entries included in the kexec critical data > records refers to the entries since the previous kexec records. > > Note: This code derives from the Alt-IMA Huawei project, whose license is > GPL-2.0 OR MIT. > > Link: https://github.com/linux-integrity/linux/issues/1 > Signed-off-by: Roberto Sassu <[email protected]> The design looks good. As I mentioned above, this patch description is quite long, which is an indication that the patch needs to be split up. One method of breaking it up would be: - (Basic) support for staging measurements for deletion (based on a Kconfig) - Support for removing the hash table - Support for deleting N measurement records (and pre-pending the remaining measurement records) - Adding documentation thanks, Mimi
