On Fri, 2026-03-20 at 10:24 -0700, steven chen wrote:
> On 3/20/2026 10:10 AM, Roberto Sassu wrote:
> > On Fri, 2026-03-20 at 09:58 -0700, steven chen wrote:
> > > On 3/20/2026 5:41 AM, Mimi Zohar wrote:
> > > > On Thu, 2026-03-19 at 14:31 -0700, steven chen wrote:
> > > > >
> > > > > > - Support for deleting N measurement records (and pre-pending the
> > > > > >   remaining measurement records)
> > > > >
> > > > > Is there any problem with bringing the work of the "stage" step
> > > > > together with the deletion step?
> > > > >
> > > > > The "trim N" method does everything that the "staged" method can do,
> > > > > right? What can the "stage" method do that the "trim N" method can't?
> > > > >
> > > > > In user space, if in the "staged" state, no other user space agent
> > > > > can access the IMA measurement list, right?
> > > > >
> > > > > Could you explain the benefit of bringing in the "stage" step?
> > > >
> > > > The performance improvement is because "staging" the IMA measurement
> > > > list takes the lock in order to move the measurement list pointer and
> > > > then releases it. New measurements can then be appended to a new
> > > > measurement list. Deleting records is done without taking the lock to
> > > > walk the staged measurement list.
> > > >
> > > > Without staging the measurement list, walking the measurement list to
> > > > trim N records requires taking and holding the lock. The performance
> > > > is dependent on the size of the measurement list.
> > > >
> > > > Your question isn't really about "staging" the measurement list
> > > > records, but requiring a userspace signal to delete them. To answer
> > > > that question, deleting N records (third patch) could imply staging
> > > > all the measurement records and immediately deleting N records without
> > > > an explicit userspace signal.
> > > >
> > > > I expect the requested "documentation" patch will provide the
> > > > motivation for the delayed deletion of the measurement list.
> > > >
> > > > Mimi
> > >
> > > "Staging" is great at reducing kernel IMA measurement list locking time.
> > >
> > > How about just staging N entries and then deleting the staged list in
> > > one shot? It means merging two APIs into one API:
> > >
> > >   int ima_queue_stage(void)
> > >   int ima_queue_delete_staged(unsigned long req_value)
> > >
> > > The kernel lock time will be the same. And user space lock time will be
> > > reduced.
> >
> > It is not the same. The walk on the staged list is done without holding
> > ima_extend_list_mutex.
> >
> > Roberto
>
> Is it possible to merge the work of the two APIs into one API?
>
>   int ima_queue_stage(void)
>   int ima_queue_delete_staged(unsigned long req_value)

It will be done transparently for the user. IMA will call both functions for
the same securityfs write.

Roberto
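The stage/delete split argued over in this thread, modelled in C as an added example (not IMA's code): a list guarded by a lock standing in for ima_extend_list_mutex, ima_queue_stage() swapping the list pointers under that lock, ima_queue_delete_staged() walking the detached list unlocked and prepending what is left to the records appended meanwhile, and one trim call running both steps as a single securityfs write would. The record layout, ima_add_record, ima_trim_records and ima_list_nth are assumptions of this model, not part of the patch set.

```c
#include <stdlib.h>
#include <stdatomic.h>
struct ima_rec { unsigned long id; struct ima_rec *next; };
/* Live list (new measurements append here), guarded by list_lock, a spinlock standing
 * in for ima_extend_list_mutex. The staged list is detached from it and walked unlocked. */
static struct ima_rec *live_head, *live_tail, *staged_head;
static atomic_flag list_lock = ATOMIC_FLAG_INIT;
static void lock_list(void) { while (atomic_flag_test_and_set(&list_lock)) {} }
static void unlock_list(void) { atomic_flag_clear(&list_lock); }
void ima_add_record(unsigned long id) {
    struct ima_rec *r = calloc(1, sizeof(*r)); r->id = id;
    lock_list();
    if (live_tail) live_tail->next = r; else live_head = r;
    live_tail = r;
    unlock_list();
}
/* Stage: the lock is held only long enough to move the list pointers. */
int ima_queue_stage(void) {
    lock_list();
    staged_head = live_head;
    live_head = live_tail = NULL;
    unlock_list();
    return 0;
}
/* Delete up to req_value staged records with no lock held, then prepend the
 * remainder to whatever was appended meanwhile. Returns the number deleted. */
unsigned long ima_queue_delete_staged(unsigned long req_value) {
    unsigned long deleted = 0; struct ima_rec *tail;
    while (staged_head && deleted < req_value) {
        struct ima_rec *victim = staged_head;
        staged_head = victim->next;
        free(victim); deleted++;
    }
    if (!staged_head) return deleted;
    for (tail = staged_head; tail->next; tail = tail->next) {}
    lock_list();
    tail->next = live_head;
    live_head = staged_head;
    if (!live_tail) live_tail = tail;
    unlock_list();
    staged_head = NULL;
    return deleted;
}
/* One securityfs write runs both steps back to back, as the reply describes. */
unsigned long ima_trim_records(unsigned long n) { ima_queue_stage(); return ima_queue_delete_staged(n); }
/* Inspection helper for a quiescent list: id of the i-th live record, 0 if none. */
unsigned long ima_list_nth(size_t i) {
    struct ima_rec *r = live_head;
    while (r && i--) r = r->next;
    return r ? r->id : 0;
}
```

A record added between the stage and the delete ends up after the surviving staged records, which is the "pre-pending the remaining measurement records" behaviour from the cover letter.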

