On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <[email protected]>
>
> Introduction
> ============
>
> The IMA measurements list is currently stored in the kernel memory.
> Memory occupation grows linearly with the number of entries, and can
> become a problem especially in environments with reduced resources.
>
> While there is an advantage in keeping the IMA measurements list in
> kernel memory, so that it is always available for reading from the
> securityfs interfaces, storing it elsewhere would make it possible to
> free precious memory for other kernel components.

-> for other kernel usage.

Prefix the following paragraph with: The IMA measurement list needs to be
retained and safely stored for new attestation servers to validate the
entire measurement list. Assuming the IMA measurement list is properly
saved, storing ...

> Storing the IMA measurements list outside the kernel does not introduce
> security issues, since its integrity is anyway protected by the TPM.
>
> Hence, the new IMA staging mechanism is introduced to allow user space
> to remove the desired portion of the measurements list from the kernel.

"desired portion" could be misconstrued as any subset of the measurement
list.

-> to remove the entire or a portion of the measurement list ...

>
> Usage
> =====
> The IMA staging mechanism can be enabled from the kernel configuration
> with the CONFIG_IMA_STAGING option.

Continue with: This option prevents inadvertently removing the IMA
measurement list on systems which do not properly save it.

>
> If it is enabled, IMA duplicates the current measurements interfaces

-> duplicates the current securityfs measurement list interfaces

> (both binary and ASCII), by adding the _staged file suffix. Both the
> original and the staging interfaces gain the write permission for the
> root user and group, but require the process to have CAP_SYS_ADMIN set.
>
> The staging mechanism supports two flavors.
>
> Staging with prompt
> ~~~~~~~~~~~~~~~~~~~
>
> The current measurements list is moved to a temporary staging area, and
> staged measurements are deleted upon confirmation.

-> The current measurement list is moved to a temporary staging area,
allowing it to be saved to external storage, before being deleted upon
confirmation.

>
> This staging process is achieved with the following steps.
>
> 1. echo A > <original interface>: the user requests IMA to stage the
>    entire measurements list;
> 2. cat <_staged interface>: the user reads the staged measurements;
> 3. echo D > <_staged interface>: the user requests IMA to delete
>    staged measurements.
>
> Staging and deleting
> ~~~~~~~~~~~~~~~~~~~~
>
> N measurements are staged to a temporary staging area, and immediately
> deleted without further confirmation.
>
> This staging process is achieved with the following steps.
>
> 1. cat <original interface>: the user reads the current measurements
>    list and determines what the value N for staging should be;
> 2. echo N > <original interface>: the user requests IMA to delete N
>    measurements from the current measurements list.
>
>
> Management of Staged Measurements
> =================================
>
> Since with the staging mechanism measurement entries are removed from
> the kernel, the user needs to save the staged ones in a storage and
> concatenate them together, so that it can present them to remote
> attestation agents as if staging was never done.

"the user needs to save the staged ones" -> the staged measurements need
to be saved ....

Please mention this could be a system service.

thanks,

Mimi
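A shell script that carries out the "staging with prompt" procedure from the cover letter (echo A, cat, echo D), added here as an illustration of the retention point raised in the reply; it is not part of the patch series or of the IMA tree. Only the interface names (the original securityfs file plus the _staged suffix) come from the cover letter; the archive path, the IMA_ARCHIVE_RUN switch and the function name are assumptions for this example. The staged entries are written to durable storage before the delete confirmation is sent, so the list is never lost between steps 2 and 3, and successive runs append in order so the saved chunks can later be concatenated.

```shell
#!/bin/sh
# Added example, not from the patch series: archive the IMA measurement
# list using the proposed "staging with prompt" flow (echo A, cat, echo D).
# Only the interface names come from the cover letter; the archive path
# and the IMA_ARCHIVE_RUN switch below are assumptions for this example.

# ima_stage_and_archive ORIG STAGED ARCHIVE
#   ORIG    original securityfs interface (binary_runtime_measurements)
#   STAGED  the matching *_staged interface
#   ARCHIVE append-only file that receives the removed entries
# Returns 0 on success, 1 on I/O failure, 2 when nothing was staged.
ima_stage_and_archive() {
    orig=$1; staged=$2; archive=$3

    # Step 1: request staging of the entire measurement list.
    echo A > "$orig" || return 1

    # Step 2: read the staged entries into a temporary file first, so that
    # a short read never leaves a truncated chunk in the archive.
    tmp=$(mktemp) || return 1
    if ! cat "$staged" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"; return 2   # nothing staged: do not send a delete
    fi
    cat "$tmp" >> "$archive" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    sync                         # make the copy durable before step 3

    # Step 3: confirm deletion only now that the entries are on disk.
    echo D > "$staged"
}

# Stand-alone use against the real interfaces (assumed paths); the
# IMA_ARCHIVE_RUN guard keeps the script inert when merely sourced:
#   IMA_ARCHIVE_RUN=1 ./ima_archive.sh
if [ "${IMA_ARCHIVE_RUN:-0}" = 1 ]; then
    orig=${1:-/sys/kernel/security/ima/binary_runtime_measurements}
    ima_stage_and_archive "$orig" "${orig}_staged" \
        "${2:-/var/lib/ima/measurements.bin}"
fi
```

The function takes the three paths as arguments so the same logic can be exercised against ordinary files before being pointed at securityfs; a service wrapper would run it as root with CAP_SYS_ADMIN, as the cover letter requires for writes to either interface, and would treat exit status 2 (nothing staged) as a no-op rather than an error.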

