On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <[email protected]>
>
> Introduce the ability of staging the IMA measurement list and deleting them
> with a prompt.
>
> Staging means moving the current content of the measurement list to a

-> moving the current measurement list records ...

> separate location, and allowing users to read and delete it. This causes
> the measurement list to be atomically truncated before new measurements can
> be added.

The wording is a bit off - "before new measurements can be added". One of the main objectives of staging the measurement list is to allow new measurement records to continue to be added to the measurement list, while the staged measurements are exported.

> Staging can be done only once at a time. In the event of kexec(),
> staging is reverted and staged entries will be carried over to the new
> kernel.
>
> Introduce ascii_runtime_measurements_<algo>_staged and
> binary_runtime_measurements_<algo>_staged interfaces to access and delete
> the measurements. Also, add write permission to the original measurement
> interfaces.

Wondering if adding "write" permission to the original measurement interface will change based on your 9/13 comment.

The patch, like others in this patch set, is well written. There are a couple of inline comments. I'll defer reviewing the rest of this patch to v6.

>
> Use 'echo A > <IMA original interface>' and
> 'echo D > <IMA _staged interface>' to respectively stage and delete the
> entire measurements list. Locking of these interfaces is also mediated with
> a call to _ima_measurements_open() and with ima_measurements_release().
>
> Implement the staging functionality by introducing the new global
> measurements list ima_measurements_staged, and ima_queue_stage() and
> ima_queue_staged_delete_all() to respectively move measurements from the
> current measurements list to the staged one, and to move staged
> measurements to the ima_measurements_trim list for deletion. Introduce
> ima_queue_delete() to delete the measurements.
>
> Finally, introduce the BINARY_STAGED and BINARY_FULL binary measurements
> list types, to maintain the counters and the binary size of staged
> measurements and the full measurements list (including entries that were
> staged). BINARY still represents the current binary measurements list.
>
> Use the binary size for the BINARY + BINARY_STAGED types in
> ima_add_kexec_buffer(), since both measurements list types are copied to
> the secondary kernel during kexec. Use BINARY_FULL in
> ima_measure_kexec_event(), to generate a critical data record.
>
> It should be noted that the BINARY_FULL counter is not passed through
> kexec. Thus, the number of entries included in the kexec critical data
> records refers to the entries since the previous kexec records.
>
> Note: This code derives from the Alt-IMA Huawei project, whose license is
> GPL-2.0 OR MIT.
>
> Link: https://github.com/linux-integrity/linux/issues/1
> Suggested-by: Gregory Lumen <[email protected]> (staging
> revert)
> Signed-off-by: Roberto Sassu <[email protected]>
> ---
> security/integrity/ima/Kconfig | 13 +++
> security/integrity/ima/ima.h | 8 +-
> security/integrity/ima/ima_fs.c | 181 ++++++++++++++++++++++++++---
> security/integrity/ima/ima_kexec.c | 24 +++-
> security/integrity/ima/ima_queue.c | 97 +++++++++++++++-
> 5 files changed, 302 insertions(+), 21 deletions(-)
>
> diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
> index 862fbee2b174..48c906793efb 100644
> --- a/security/integrity/ima/Kconfig
> +++ b/security/integrity/ima/Kconfig
> @@ -332,4 +332,17 @@ config IMA_KEXEC_EXTRA_MEMORY_KB > If set to the default value of 0, an extra half page of memory for > those > additional measurements will be allocated. > > +config IMA_STAGING > + bool "Support for staging the measurements list" > + default y Exporting and deleting the IMA measurement list carries an inherent security risk: if the measurements are not durably stored before deletion, they are permanently lost. Deletion should be treated as experimental until a trusted service exists to guarantee safe storage. Please change the default to 'n'. > + help > + Add support for staging the measurements list. > + > + It allows user space to stage the measurements list for deletion and > + to delete the staged measurements after confirmation. > + > + On kexec, staging is reverted and staged measurements are prepended -> staging is aborted and any staged measurement records are .copied .. > + to the current measurements list when measurements are copied to the > + secondary kernel. > + > endif Mimi
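Review bot: The IMA_STAGING help text never says that deleting staged measurements is irreversible, nor that user space is expected to export and durably store the staged records before writing 'D' to the _staged interface; combined with `default y`, an admin enabling the option gets no hint of that risk. Suggest adding a sentence after "to delete the staged measurements after confirmation." along the lines of "Deleted measurements cannot be recovered; export and store the staged records before deleting them.", and, per the review above, changing `default y` to `default n` (a bool with no default line also defaults to n). The kexec sentence could also mention that a pending staging is reverted, matching the commit message, so the help text and the described behaviour stay consistent.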

