On Wed, 2026-04-29 at 18:03 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <[email protected]>
>
> Add support for sending a value N between 1 and ULONG_MAX to the IMA
> original measurement interface. This value represents the number of
> measurements that should be deleted from the current measurements list. In
> this case, measurements are staged in an internal non-user visible list,
> and immediately deleted.
>
> This staging method allows the remote attestation agents to easily separate
> the measurements that were verified (staged and deleted) from those that
> weren't due to the race between taking a TPM quote and reading the
> measurements list.

The reason for removing records from the IMA measurement list is to free kernel memory. However, the level of precision in removing only those measurements needed for the quote seems necessary only if the measurement records are not being saved. Upstreaming a feature to remove measurement records from the IMA measurement list is to address the kernel memory issue — clearly not to drop measurement records and break attestation.

>
> In order to minimize the locking time of ima_extend_list_mutex, deleting
> N entries is realized by doing a lockless walk in the current measurements
> list to determine the N-th entry to cut, to cut the current measurements
> list under the lock, and by deleting the excess entries after releasing the
> lock.
>
> Flushing the hash table is not supported for N entries, since it would
> require removing the N entries one by one from the hash table under the
> ima_extend_list_mutex lock, which would increase the locking time.
>
> The ima_extend_list_mutex lock is necessary in ima_dump_measurement_list()
> because ima_queue_delete_partial() uses __list_cut_position() to modify
> ima_measurements, for which no RCU-safe variant exists. For the staging
> with prompt flavor alone, list_replace_rcu() could have been used instead,
> but since both flavors share the same kexec serialization path, the mutex
> is required regardless.

Thank you for the clear explanation for the changes and limitations required to support this feature. The changes needed for supporting "stage and delete N" measurement records should be limited to this patch. Patch 9/13 should have used list_replace_rcu(), without the mutex_lock.

>
> Link: https://github.com/linux-integrity/linux/issues/1
> Suggested-by: Steven Chen <[email protected]>
> Signed-off-by: Roberto Sassu <[email protected]>

Otherwise,

Reviewed-by: Mimi Zohar <[email protected]>
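The walk, cut, and free sequence described in the quoted commit message, as an added userspace model that is not part of the original message or of the kernel patch. All names (`model_append`, `model_delete_first_n`, `extend_lock`) are hypothetical, and refusing a request for more entries than exist is an assumed policy. The model is exercised single-threaded; a concurrent build would need atomic loads for the unlocked walk.

```c
#include <pthread.h>
#include <stdlib.h>
/* Userspace model; every name here is hypothetical, not a kernel symbol. */
struct entry { struct entry *next; unsigned long id; };
static struct entry *head, *tail;
static unsigned long nr_entries;
static pthread_mutex_t extend_lock = PTHREAD_MUTEX_INITIALIZER;

/* Stands in for appending a new measurement at the tail. */
int model_append(unsigned long id)
{
    struct entry *e = calloc(1, sizeof(*e));
    if (!e)
        return -1;
    e->id = id;
    pthread_mutex_lock(&extend_lock);
    if (tail)
        tail->next = e;
    else
        head = e;
    tail = e;
    nr_entries++;
    pthread_mutex_unlock(&extend_lock);
    return 0;
}

/* Delete the first n entries. Assumed policy: refuse (-1) if fewer exist. */
int model_delete_first_n(unsigned long n)
{
    struct entry *cut = head, *old, *next;
    if (n == 0 || !cut)
        return -1;
    for (unsigned long i = 1; i < n; i++)  /* 1. find N-th entry, no lock (single deleter assumed) */
        if (!(cut = cut->next))
            return -1;
    pthread_mutex_lock(&extend_lock);      /* 2. cut: the only step under the lock */
    old = head;
    head = cut->next;   /* read under the lock: an append may have followed the walk */
    if (!head)
        tail = NULL;
    cut->next = NULL;
    nr_entries -= n;
    pthread_mutex_unlock(&extend_lock);
    for (; old; old = next) {              /* 3. free the detached entries after unlocking */
        next = old->next;
        free(old);
    }
    return 0;
}
```

The critical section stays constant-size regardless of N; the O(N) work is the unlocked walk and the free loop on the detached chain.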

