lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20250515233953.14685-1-bhe@redhat.com>
Date: Fri, 16 May 2025 07:39:53 +0800
From: Baoquan He <bhe@...hat.com>
To: linux-integrity@...r.kernel.org
Cc: linux-kernel@...r.kernel.org,
	zohar@...ux.ibm.com,
	pmenzel@...gen.mpg.de,
	coxu@...hat.com,
	ruyang@...hat.com,
	chenste@...ux.microsoft.com,
	Baoquan He <bhe@...hat.com>
Subject: [PATCH] ima: add a knob ima= to make IMA be able to be disabled

The kdump kernel doesn't need IMA functionality, and enabling IMA will cost
extra memory. It would be very helpful to allow IMA to be disabled for
the kdump kernel.

Coiby also mentioned that for the kdump kernel an incorrect ima-policy
loaded by systemd could cause the kdump kernel to hang, and it's possible
the booting process may be stopped by a strict, albeit syntactically
correct, policy so that users can't log into the system to fix the policy.
In these cases, allowing IMA to be disabled is very helpful for the kdump
kernel too.

Hence add a knob ima=on|off here to allow people to disable IMA in the
kdump kernel if needed.

Signed-off-by: Baoquan He <bhe@...hat.com>
---
 .../admin-guide/kernel-parameters.txt         |  5 +++++
 security/integrity/ima/ima_main.c             | 22 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index d9fd26b95b34..762fb6ddcc24 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -2202,6 +2202,11 @@
 			different crypto accelerators. This option can be used
 			to achieve best performance for particular HW.
 
+	ima=		[IMA] Enable or disable IMA
+			Format: { "off" | "on" }
+			Default: "on"
+			Note that this is only useful for kdump kernel.
+
 	init=		[KNL]
 			Format: <full_path>
 			Run specified binary instead of /sbin/init as init
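Review bot: the new kernel-parameters.txt entry says the knob is "only useful for kdump kernel" but does not say what happens elsewhere; the ima_main.c hunk only honours it when is_kdump_kernel() is true, so "ima=off" on a normal kernel is silently ignored. State that explicitly, e.g. "Ignored unless the kernel is a kdump kernel (see is_kdump_kernel())", and also document that any value other than "on" or "off" is rejected with an error and leaves the default ("on") in effect, since that is what the parser in this patch does.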
diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
index f3e7ac513db3..07af5c6af138 100644
--- a/security/integrity/ima/ima_main.c
+++ b/security/integrity/ima/ima_main.c
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 #include <linux/iversion.h>
 #include <linux/evm.h>
+#include <linux/crash_dump.h>
 
 #include "ima.h"
 
@@ -38,11 +39,27 @@ int ima_appraise;
 
 int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
 static int hash_setup_done;
+static int ima_disabled;
 
 static struct notifier_block ima_lsm_policy_notifier = {
 	.notifier_call = ima_lsm_policy_change,
 };
 
+static int __init ima_setup(char *str)
+{
+	if (strncmp(str, "off", 3) == 0)
+		ima_disabled = 1;
+	else if (strncmp(str, "on", 2) == 0)
+		ima_disabled = 0;
+	else
+		pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
+
+	return 1;
+}
+__setup("ima=", ima_setup);
+
+
+
 static int __init hash_setup(char *str)
 {
 	struct ima_template_desc *template_desc = ima_template_desc_current();
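Review bot: strncmp() with a fixed length in ima_setup() is a prefix match, so "ima=offline" is accepted as "off" and "ima=onx" as "on"; use strcmp() against the exact strings (or kstrtobool(), which already accepts on/off/1/0/y/n) so only the documented values parse. Also the pr_err() format string lacks a trailing "\n" and has a stray space before the comma; ima_disabled is only read from __init code in this patch, so it can be "static bool __initdata ima_disabled;"; and the three blank lines after __setup("ima=", ima_setup) should be reduced to one.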
@@ -1184,6 +1201,11 @@ static int __init init_ima(void)
 {
 	int error;
 
+	if (ima_disabled && is_kdump_kernel()) {
+		pr_info("IMA functionality is disabled");
+		return 0;
+	}
+
 	ima_appraise_parse_cmdline();
 	ima_init_template_list();
 	hash_setup(CONFIG_IMA_DEFAULT_HASH);
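Review bot: the early return in init_ima() is gated on "ima_disabled && is_kdump_kernel()", so "ima=off" on a non-kdump kernel is silently dropped and the kernel boots with IMA fully enabled; add a pr_warn() for the ima_disabled && !is_kdump_kernel() case so an operator who set the option knows it had no effect. The pr_info() format string also lacks a trailing "\n". Returning before ima_appraise_parse_cmdline()/ima_init_template_list()/hash_setup() (and the rest of init_ima() that this hunk does not show) skips the normal initialization; confirm that the IMA hooks registered elsewhere, which are not part of this hunk, behave as no-ops when that initialization never ran rather than touching unset state.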
-- 
2.41.0