Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity update from Mimi Zohar:
"A single commit to permit disabling IMA from the boot command line for
just the kdump kernel.

The exception itself sort of makes sense. My concern is that
exceptions do not remain as exceptions, but somehow morph to become
the norm"

* tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
ima: add a knob ima= to allow disabling IMA in kdump kernel

+31
+5
Documentation/admin-guide/kernel-parameters.txt
··· 2212 2212 different crypto accelerators. This option can be used 2213 2213 to achieve best performance for particular HW. 2214 2214 2215 + ima= [IMA] Enable or disable IMA 2216 + Format: { "off" | "on" } 2217 + Default: "on" 2218 + Note that disabling IMA is limited to kdump kernel. 2219 + 2215 2220 indirect_target_selection= [X86,Intel] Mitigation control for Indirect 2216 2221 Target Selection(ITS) bug in Intel CPUs. Updated 2217 2222 microcode is also required for a fix in IBPB.
+26
security/integrity/ima/ima_main.c
··· 27 27 #include <linux/fs.h> 28 28 #include <linux/iversion.h> 29 29 #include <linux/evm.h> 30 + #include <linux/crash_dump.h> 30 31 31 32 #include "ima.h" 32 33 ··· 39 38 40 39 int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1; 41 40 static int hash_setup_done; 41 + static int ima_disabled __ro_after_init; 42 42 43 43 static struct notifier_block ima_lsm_policy_notifier = { 44 44 .notifier_call = ima_lsm_policy_change, 45 45 }; 46 + 47 + static int __init ima_setup(char *str) 48 + { 49 + if (!is_kdump_kernel()) { 50 + pr_info("Warning: ima setup option only permitted in kdump"); 51 + return 1; 52 + } 53 + 54 + if (strncmp(str, "off", 3) == 0) 55 + ima_disabled = 1; 56 + else if (strncmp(str, "on", 2) == 0) 57 + ima_disabled = 0; 58 + else 59 + pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str); 60 + 61 + return 1; 62 + } 63 + __setup("ima=", ima_setup); 46 64 47 65 static int __init hash_setup(char *str) 48 66 { ··· 1205 1185 static int __init init_ima(void) 1206 1186 { 1207 1187 int error; 1188 + 1189 + /*Note that turning IMA off is intentionally limited to kdump kernel.*/ 1190 + if (ima_disabled && is_kdump_kernel()) { 1191 + pr_info("IMA functionality is disabled"); 1192 + return 0; 1193 + } 1208 1194 1209 1195 ima_appraise_parse_cmdline(); 1210 1196 ima_init_template_list();
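
Review bot: In the Documentation/admin-guide/kernel-parameters.txt hunk, the new ima= entry does not say what happens when the option is passed to a kernel that is not a kdump kernel. ima_setup() in this same patch ignores the value in that case and only logs "ima setup option only permitted in kdump", so the entry should state that ima=off is ignored outside the kdump kernel and that IMA stays enabled, instead of stopping at "disabling IMA is limited to kdump kernel".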
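
Review bot: In ima_setup() in security/integrity/ima/ima_main.c, strncmp(str, "off", 3) and strncmp(str, "on", 2) are prefix matches, so any value that merely begins with "off" or "on" is accepted and never reaches the "Invalid ima setup option" branch. Comparing with strcmp() would honour only the two values the documentation hunk lists. Both log strings in this hunk also lack a trailing "\n", and the one that starts with "Warning:" is emitted with pr_info(); pr_warn() would match its wording.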
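
Review bot: In the init_ima() hunk, the only record that integrity measurement was switched off is pr_info("IMA functionality is disabled"), which has no trailing "\n" and does not say that it was caused by ima=off in a kdump kernel. Consider naming the cause in the message and terminating it with "\n" so the event is unambiguous in the crash kernel's log. The comment above the check should also follow kernel comment style, with a space after "/*" and before "*/".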