
integrity-v6.17

-----BEGIN PGP SIGNATURE-----
 
 iIoEABYKADIWIQQdXVVFGN5XqKr1Hj7LwZzRsCrn5QUCaItL7xQcem9oYXJAbGlu
 dXguaWJtLmNvbQAKCRDLwZzRsCrn5TduAQDu7W14clgQiJNwYo2hN5cEnfKZVkRI
 6PJGyxV+g+cMOQEA4Aepo2EL86kQJH33iAUmzi0bvyQl4cPTuKqpw5CgjQg=
 =eGra
 -----END PGP SIGNATURE-----

Merge tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity

Pull integrity update from Mimi Zohar:
 "A single commit to permit disabling IMA from the boot command line for
  just the kdump kernel.

  The exception itself sort of makes sense. My concern is that
  exceptions do not remain as exceptions, but somehow morph to become
  the norm"

* tag 'integrity-v6.17' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity:
  ima: add a knob ima= to allow disabling IMA in kdump kernel
This commit is contained in:
Linus Torvalds 2025-07-31 11:42:11 -07:00
commit 02523d2d93
2 changed files with 31 additions and 0 deletions


@ -2212,6 +2212,11 @@
different crypto accelerators. This option can be used different crypto accelerators. This option can be used
to achieve best performance for particular HW. to achieve best performance for particular HW.
ima= [IMA] Enable or disable IMA
Format: { "off" | "on" }
Default: "on"
Note that disabling IMA is limited to kdump kernel.
indirect_target_selection= [X86,Intel] Mitigation control for Indirect indirect_target_selection= [X86,Intel] Mitigation control for Indirect
Target Selection(ITS) bug in Intel CPUs. Updated Target Selection(ITS) bug in Intel CPUs. Updated
microcode is also required for a fix in IBPB. microcode is also required for a fix in IBPB.


@ -27,6 +27,7 @@
#include <linux/fs.h> #include <linux/fs.h>
#include <linux/iversion.h> #include <linux/iversion.h>
#include <linux/evm.h> #include <linux/evm.h>
#include <linux/crash_dump.h>
#include "ima.h" #include "ima.h"
@ -38,11 +39,30 @@ int ima_appraise;
int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1; int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
static int hash_setup_done; static int hash_setup_done;
static int ima_disabled __ro_after_init;
static struct notifier_block ima_lsm_policy_notifier = { static struct notifier_block ima_lsm_policy_notifier = {
.notifier_call = ima_lsm_policy_change, .notifier_call = ima_lsm_policy_change,
}; };
static int __init ima_setup(char *str)
{
if (!is_kdump_kernel()) {
pr_info("Warning: ima setup option only permitted in kdump");
return 1;
}
if (strncmp(str, "off", 3) == 0)
ima_disabled = 1;
else if (strncmp(str, "on", 2) == 0)
ima_disabled = 0;
else
pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
return 1;
}
__setup("ima=", ima_setup);
static int __init hash_setup(char *str) static int __init hash_setup(char *str)
{ {
struct ima_template_desc *template_desc = ima_template_desc_current(); struct ima_template_desc *template_desc = ima_template_desc_current();
@ -1186,6 +1206,12 @@ static int __init init_ima(void)
{ {
int error; int error;
/*Note that turning IMA off is intentionally limited to kdump kernel.*/
if (ima_disabled && is_kdump_kernel()) {
pr_info("IMA functionality is disabled");
return 0;
}
ima_appraise_parse_cmdline(); ima_appraise_parse_cmdline();
ima_init_template_list(); ima_init_template_list();
hash_setup(CONFIG_IMA_DEFAULT_HASH); hash_setup(CONFIG_IMA_DEFAULT_HASH);
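Review bot: The prefix comparisons in ima_setup (`strncmp(str, "off", 3)` and `strncmp(str, "on", 2)`) accept any value that merely begins with "off" or "on", so a mistyped value such as ima=offline still disables IMA instead of reaching the "Invalid ima setup option" error, while the documented format is exactly { "off" | "on" }; use exact matches, `if (!strcmp(str, "off"))` and `else if (!strcmp(str, "on"))`. The pr_info/pr_err strings in this hunk, and the "IMA functionality is disabled" pr_info in the init_ima hunk, have no trailing "\n", which the kernel's pr_* convention expects. The is_kdump_kernel() gate in ima_setup presumably depends on the crash-kernel state (elfcorehdr) having been established before this __setup handler runs; a one-line comment such as `/* kdump state must already be known; ima= is ignored outside the kdump kernel */` would record the ordering the gate relies on.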