Documentation/security/IMA-export-delete.rst
Source file repositories/reference/linux-study-clean/Documentation/security/IMA-export-delete.rst
File Facts
- System
- Linux kernel
- Corpus path
Documentation/security/IMA-export-delete.rst- Extension
.rst- Size
- 8655 bytes
- Lines
- 204
- Domain
- Support Tooling And Documentation
- Bucket
- Documentation
- Inferred role
- Support Tooling And Documentation: documentation
- Status
- atlas-only
Why This File Exists
Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
- Repository support layer: documentation, build tooling, samples, user-space helper tools, generated initramfs support, licenses, and validation utilities.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
.. SPDX-License-Identifier: GPL-2.0
==================================
IMA Measurements Export and Delete
==================================
Introduction
============
The IMA measurements list is currently stored in the kernel memory. Memory
occupation grows linearly with the number of records, and can become a
problem especially in environments with reduced resources.
While there is an advantage in keeping the IMA measurements list in kernel
memory, so that it is always available for reading from the securityfs
interfaces, storing it elsewhere would make it possible to free precious
memory for other kernel usage.
The IMA measurements list needs to be retained and safely stored for new
attestation servers to validate it. Assuming the IMA measurements list is
properly saved, storing it outside the kernel does not introduce security
issues, since its integrity is anyway protected by the TPM.
Hence, the new IMA staging mechanism is introduced to export IMA
measurements to user space and delete them from kernel space.
Staging consists in atomically moving the current measurements list to a
temporary list, so that measurements can be deleted afterwards. The staging
operation locks the hot path (racing with addition of new measurements) for
a very short time, only for swapping the list pointers. Deletion of the
measurements instead is done locklessly, away from the hot path.
There are two flavors of the staging mechanism. In the staging with prompt,
all current measurements are staged, read and deleted upon confirmation. In
the staging and deleting flavor, N measurements are staged from the
beginning of the current measurements list and immediately deleted without
confirmation.
Management of Staged Measurements
=================================
Since with the staging mechanism measurement records are removed from the
kernel, the staged measurements need to be saved in a storage and
concatenated together, so that they can be presented during remote
attestation as if staging was never done. This task can be accomplished by
a remote attestation agent modified to support staging, or a system
service.
Coordination is necessary in the case where there are multiple actors
requesting measurements to be staged.
In the staging with prompt case, the measurement interfaces can be accessed
only by one actor (writer) at a time, so the others will get an error until
the former closes it. Since the actors don't care about N, when they gain
access to the interface, they will get all the staged measurements at the
time of their request.
In the case of staging and deleting, coordination is more important, since
there is the risk that two actors unaware of each other compute the value N
on the current measurements list and request IMA to stage N twice.
Remote Attestation Agent Workflow
=================================
Remote attestation agents can be configured to always present all the
measurements to the remote verifiers or, alternatively, to only provide the
measurements that have not been verified yet by the remote verifiers.
Annotation
- Atlas domain: Support Tooling And Documentation / Documentation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.