ima: add a knob ima= to allow disabling IMA in kdump kernel
authorBaoquan He <bhe@redhat.com>
Sat, 14 Jun 2025 02:23:42 +0000 (10:23 +0800)
committerMimi Zohar <zohar@linux.ibm.com>
Mon, 16 Jun 2025 13:15:13 +0000 (09:15 -0400)
Kdump kernel doesn't need IMA functionality, and enabling IMA will cost
extra memory. It would be very helpful to allow IMA to be disabled for
kdump kernel.

Hence add a knob ima=on|off here to allow turning IMA off in kdump
kernel if needed.

Note that this IMA disabling is limited to the kdump kernel; please don't
abuse it in other kernels, as that could cause serious consequences.

Signed-off-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Documentation/admin-guide/kernel-parameters.txt
security/integrity/ima/ima_main.c

index f1f2c0874da9ddfc95058c464fdf5dabaf0de713..4b4927ca1df74b1852e77f0139cbb3ddf3a752e2 100644 (file)
                        different crypto accelerators. This option can be used
                        to achieve best performance for particular HW.
 
+       ima=            [IMA] Enable or disable IMA
+                       Format: { "off" | "on" }
+                       Default: "on"
+                       Note that disabling IMA is limited to kdump kernel.
+
        indirect_target_selection= [X86,Intel] Mitigation control for Indirect
                        Target Selection(ITS) bug in Intel CPUs. Updated
                        microcode is also required for a fix in IBPB.
index f99ab1a3b0f092d965d8eca24ce67086a34b4865..cdd225f65a629555f6a4aaa518073245492abc78 100644 (file)
@@ -27,6 +27,7 @@
 #include <linux/fs.h>
 #include <linux/iversion.h>
 #include <linux/evm.h>
+#include <linux/crash_dump.h>
 
 #include "ima.h"
 
@@ -38,11 +39,30 @@ int ima_appraise;
 
 int __ro_after_init ima_hash_algo = HASH_ALGO_SHA1;
 static int hash_setup_done;
+static int ima_disabled __ro_after_init;
 
 static struct notifier_block ima_lsm_policy_notifier = {
        .notifier_call = ima_lsm_policy_change,
 };
 
+static int __init ima_setup(char *str)
+{
+       if (!is_kdump_kernel()) {
+               pr_info("Warning: ima setup option only permitted in kdump");
+               return 1;
+       }
+
+       if (strncmp(str, "off", 3) == 0)
+               ima_disabled = 1;
+       else if (strncmp(str, "on", 2) == 0)
+               ima_disabled = 0;
+       else
+               pr_err("Invalid ima setup option: \"%s\" , please specify ima=on|off.", str);
+
+       return 1;
+}
+__setup("ima=", ima_setup);
+
 static int __init hash_setup(char *str)
 {
        struct ima_template_desc *template_desc = ima_template_desc_current();
@@ -1186,6 +1206,12 @@ static int __init init_ima(void)
 {
        int error;
 
+       /*Note that turning IMA off is intentionally limited to kdump kernel.*/
+       if (ima_disabled && is_kdump_kernel()) {
+               pr_info("IMA functionality is disabled");
+               return 0;
+       }
+
        ima_appraise_parse_cmdline();
        ima_init_template_list();
        hash_setup(CONFIG_IMA_DEFAULT_HASH);
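Review bot: The prefix comparisons in ima_setup accept any argument that merely begins with the keyword — `ima=offline` silently disables IMA in the kdump kernel and `ima=online` silently keeps it on — so the two `strncmp` lines should be exact matches, `if (strcmp(str, "off") == 0)` and `else if (strcmp(str, "on") == 0)`, leaving the pr_err branch to reject everything else. The three new printk messages (the pr_info and pr_err in ima_setup, and the pr_info in init_ima) lack the trailing `\n` that kernel log lines expect, so the next log line can be appended to them. Because ima_disabled can only be set when is_kdump_kernel() already held in ima_setup, the repeated is_kdump_kernel() check in init_ima is presumably redundant; if it is meant as defence in depth, the comment there should say so (and `/* Note ... */` wants spaces inside the delimiters). init_ima continues past the end of its hunk.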