git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Roberto Sassu <roberto.sassu@huawei.com>
	Fri, 5 Jun 2026 17:22:34 +0000 (19:22 +0200)
committer	Mimi Zohar <zohar@linux.ibm.com>
	Mon, 8 Jun 2026 15:43:30 +0000 (11:43 -0400)
commit	c26d9d9246cc66e3472a2bbd186152d0572d7aab
tree	c191f31534c9ee91af8cf4d995a411e94fa1d461	tree \| snapshot
parent	e9b491e27bf6b9401e2e521955787a7a6e2bf808	commit \| diff

ima: Add support for flushing the hash table when staging measurements

During staging and delete, measurements are not completely deallocated.
Their entry digest portion is kept and is still reachable with the hash
table to detect duplicate records. If the number of records is significant,
this reduces the memory saving benefit of staging.

Some users might be interested in achieving the best memory saving (the
measurements are completely deallocated) at the cost of having duplicate
records across the staged measurement lists. Duplicate records are still
avoided within the current measurement list.

Introduce the new kernel option ima_flush_htable to decide whether or not
the digests of staged measurement records are flushed from the hash table,
when they are deleted, to achieve the maximum memory saving.

When the option is enabled, replace the old hash table with a new one,
by calling ima_alloc_replace_htable(), and completely delete the
measurements records.

Note: This code derives from the Alt-IMA Huawei project, whose license is
GPL-2.0 OR MIT.

Link: https://github.com/linux-integrity/linux/issues/1
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>

Documentation/admin-guide/kernel-parameters.txt		diff \| blob \| blame \| history
security/integrity/ima/ima_queue.c		diff \| blob \| blame \| history