On Mon, 04 Feb 2019 11:38:19 +0300, Lev Olshvang said:
> I learned recently that the IMA kernel security subsystem can be integrated with 
> LSMs, such as SELinux, Smack, ...
> https://sourceforge.net/p/linux-ima/wiki/Home/
>
> https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
>
> It has been present in the kernel since v3.8, but Google does not know much about 
> the usability.

Note that although it's been in the tree since v3.8, the ability to stack LSMs
is much more recent.  That means that if you had IMA running, you couldn't have
SELinux or AppArmor active. Thus the lack of usability documentation.

You'll need a working and enabled TPM chipset in your system to use this. If
your BIOS has a 'secure boot' option, you have a TPM (though secure boot isn't
needed for IMA, but if you're deploying IMA, you may as well go the whole way
and do secure boot as well).

I'm not sure anybody has reliable overhead numbers, as it will be fairly system
specific.  Also, the sort of people who would run IMA are more concerned about
security than throughput...


_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
