[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
@pkern-k @pkern @smu-u @antarus It just occurred to me that you might not be aware that the 3.13 (that now has the CONFIG_IMA) kernel available in 14.04 will be available in the update archives for precise shortly after 14.04 release. That's less than 3 months away.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1244627

Title:
  Please enable CONFIG_IMA in the ubuntu kernel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1244627/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Hi Philipp, 12.04.4 is just the first appearance of the saucy kernel in the install media. As soon as a package is in main, it is supported.
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
@pkern-l linux-generic-lts-saucy is available and supported in precise. The source base between linux-generic-lts-saucy and kernels in saucy are built from the same sources. As for creating a new flavor, creating additional flavors is avoided at all cost. Each additional flavor requires additional testing and other maintenance.
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Would there be a chance to create a -ima flavor of the kernel instead of enabling it in the stock kernel flavor? This should allow for it to go into Trusty and into Saucy as a SRU, if I understand correctly, since it provides a new binary package instead of modifying an existing one (no regression for existing installs, conscious decision of the user required to install it).
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Changed in: linux (Ubuntu Saucy)
     Assignee: Chris J Arges (arges) => Dave Chiluk (chiluk)
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
As cking noted in #4 this would cause a performance impact for ext2/3. That alone prevents it from moving into the stable saucy kernel. Additionally this is a significant enough change that it would not satisfy the SRU requirements for pushing into the saucy kernel.

Please see https://wiki.ubuntu.com/StableReleaseUpdates#Why

** Changed in: linux (Ubuntu Saucy)
       Status: Triaged => Opinion
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Could this be enabled in the saucy LTS backport kernel in precise as well, please? It will take a while until the trusty kernel becomes available there and this blocks our switch to the saucy kernel. Thanks!
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Changed in: linux (Ubuntu Saucy)
     Assignee: (unassigned) => Chris J Arges (arges)

** Changed in: linux (Ubuntu Saucy)
   Importance: Undecided => Medium
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Fixed in 3.13.0-1.16

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Investigations and benchmarking are ongoing to confirm/deny that turning this on without enabling is cheap enough to enable in the default configurations.

** Changed in: linux (Ubuntu)
       Status: Triaged => In Progress

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Colin King (colin-king)
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
So enabling this consumes an extra sizeof(atomic_t) bytes per inode. Instrumenting the kernel with it enabled we see:

* To boot a system: 0.113 MB allocated + 23 x 4K slabs in iint_cache, total: 0.203 MB consumed for ~1288 cached file entries.
* Install kernel + headers: 0.401 MB allocated + 37 x 4K slabs in iint_cache, total: 0.547 MB consumed for ~2072 cached file entries
* Build a kernel (as root, stress test): 12.945MB allocated + 1023 x 4K slabs in iint_cache, total: 16.941 MB consumed for ~57344 cached file entries.

So, typically we are seeing ~310 bytes per cached IMA file entry consumed in the iint_cache slab and misc IMA file metadata.

Looking at the file system benchmarks, IMA built in but not enabled does impact ext2, ext3 performance, but other file systems seem to run w/o any impact. I may re-test the ext2/ext3 and also look at why we are seeing the impact on ext2, ext3 if we enabled IMA.

File system performance impact on IOZONE tests with IMA appraise enabled:

http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext2
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext3
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_ext4
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_xfs
http://kernel.ubuntu.com/~cking/ima/ima-appraise/html_out_ima_btrfs
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Also affects: linux (Ubuntu Trusty)
   Importance: Medium
     Assignee: Colin King (colin-king)
       Status: In Progress
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Changed in: linux (Ubuntu Trusty)
       Status: In Progress => Fix Committed
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
For making sure IMA isn't enabled at boot by default, here's some details

From http://sourceforge.net/p/linux-ima/wiki/Home/

Enabling IMA

IMA was first included in the 2.6.30 kernel. For distros that enable IMA by default in their kernels, collecting IMA measurements simply requires rebooting the kernel with the boot command line parameter 'ima_tcb'. (Fedora/RHEL may also require the boot command line parameter 'ima=on'.)

To determine if your distro enables IMA by default, mount securityfs (mount -t securityfs security /sys/kernel/security), if it isn't already mounted, and then check if '/integrity/ima' exists. If it exists, IMA is indeed enabled. On systems without IMA enabled, recompile the kernel with the config option 'CONFIG_IMA' enabled.
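
The check quoted in the message above (is the IMA directory present in securityfs, and was a policy requested on the kernel command line), written out as an added shell example that is not part of the original thread. The ROOT argument and the state names are assumptions made for illustration; ima_appraise_tcb and ima_policy= are kernel boot parameters the thread does not mention, and some kernels expose the directory as /sys/kernel/security/ima.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical argument: "/" on a live host,
# or a constructed directory tree when checking offline.

# Print the IMA securityfs directory if the kernel was built with CONFIG_IMA.
ima_dir() {
    root=${1%/}
    for d in "$root/sys/kernel/security/integrity/ima" \
             "$root/sys/kernel/security/ima"; do
        if [ -d "$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    return 1
}

# Print the boot parameters that request an IMA policy, one per line.
ima_boot_params() {
    root=${1%/}
    [ -r "$root/proc/cmdline" ] || return 0
    tr ' ' '\n' < "$root/proc/cmdline" |
        grep -E '^(ima_tcb|ima_appraise_tcb|ima=on|ima_policy=.*)$' || true
}

# Classify the host (state names are this example's own):
#   not-built | unknown-securityfs-not-mounted | built-idle | built-policy-requested
ima_state() {
    root=${1%/}
    if ! ima_dir "$root" >/dev/null; then
        # An empty mount point means securityfs is not mounted, so the
        # absence of the IMA directory proves nothing yet.
        if [ -d "$root/sys/kernel/security" ] &&
           [ -z "$(ls -A "$root/sys/kernel/security" 2>/dev/null)" ]; then
            echo "unknown-securityfs-not-mounted"; return 0
        fi
        echo "not-built"; return 0
    fi
    if [ -n "$(ima_boot_params "$root")" ]; then
        echo "built-policy-requested"
    else
        echo "built-idle"      # compiled in, no policy requested at boot
    fi
}

ima_state "${1:-/}"
```

"built-idle" is the configuration the thread's benchmarks are about: CONFIG_IMA compiled in, with no policy requested on the command line.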
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Tags removed: raring
** Tags added: saucy
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Also affects: linux (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Saucy)
       Status: New => Triaged
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: linux-meta-lts-saucy (Ubuntu)
       Status: New => Confirmed
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Tags added: kernel-da-key raring trusty

** Changed in: linux (Ubuntu)
       Status: Confirmed => Triaged
[Bug 1244627] Re: Please enable CONFIG_IMA in the ubuntu kernel
Moving to main linux package.

Waiting for memory benchmark comparison of:
- without CONFIG_IMA
- with CONFIG_IMA
- with CONFIG_IMA + policy

** Package changed: linux-meta-lts-saucy (Ubuntu) => linux (Ubuntu)