ima: use of radix tree cache indexing == massive waste of memory?

Ingo Molnar mingo at elte.hu
Sun Oct 17 05:40:08 UTC 2010


* Christoph Hellwig <hch at infradead.org> wrote:

> On Sat, Oct 16, 2010 at 02:10:29PM -0700, H. Peter Anvin wrote:
>
> > "Christoph Hellwig" <hch at infradead.org> wrote:
> >
> > > Besides the algorithmic problems with ima, why is kernel.org using 
> > > IMA to start with?  Except for IBM looking for a reason to justify 
> > > why TPM isn't a complete waste of resources it's pointless.  
> > > And it was only merged under the premise that it would not affect 
> > > innocent normal users.
> >
> > I'm confused ... what makes you think we are?  This might have been 
> > an unintentional misconfiguration...
> 
> I didn't mean to imply you enabled it intentionally.  In fact it looks 
> like the inode tracking in IMA is always on once it's compiled in, 
> which totally defeats the purpose of doing its own internal inode 
> tracking instead of bloating the inode, which is what they originally 
> proposed.  IMA really needs a kernel parameter to only enable this crap 
> when people actually use it.

That is true.

> And whoever turned it on in Fedora needs some serious whacking.

And that is false.

This security feature was merged upstream last year, it's not in 
drivers/staging/ and the Kconfig help text does not contain any warning 
that this is 'crap', so how were the Fedora people supposed to know?

If you are suggesting that distribution kernel maintainers should not 
trust upstream kernel feature decisions and are expected to do a line by 
line review of the ~40,000 commits that go upstream every year, to make 
sure there's no hidden 'crap' in them (and failing that be labeled 
incompetent idiots), then you are out of your mind.

It's just not possible to do that, nor is it reasonable or efficient: 
crap should be caught via hierarchical filtering: when the developer 
posts the first patches to lkml, or when it is merged into a maintainer 
tree, or when it goes upstream, or when it is upstream and then, as the 
very last (and most expensive) line of defense, it will be caught when 
it gets exposure in distributions. Which seems to be precisely what 
happened here.

Fact is that Kyle did Linux a _favor_ by enabling the feature in Fedora, 
as it allowed the bug/inefficiency/crap to be found by Dave. Linux got 
richer as a result as we learned about a bug that affects many people. 
Your gratuitous insults against him are highly misguided.

Thanks,

	Ingo