kernel: Assess IMA use in Bottlerocket #2707
Comments
foersleo
added
status/research
|
IMA is a kernel feature that can be used to ensure a file has not been changed from a known good state before executing it. This is done through hashing the file and noting down the known hashes in kernel memory, validating the hash before executing the file. We are currently not using it with Bottlerocket and the overhead is probably not worth the effort given that we are working from an immutable file system, which is going to be further hardened through secure boot validated (#2501). Right now it does not hurt to have ima enabled. Without a policy it will not measure or validate any files. I am not sure if we want to keep it around for possible future runtime validation or if we want to remove it to minimize our built code base. |
foersleo
added
status/icebox
|
Removed IMA with #2789 |
In #2569 we inherited a lot of config changes from our kernel upstream Amazon Linux. While going through these we found some changes to the hashing algorithms and settings for IMA.
As we currently do not use IMA in our bottlerocket configurations we might be better off disabling IMA support for good. As we do not configure ima to be enabled on the command line we do not need to act directly, but track this here for further research.
The text was updated successfully, but these errors were encountered: