|
|
Log in / Subscribe / Register

IMA memory hog

By Jonathan Corbet
October 20, 2010
Dave Chinner recently noticed a problem on one of the kernel.org systems: the slab cache was using well over 2GB of memory, mainly on radix tree nodes. Intrigued, he looked further into the problem. It came down to the integrity measurement architecture (IMA) security code, which uses the hardware TPM to help ensure that files on the system have not been tampered with. IMA, it seems, was using a radix tree to store integrity information, indexed by inode address. Radix trees perform poorly with sparse, unclustered keys, so IMA's usage was causing the creation of a separate node for each inode in the system. That added up to a lot of memory.

A number of questions came after this revelation, including:

  1. Why is IMA using such an inappropriate data structure?
  2. Why is it keeping all this information around even though it was disabled on the system in question?
  3. Why was IMA configured into the kernel in the first place?

The answer to the first question seems to be that the IMA developers, as part of the process of getting the code into the mainline, were not allowed to expand the inode structure at all. So they created a separate tree for per-inode information; it just happens that they chose the wrong type of tree and never noticed how poorly it performed.

Question #2 is answered like this: the IMA code needs to keep track of which files are opened for write access at any time. There is no point in measuring the integrity of files (checksumming them, essentially) when they can be changed at any time. Without tracking the state of all files all the time, IMA can never know which files are opened for write access when it first starts up. The only way to be sure, it seems, is to track all files starting at boot time just in case somebody tries to turn IMA on at some point.

As for #3: kernel.org was running a Fedora kernel, and the Fedora folks turned on the feature because it looked like it might be useful to some people. Nobody expected that it would have such an impact on systems where it was not turned on. Some participants in the discussion have given the Fedora kernel maintainers some grief for not having audited the code before enabling it, but auditing everything in the kernel to that level is a bit larger task than Fedora can really be expected to take on.

Eric Paris has started work on slimming IMA down; his patches work by moving the "open for write" counts into the inode structure itself, eliminating the need to allocate the separate IMA structures most of the time. IMA is also shifted over to a red-black tree when it does need to track those structures. This work eliminates almost all of the memory waste, but at the cost of growing the inode structure slightly. That does not sit well with everybody, especially, it seems, those developers who feel that IMA should not exist in the first place. But it's a clear step in the right direction, so one should expect something along these lines to be merged for 2.6.37.

Index entries for this article
KernelIntegrity measurement architecture

to post comments

IMA memory hog

Posted Oct 21, 2010 1:56 UTC (Thu) by lordsutch (guest, #53) [Link] (1 responses)

Well-played on the title.

IMA memory hog

Posted Oct 21, 2010 14:35 UTC (Thu) by jengelh (subscriber, #33263) [Link]

"今, memory hog(だ)" also works out.

IMA memory hog

Posted Oct 21, 2010 8:10 UTC (Thu) by MisterIO (guest, #36192) [Link] (1 responses)

"This work eliminates almost all of the memory waste, but at the cost of growing the inode structure slightly. That does not sit well with everybody, especially, it seems, those developers who feel that IMA should not exist in the first place."

Well, looking at the patches, it should be said that the inode structure growth is dependent on CONFIG_IMA, thus, if IMA is not enabled, the inode structure doesn't grow at all.

IMA memory hog

Posted Oct 21, 2010 12:53 UTC (Thu) by corbet (editor, #1) [Link]

Yes but...distributors tend to turn on everything that looks like it might be useful for their users, so the chances of CONFIG_IMA being set are fairly good.

IMA memory hog

Posted Oct 21, 2010 13:36 UTC (Thu) by i3839 (guest, #31386) [Link]

They should get rid of the whole lookup thing and add the info to the inode.
If that would bloat the inode too much, perhaps give the inode a variable
size (size determined at startup), or add a pointer to the IMA struct. But
both seem too much complexity for no gain, just disable IMA except when
you're actually using it. And then adding the info to the inode saves more
memory because you don't have to keep around a whole extra tree. The IMA
menuconfig text needs updating of course.

As someone mentioned in the thread, things become simpler when IMA is only
enabled or disabled at boot time, so no need to keep track of writers etc.
when IMA is not used.

distro kernels are made to work for everyone, and be efficient for nobody

Posted Oct 21, 2010 18:23 UTC (Thu) by dlang (guest, #313) [Link]

people need to realize that the distros build their kernels so that no matter what feature someone tries to use, the kernel will support it.

this frequently comes at a cost in startup time, runtime performance, or memory overhead. It's seldom this blatent an issue, but it's very common.

IMA memory hog

Posted Oct 21, 2010 21:01 UTC (Thu) by jzbiciak (guest, #5246) [Link] (6 responses) 

 	if (mode & FMODE_WRITE)
-		iint->writecount++;
+		inode->i_writers++;

Gee, I wonder what happens when I open a file 4 billion times... will IMA notice it later? (On a 32-bit system, at least.)

IMA memory hog

Posted Oct 21, 2010 21:03 UTC (Thu) by corbet (editor, #1) [Link] (4 responses)

If you have a system where you can have 4 billion simultaneously open file descriptors, there might indeed be a problem.

IMA memory hog

Posted Oct 21, 2010 21:09 UTC (Thu) by jzbiciak (guest, #5246) [Link] (3 responses)

Yeah, see my mea culpa followup. I had misinterpreted as "total writers ever" as opposed to "total concurrent writers". I'm curious why they chose "long" for the count though. Seems like even a fairly beefy 64-bit box might find (231-1) active file descriptors a bit challenging, let alone (263-1) on machines where sizeof(long)==8. :-)

IMA memory hog

Posted Oct 22, 2010 12:38 UTC (Fri) by mpr22 (subscriber, #60784) [Link] (2 responses)

"Learned C on an I16 arch" and "were taught C by someone who learned it on an I16 arch" are the obvious possibilities.

IMA memory hog

Posted Oct 22, 2010 13:57 UTC (Fri) by jzbiciak (guest, #5246) [Link] (1 responses)

Hmmm.... wouldn't that be an awful lot of us?

I learned C on an I16 arch (and remember Borland's small, medium, large and huge models, the near/far keywords, and all that fun), and I'm only 35, so not a greybeard just yet.

IMA memory hog

Posted Oct 22, 2010 16:35 UTC (Fri) by nix (subscriber, #2304) [Link]

As a greybeard of 34, I first met C on a BBC B with a ROM chip that gave us a sort of halfhearted C (this was probably in 1988, or something, so pre-standardization in any case). 'short' was 8 bit, 'int' 16, 'long' 32. Borland's Turbo C gave me so much more memory that it felt like being let out of jail (until I used it all up, that is).

IMA memory hog

Posted Oct 21, 2010 21:04 UTC (Thu) by jzbiciak (guest, #5246) [Link]

Never mind... I see the decrement later. Durrh. I had misinterpreted the count as "number of times this file has ever been opened for writing", which doesn't actually seem like a useful thing to have.


Copyright © 2010, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds