Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

From: Lakshmi Ramasubramanian
Date: Tue Jan 21 2020 - 15:38:48 EST


On 1/21/2020 11:52 AM, James Bottomley wrote:

> > - really small devices/sensors being able to queue certificates
>
> seems like the answer to this one would be don't queue. I realise it's
> after the submit design, but what about measuring when the key is added
> if there's a policy; otherwise measure the keyring when the policy is
> added ... that way no queueing.

Without the "deferred key processing" changes, only keys added at runtime were measured (if policy permitted).

"deferred key processing" enabled queuing keys added early in the boot process and measuring them when the policy is loaded.

We can make this (the queuing) optional through a config, but leave the runtime key measurement auto-enabled (as is the config IMA_MEASURE_ASYMMETRIC_KEYS now).

-lakshmi