Re: [PATCH] IMA: Handle early boot data measurement

From: Mimi Zohar
Date: Tue Aug 25 2020 - 11:40:45 EST


On Fri, 2020-08-21 at 16:12 -0700, Lakshmi Ramasubramanian wrote:
> The current implementation of early boot measurement in
> the IMA subsystem is very specific to asymmetric keys. It does not
> handle early boot measurement of data from other subsystems such as
> Linux Security Module (LSM), Device-Mapper, etc. As a result data,
> provided by these subsystems during system boot are not measured by IMA.
>
> Update the early boot key measurement to handle any early boot data.
> Refactor the code from ima_queue_keys.c to a new file ima_queue_data.c.
> Rename the kernel configuration CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS to
> CONFIG_IMA_QUEUE_EARLY_BOOT_DATA so it can be used for enabling any
> early boot data measurement. Since measurement of asymmetric keys is
> the first consumer of early boot measurement, this kernel configuration
> is enabled if IMA_MEASURE_ASYMMETRIC_KEYS and SYSTEM_TRUSTED_KEYRING are
> both enabled.
>
> Update the IMA hook ima_measure_critical_data() to utilize early boot
> measurement support.

Please limit the changes in this patch to renaming the functions and/or
files. For example, adding "measure_payload_hash" should be a separate
patch, not hidden here.

Mimi