linux-integrity.vger.kernel.org archive mirror
From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
	zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: sashal@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default
Date: Tue, 21 Jan 2020 09:34:50 -0800	[thread overview]
Message-ID: <1579628090.3390.28.camel@HansenPartnership.com> (raw)
In-Reply-To: <20200121171302.4935-1-nramas@linux.microsoft.com>

On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> automatically enable the IMA hook to measure asymmetric keys. Keys
> created or updated early in the boot process are queued up whether
> or not a custom IMA policy is provided. Although the queued keys will
> be freed if a custom IMA policy is not loaded within 5 minutes, it
> could still cause significant performance impact on smaller systems.

What exactly do you expect distributions to do with this?  I can tell
you that most of them will take the default option, so this gets set to
N and you may as well not have got the patches upstream because you
won't be able to use them in any distro with this setting.

> This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> default.  Since a custom IMA policy that defines key measurement is
> required to measure keys, systems that require key measurement can
> enable this config option in addition to providing a custom IMA
> policy.

Well, no they can't ... it's rather rare nowadays for people to build
their own kernels.  The vast majority of Linux consumers take what the
distros give them.  Think carefully before you decide a config option
is the solution to this problem.

James


