From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, Sasha Levin <sashal@kernel.org>
Cc: linux-integrity@vger.kernel.org,
Matthew Garrett <mjg59@google.com>,
jamorris@linux.microsoft.com, kgoldman@us.ibm.com, "Wiseman,
Monty (GE Global Research, US)" <monty.wiseman@ge.com>,
Roberto Sassu <roberto.sassu@huawei.com>,
Greg KH <gregkh@linuxfoundation.org>
Subject: Re: [PATCH 0/1] KEYS: Measure keys in trusted keyring
Date: Fri, 4 Oct 2019 12:29:07 -0700 [thread overview]
Message-ID: <1dfc7a83-3fcb-1356-958e-2afb7c6f1285@linux.microsoft.com> (raw)
In-Reply-To: <1568913178.4733.89.camel@linux.ibm.com>
On 9/19/19 10:12 AM, Mimi Zohar wrote:
Hi Mimi,
> On 9/1 I commented on this patch set from a technical perspective,
> saying: >
> IMA measures, appraises, and audits files based on policy[1]. If
> you're going to measure keys, all of the code should be within the IMA
> subdirectory. The only code outside of the IMA subdirectory is either
> an LSM or IMA hook. If an LSM hook already exists, use it. If an LSM
> hook doesn't exist and the location is generic that other LSMs would
> be interested, define a new LSM hook, otherwise define a new IMA hook.
I am having trouble addressing the above feedback. Appreciate if you
could provide guidance:
The key(s) in the trusted keys keyring (builtin, secondary, etc.) are
added early in the kernel boot process. But IMA is initialized later.
If I have a LSM\IMA hook, that gets called when key(s) are added to the
trusted keys keyring, I won't be able to invoke IMA on "key add" since
IMA is not yet initialized.
Right now, I have the key measurement function in ima_init. I can gate
that based on policy (similar to how Prakhar has done kexec_cmdline
measurement) and follow the coding guidelines you have pointed to.
But it would still have to call keyring function to get the list of keys
in the trusted keys keyring.
Are you fine if I take the above approach?
If not, could you please suggest a better way to handle it that meets
the kernel layering guidelines?
Thanks,
-lakshmi
next prev parent reply other threads:[~2019-10-04 19:29 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-28 0:27 [PATCH 0/1] KEYS: Measure keys in trusted keyring Lakshmi Ramasubramanian
2019-08-28 0:27 ` [PATCH 1/1] " Lakshmi Ramasubramanian
2019-09-02 22:04 ` Mimi Zohar
2019-08-29 1:11 ` [PATCH 0/1] " Mimi Zohar
2019-08-30 2:43 ` Lakshmi Ramasubramanian
2019-08-30 18:41 ` Mimi Zohar
2019-09-03 15:54 ` Lakshmi Ramasubramanian
2019-09-09 13:31 ` Mimi Zohar
2019-09-09 21:34 ` James Morris
2019-09-19 13:18 ` Sasha Levin
2019-09-19 17:12 ` Mimi Zohar
2019-10-04 19:29 ` Lakshmi Ramasubramanian [this message]
2019-10-04 19:57 ` Mimi Zohar
2019-10-04 20:10 ` Lakshmi Ramasubramanian
2019-10-04 21:58 ` Mimi Zohar
2019-10-05 0:10 ` Lakshmi Ramasubramanian
2019-10-06 13:17 ` Mimi Zohar
2019-10-07 15:03 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1dfc7a83-3fcb-1356-958e-2afb7c6f1285@linux.microsoft.com \
--to=nramas@linux.microsoft.com \
--cc=gregkh@linuxfoundation.org \
--cc=jamorris@linux.microsoft.com \
--cc=kgoldman@us.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=mjg59@google.com \
--cc=monty.wiseman@ge.com \
--cc=roberto.sassu@huawei.com \
--cc=sashal@kernel.org \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).