From: Stephen Smalley <stephen.smalley.work@gmail.com>
To: Mimi Zohar <zohar@kernel.org>
Cc: linux-integrity@vger.kernel.org,
William Roberts <bill.c.roberts@gmail.com>
Subject: Re: [PATCH v4 ima-evm-utils] extend ima_measurement --pcrs option to support per-bank pcr files
Date: Mon, 27 Jul 2020 10:34:52 -0400 [thread overview]
Message-ID: <CAEjxPJ66--SytmNQpHF-DOkoWsE3ri-Ni6nA0k3YmY1fqU-0qQ@mail.gmail.com> (raw)
In-Reply-To: <1595859338.4841.116.camel@kernel.org>
On Mon, Jul 27, 2020 at 10:15 AM Mimi Zohar <zohar@kernel.org> wrote:
>
> On Mon, 2020-07-27 at 09:21 -0400, Stephen Smalley wrote:
>
> > ---
> > v4 updates the usage in the README and usage message, reduces MAX_NPCRFILE
> > to 2 (for sha1 and sha256) and changes the buffer size to
> > MAX_DIGEST_SIZE * 2 + 8 for the lines read from the pcrs file(s).
> >
> > One thing that is unclear to me is correct/expected usage of the
> > --verify and --validate options to evmctl ima_measurement. For an
> > appraisal of a remote attestation, when would one NOT want to use
> > --verify (i.e. doesn't lack of --verify render the result insecure)
> > and when would one want to use --validate (i.e. doesn't use of --validate
> > render the result insecure)? And shouldn't the default in both cases
> > be the more secure case (i.e. verify = 1, validate = 0)? The naming of
> > --validate is also confusing since one might expect it to mean
> > to validate/check the result as opposed to ignore violations?
>
> Yes, agreed. Thank you for reviewing and commenting on the code.
>
> While adding support for these features, originally in LTP and the
> standalone version, they should be cleaned up. Should "--verify" just
> be dropped?
Unless there is some reason to not always verify during
ima_measurement, I'd drop the option and just always do it.
> Without a custom policy, with just the builtin
> "ima_policy=tcb" policy, a few files are read while being opened for
> write (e.g. audit, log, print files). Perhaps rename "validate" to
> something like "force-validate".
As long as there isn't a backward compatibility concern, that makes
more sense to me. Or "ignore-violations".
> I forgot to add "evmctl boot_aggregate" to the README. The supplied
> pcrs could also be used to calculate the "boot_aggregate" value(s).
I guess that support is automatically picked up since nothing
restricts usage of the --pcrs option to only ima_measurement and both
call read_tpm_banks(), which includes the pcr file support. So just a
matter of updating the usage message and README? That can be done as
a separate patch IMHO.
next prev parent reply other threads:[~2020-07-27 14:35 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-27 13:21 [PATCH v4 ima-evm-utils] extend ima_measurement --pcrs option to support per-bank pcr files Stephen Smalley
2020-07-27 14:15 ` Mimi Zohar
2020-07-27 14:34 ` Stephen Smalley [this message]
2020-07-27 14:51 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAEjxPJ66--SytmNQpHF-DOkoWsE3ri-Ni6nA0k3YmY1fqU-0qQ@mail.gmail.com \
--to=stephen.smalley.work@gmail.com \
--cc=bill.c.roberts@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).