[PATCH v2 00/15] ima: digest list feature
Ken Goldman
kgold at linux.vnet.ibm.com
Tue Dec 5 22:03:15 UTC 2017
On 11/7/2017 5:36 AM, Roberto Sassu wrote:
>
> Digest lists aim at mitigating these issues. A digest list is a list of
> digests that are taken by IMA as reference measurements and loaded before
> files are accessed. Then, IMA compares calculated digests of accessed files
> with digests from loaded digest lists. If the digest is found, measurement,
> appraisal and audit are not performed.
If you don't do measurements (the extends), then the remote appraiser
can't determine what's running. Doesn't that break the whole point of
remote attestation?
> Digest lists address the first issue because the TPM is used only if the
> digest of a measured file is unknown. On a minimal system, 10 of 1400
> measurements are unknown because of mutable files (e.g. log files).
>
> Digest lists mitigate the second issue because, since digest lists do not
> change, they don't have to be sent at every remote attestation. Sending
> unknown measurements and a reference to digest lists would be sufficient.
Typically, one would not send the entire log at every attestation. The
algorithm I use is:
- if it's the first quote after a reboot, send the entire log, else
- if PCRs haven't changed, don't send anything, else
- send a delta since the last attestation.
Even without this obvious optimization, the transmit time is negligible
compared to the quote signature generation time.
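The three-way sending rule from the reply, together with a verifier-side replay that shows why the extends still have to reach the remote appraiser, as an added example that is not code from this thread or from IMA; the log, the PCR model and all names (`select_entries`, `verify`, `scenario`) are constructed for illustration.

```python
import hashlib
# Added example, not Ken Goldman's or IMA's code: a constructed model of a
# measurement log extended into one PCR, the sender rule from the reply
# (full log after reboot, nothing if the PCR is unchanged, else a delta) and
# the verifier's replay check. All names here are hypothetical.
PCR_INIT = bytes(32)  # PCR reset value after a reboot

def extend(pcr: bytes, digest: bytes) -> bytes:
    return hashlib.sha256(pcr + digest).digest()  # new PCR = H(old || digest)

def replay(pcr: bytes, entries) -> bytes:
    for d in entries:  # recompute a PCR from log entries in order
        pcr = extend(pcr, d)
    return pcr

def select_entries(state, boot_id, log, pcr_now):
    """Attester: choose what to ship with the quote and remember it."""
    if state["boot"] != boot_id:       # first quote since reboot
        mode, entries = "full", list(log)
    elif state["pcr"] == pcr_now:      # no new measurements
        mode, entries = "none", []
    else:                              # only the unsent tail
        mode, entries = "delta", log[state["sent"]:]
    state.update(boot=boot_id, sent=len(log), pcr=pcr_now)
    return mode, entries

def verify(vstate, boot_id, mode, entries, quoted_pcr) -> bool:
    """Verifier: replay onto the expected base and compare with the quote."""
    if mode == "full":
        base = PCR_INIT
    elif vstate["boot"] == boot_id:
        base = vstate["pcr"]
    else:
        return False                   # delta without a known base
    if replay(base, entries) != quoted_pcr:
        return False                   # a missing extend makes the replay diverge
    vstate.update(boot=boot_id, pcr=quoted_pcr)
    return True

def scenario():
    att = {"boot": None, "sent": 0, "pcr": PCR_INIT}
    ver, log, out = {"boot": None, "pcr": PCR_INIT}, [], []
    def step(boot, files, drop=0):
        log.extend(hashlib.sha256(f).digest() for f in files)  # constructed digests
        pcr = replay(PCR_INIT, log)
        mode, entries = select_entries(att, boot, log, pcr)
        out.append((mode, len(entries), verify(ver, boot, mode, entries[drop:], pcr)))
    step("boot-1", [b"/sbin/init", b"/bin/sh"])  # full log after boot
    step("boot-1", [])                           # PCR unchanged: send nothing
    step("boot-1", [b"/usr/bin/vim"])            # delta of one entry
    step("boot-1", [b"/tmp/x"], drop=1)          # delta with its entry stripped
    return out
```

The last step drops an entry from the delta before it reaches the verifier; the replayed PCR no longer matches the quote, which is the check a remote appraiser loses if measurements are skipped.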