[PATCH v2 00/15] ima: digest list feature

Ken Goldman kgold at linux.vnet.ibm.com
Tue Dec 5 22:03:15 UTC 2017

On 11/7/2017 5:36 AM, Roberto Sassu wrote:
> Digest lists aim at mitigating these issues. A digest list is a list of
> digests that are taken by IMA as reference measurements and loaded before
> files are accessed. Then, IMA compares calculated digests of accessed files
> with digests from loaded digest lists. If the digest is found, measurement,
> appraisal and audit are not performed.

If you don't do measurements (the extends), then the remote appraiser
can't determine what's running.  Doesn't that break the whole point of 
remote attestation?

> Digest lists address the first issue because the TPM is used only if the
> digest of a measured file is unknown. On a minimal system, 10 of 1400
> measurements are unknown because of mutable files (e.g. log files).
> Digest lists mitigate the second issue because, since digest lists do not
> change, they don't have to be sent at every remote attestation. Sending
> unknown measurements and a reference to digest lists would be sufficient.

Typically, one would not send the entire log at every attestation.  The
algorithm I use is:

- if it's the first quote after a reboot, send the entire log, else
- if PCRs haven't changed, don't send anything, else
- send a delta since the last attestation.

Even without this obvious optimization, the transmit time is negligible 
compared to the quote signature generation time.

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

More information about the Linux-security-module-archive mailing list