[PATCH v6 1/3] IMA: Add KEY_CHECK func to measure keys

Lakshmi Ramasubramanian nramas at linux.microsoft.com
Wed Nov 13 20:21:56 UTC 2019


On 11/13/2019 12:14 PM, Mimi Zohar wrote:

>> @@ -655,6 +655,13 @@ void process_buffer_measurement(const void *buf, int size,
>>   	int action = 0;
>>   	u32 secid;
>>   
>> +	/*
>> +	 * If IMA is not yet initialized or IMA policy is empty
>> +	 * then there is no need to measure.
>> +	 */
>> +	if (!ima_policy_flag)
>> +		return;
>> +
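Review bot: the early return on `!ima_policy_flag` changes behaviour for every caller of process_buffer_measurement(), not only the new key-measurement hook, so it should be its own patch with the rationale in the commit message. The comment should also say what actually goes wrong without it: as the thread below explains, the hook runs early in boot (for example when builtin_trusted_keys are added), before IMA is initialized, and reaching ima_get_action() at that point panics. As written, "no need to measure" reads as an optimization rather than a guard against a crash.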
> 
> This addition has nothing to do with defining a new IMA hook and
> should be a separate patch.  This can be posted independently of this
> patch set.
> 
> Mimi

I'll move this change to a different patch, but it has to be either part of this patch set or taken on its own before this patch set, for the following reason:

The IMA hook gets called early in the boot process (for example, when builtin_trusted_keys are added). If the above check is not there, ima_get_action() is called and causes a kernel panic (since IMA is not yet initialized).

thanks,
  -lakshmi
