[PATCH v6 0/8] IMA: support for measuring kernel integrity critical data
Mimi Zohar
zohar at linux.ibm.com
Mon Nov 23 13:41:35 UTC 2020
Hi Pavel,
On Sun, 2020-11-22 at 22:00 +0100, Pavel Machek wrote:
> Hi!
>
> > >How is it supposed to be useful?
> > >
> > >I'm pretty sure there are critical data that are not measured by
> > >proposed module... and that are written under normal circumstances.
> > >
> > The goal of this series is to introduce the IMA hook
> > measure_critical_data() and the necessary policies to use it; and
> > illustrate that use with one example (SELinux). It is not scalable to
> > identify and update all the critical data sources to use the proposed
> > module at once.
> >
> > A piecemeal approach to add more critical data measurement in subsequent
> > patches would be easy to implement and review.
>
> Basically every other data structure in kernel is "critical" by your
> definition, and you can't really measure them all; some of them change
> rather often. Going piecemeal does not really help here.
Agreed, measuring data structures that change is not really applicable.
However, measuring data structures that once initialized don't change,
does make sense (similar concept to __ro_after_init). The attestation
server doesn't need to know anything about the measurement, other than
more than a single measurement is indicative of a problem.
Mimi
> Example of critical data structure: page table entries for process I
> own.
More information about the Linux-security-module-archive
mailing list