[PATCH v6 0/8] IMA: support for measuring kernel integrity critical data

Mimi Zohar zohar at linux.ibm.com
Mon Nov 23 19:49:10 UTC 2020


On Mon, 2020-11-23 at 18:18 +0100, Pavel Machek wrote:
> > > Basically every other data structure in kernel is "critical" by your
> > > definition, and you can't really measure them all; some of them change
> > > rather often. Going piecemeal does not really help here.
> > 
> > Agreed, measuring data structures that change is not really applicable.
> > However, measuring data structures that once initialized don't change,
> > does make sense (similar concept to __ro_after_init).  The attestation
> > server doesn't need to know anything about the measurement, other than
> > more than a single measurement is indicative of a problem.
> 
> So, why not simply measure everything that is ro_after_init?

I guess we could, but the original discussion, a long time ago prior to
LSM stacking, was limited to measuring the LSM hooks.

Mimi



More information about the Linux-security-module-archive mailing list