[RFC] IMA Log Snapshotting Design Proposal

James Bottomley James.Bottomley at HansenPartnership.com
Tue Aug 1 21:21:55 UTC 2023


On Tue, 2023-08-01 at 12:12 -0700, Sush Shringarputale wrote:
[...]
> Truncating IMA log to reclaim memory is not feasible, since it makes
> the log go out of sync with the TPM PCR quote making remote
> attestation fail.

This assumption isn't entirely true.  It's perfectly possible to shard
an IMA log using two TPM2_Quotes for the beginning and end PCR values
to validate the shard.  The IMA log could be truncated in the same way
(replace the removed part of the log with a TPM2_Quote and AK, so the
log still validates from the beginning quote to the end).

If you use a TPM2_Quote mechanism to save the log, all you need to do
is have the kernel generate the quote with an internal AK.  You can
keep a record of the quote and the AK at the beginning of the truncated
kernel log.  If the truncated entries are saved in a file shard it
should have a beginning and end quote and a record of the AK used.
Since verifiers like Keylime are already using this beginning and end
quote for sharded logs, it's the most natural format to feed to
something externally for verification and it means you don't have to
invent a new format to do the same thing.

Regards,

James
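The shard-validation scheme James sketches above, as an added worked example. This is not code from the thread, the kernel, or Keylime; it models the check a verifier would run: each shard (the archived file shard and the truncated in-kernel log) carries the PCR value at its start and at its end, the verifier replays the shard's template hashes from the start value and must land exactly on the end value, and consecutive shards must chain end-to-begin up to the live PCR. The "quote" here is a stand-in: a real TPM2_Quote is signed by the AK inside the TPM, whereas this toy signs the PCR value with an HMAC under a constructed key so the shape of the check (verify the boundary quote, then replay) is visible without a TPM. The log entries, the template-hash construction, and all key and nonce values are constructed for the example.

```python
"""Replaying a sharded/truncated IMA log against boundary PCR values.

Added example, not the kernel's or Keylime's code. TPM2_Quote is modelled
by an HMAC over the PCR value under a constructed key (AK_SECRET).
"""
import hashlib
import hmac

PCR_SIZE = 32                      # SHA-256 bank
INITIAL_PCR = b"\x00" * PCR_SIZE   # PCR-10 reset value

# Constructed stand-in for the kernel-held attestation key (not a real AK).
AK_SECRET = b"constructed-ak-secret-not-a-real-tpm-key"


def extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM extend semantics: PCR' = H(PCR || template_hash)."""
    return hashlib.sha256(pcr + template_hash).digest()


def template_hash(entry: tuple) -> bytes:
    """Constructed stand-in for an ima-ng template hash: H(path || file digest)."""
    path, filedigest = entry
    return hashlib.sha256(path.encode() + filedigest).digest()


def quote(pcr: bytes, nonce: bytes) -> dict:
    """Stand-in for TPM2_Quote: an AK 'signature' over nonce || PCR value."""
    sig = hmac.new(AK_SECRET, nonce + pcr, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def quote_ok(q: dict) -> bool:
    """Check the stand-in quote signature with the stand-in AK."""
    expect = hmac.new(AK_SECRET, q["nonce"] + q["pcr"], hashlib.sha256).digest()
    return hmac.compare_digest(expect, q["sig"])


def make_shard(entries, start_pcr: bytes, nonce: bytes) -> dict:
    """Cut a shard: the entries plus quotes of the PCR before and after them."""
    pcr = start_pcr
    for e in entries:
        pcr = extend(pcr, template_hash(e))
    return {"begin": quote(start_pcr, nonce),
            "entries": list(entries),
            "end": quote(pcr, nonce)}


def verify_shard(shard: dict) -> bool:
    """Replay from the begin quote's PCR; the result must equal the end quote's PCR."""
    if not (quote_ok(shard["begin"]) and quote_ok(shard["end"])):
        return False
    pcr = shard["begin"]["pcr"]
    for e in shard["entries"]:
        pcr = extend(pcr, template_hash(e))
    return hmac.compare_digest(pcr, shard["end"]["pcr"])


def verify_chain(shards, current_pcr: bytes) -> bool:
    """Every shard must verify, chain end->begin, and finish at the live PCR."""
    pcr = INITIAL_PCR
    for s in shards:
        if not verify_shard(s) or s["begin"]["pcr"] != pcr:
            return False
        pcr = s["end"]["pcr"]
    return hmac.compare_digest(pcr, current_pcr)


# Constructed log: (path, file digest) pairs as if measured by ima-ng.
LOG = [
    ("/usr/bin/bash", hashlib.sha256(b"bash").digest()),
    ("/usr/lib/libc.so.6", hashlib.sha256(b"libc").digest()),
    ("/usr/bin/sshd", hashlib.sha256(b"sshd").digest()),
    ("/etc/ssh/sshd_config", hashlib.sha256(b"cfg").digest()),
]
NONCE = b"constructed-verifier-nonce-0001"


def build_shards():
    """Truncate after two entries: those go to a file shard, the kernel log keeps
    the rest and starts from the same quote the file shard ends with."""
    file_shard = make_shard(LOG[:2], INITIAL_PCR, NONCE)
    kernel_log = make_shard(LOG[2:], file_shard["end"]["pcr"], NONCE)
    return [file_shard, kernel_log]


def live_pcr() -> bytes:
    """What PCR-10 would hold after the whole log was extended."""
    pcr = INITIAL_PCR
    for e in LOG:
        pcr = extend(pcr, template_hash(e))
    return pcr


def demo_tamper() -> bool:
    """Drop an entry from the archived shard: replay no longer reaches its end quote."""
    shards = build_shards()
    del shards[0]["entries"][0]
    return verify_chain(shards, live_pcr())


if __name__ == "__main__":
    print("intact chain verifies:", verify_chain(build_shards(), live_pcr()))
    print("tampered shard verifies:", demo_tamper())
```

One caveat worth keeping in mind when reading this against the proposal: a quote the kernel generates at truncation time cannot bind a nonce a remote verifier chose later, so freshness of the overall attestation still has to come from the final live quote over the current PCR; the boundary quotes only bind the archived shard to the PCR history that the live quote then confirms.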



More information about the Linux-security-module-archive mailing list