[RFC] IMA Log Snapshotting Design Proposal - aggregate

Ken Goldman kgold at linux.ibm.com
Wed Aug 30 18:12:27 UTC 2023


On 8/1/2023 3:12 PM, Sush Shringarputale wrote:
> - A user-mode process will trigger the snapshot by opening a file in SysFS
>    say /sys/kernel/security/ima/snapshot (referred to as 
> sysk_ima_snapshot_file
>    here onwards).
> - The Kernel will get the current TPM PCR values and PCR update counter [2]
>    and store them as template data in a new IMA event "snapshot_aggregate".

If this is relying on a user-mode process, is there a concern that the 
process doesn't run. Might it be safer to have the kernel trigger the
snapshot.

PCR reads are not atomic, with each other and with event log appends. 
Is this an issue?

The PCR update counter can change between PCR reads.  What is its purpose?

What is the purpose of the snapshot aggregate?  Since the entire event 
log has to be retained and sent to the verifier, is the aggregate redundant?



More information about the Linux-security-module-archive mailing list