[RFC V2] IMA Log Snapshotting Design Proposal
Ken Goldman
kgold at linux.ibm.com
Wed Dec 20 22:13:47 UTC 2023
I'm still struggling with the "new root of trust" concept.
Something - a user space agent, a third party, etc. - has to
retain the entire log from event 0, because a new verifier
needs all measurements.
Therefore, the snapshot aggregate seems redundant. It has to
be verified to match the snapshotted events.
A redundancy is an attack surface. A badly written verifier
might not do that verification, and this permits snapshotted
events to be forged. No aggregate means the verifier can't
make a mistake.
On 11/22/2023 9:22 AM, Paul Moore wrote:
> I believe the intent is to only pause the measurements while the
> snapshot_aggregate is generated, not for the duration of the entire
> snapshot process. The purpose of the snapshot_aggregate is to
> establish a new root of trust, similar to the boot_aggregate, to help
> improve attestation performance.
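As an added illustration of the check discussed above (not code from this thread or from the IMA patches), a toy verifier that replays snapshotted events into a simulated PCR and compares the result with the snapshot aggregate, next to the "badly written" variant that trusts the aggregate without replaying the events. The extend model (SHA-256 bank, zero-initialised PCR) and every event value are assumptions for the example.

```python
import hashlib

# Constructed sample events, not taken from the page: (pcr_index, template_hash_hex)
# as a verifier would parse them from the IMA runtime measurement list.
SNAPSHOT_EVENTS = [
    (10, hashlib.sha256(b"boot_aggregate").hexdigest()),
    (10, hashlib.sha256(b"/usr/bin/attestation-agent").hexdigest()),
    (10, hashlib.sha256(b"/etc/ima/ima-policy").hexdigest()),
]


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend on a SHA-256 bank: new = H(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay_aggregate(events) -> str:
    """Assumed model: the snapshot aggregate is the PCR value reached by
    extending a zero-initialised PCR with each snapshotted template hash,
    in log order (the same replay a verifier does for the full log)."""
    pcr = bytes(32)
    for _pcr_index, template_hex in events:
        pcr = extend(pcr, bytes.fromhex(template_hex))
    return pcr.hex()


def naive_verify(events, snapshot_aggregate: str, quoted_pcr: str) -> bool:
    """The mistake the mail warns about: the aggregate is accepted as the new
    root of trust because it matches the quoted PCR, but the snapshotted
    events are never replayed against it, so any event list is accepted."""
    return snapshot_aggregate == quoted_pcr


def strict_verify(events, snapshot_aggregate: str, quoted_pcr: str) -> bool:
    """Replay the snapshotted events and require the replayed value to equal
    both the supplied aggregate and the quoted PCR; the aggregate then adds
    nothing the replay does not already establish."""
    return replay_aggregate(events) == snapshot_aggregate == quoted_pcr


def tampered_copy(events, index: int, new_path: bytes):
    """Return a copy of the event list with one template hash swapped out,
    to show which verifier notices."""
    forged = list(events)
    pcr_index, _ = forged[index]
    forged[index] = (pcr_index, hashlib.sha256(new_path).hexdigest())
    return forged
```

Running `strict_verify` and `naive_verify` on a tampered copy against the genuine aggregate shows the difference: the replaying verifier rejects it, the naive one does not.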