[RFC V2] IMA Log Snapshotting Design Proposal
Ken Goldman
kgold at linux.ibm.com
Tue Oct 31 18:37:19 UTC 2023
On 10/19/2023 2:49 PM, Tushar Sugandhi wrote:
> f. A new event, "snapshot_aggregate", will be computed and measured
> in the IMA log as part of this feature. It should help the
> remote-attestation client/service to benefit from the IMA log
> snapshot feature.
> The "snapshot_aggregate" event is described in more details in
> section "D.1 Snapshot Aggregate Event" below.
What is the use case for the snapshot aggregate? My thinking is:
1. The platform must retain the entire measurement list. Early
measurements can never be discarded because a new quote verifier
must receive the entire log starting at the first measurement.
In this case, isn't the snapshot aggregate redundant?
2. There is a disadvantage to redundant data. The verifier must support
this new event type. It receives this event and must validate the
aggregate against the snapshot-ed events. This is an attack surface.
The attacker can send an aggregate and snapshot-ed measurements that do
not match to exploit a flaw in the verifier.
More information about the Linux-security-module-archive
mailing list