[RFC V2] IMA Log Snapshotting Design Proposal

Ken Goldman kgold at linux.ibm.com
Tue Oct 31 18:37:19 UTC 2023


On 10/19/2023 2:49 PM, Tushar Sugandhi wrote:
>    f. A new event, "snapshot_aggregate", will be computed and measured
>         in the IMA log as part of this feature.  It should help the
>         remote-attestation client/service to benefit from the IMA log
>         snapshot feature.
>         The "snapshot_aggregate" event is described in more detail in
>         section "D.1 Snapshot Aggregate Event" below.

What is the use case for the snapshot aggregate?  My thinking is:

1. The platform must retain the entire measurement list.  Early 
measurements can never be discarded because a new quote verifier
must receive the entire log starting at the first measurement.

In this case, isn't the snapshot aggregate redundant?

2. There is a disadvantage to redundant data.  The verifier must support 
this new event type. It receives this event and must validate the 
aggregate against the snapshot-ed events. This is an attack surface. 
The attacker can send an aggregate and snapshot-ed measurements that do 
not match to exploit a flaw in the verifier.
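
Added example, not part of the message above or of the proposal: a Python sketch of the verifier-side check that point 2 refers to, written to fail closed on a mismatched aggregate or a malformed entry. It assumes a SHA-256 PCR bank and that the aggregate is simply the PCR value obtained by replaying the snapshotted events; the actual event format is in section D.1 of the proposal, which is not reproduced here, and all names and sample data are constructed.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes for a SHA-256 PCR bank


def replay(digests, start=bytes(DIGEST_LEN)):
    """Replay template digests with TPM extend semantics: new = H(old || digest)."""
    pcr = start
    for d in digests:
        if len(d) != DIGEST_LEN:  # malformed entry: refuse, never pad or truncate
            raise ValueError("bad digest length")
        pcr = hashlib.sha256(pcr + d).digest()
    return pcr


def verify(snapshot, claimed_aggregate, live, quoted_pcr):
    """Accept only if the aggregate matches the snapshotted events AND the
    replay of snapshot + live events matches the PCR value from the quote."""
    try:
        snap_pcr = replay(snapshot)
        # Constant-time comparison; a mismatch rejects the whole log.
        if not hmac.compare_digest(snap_pcr, claimed_aggregate):
            return False
        return hmac.compare_digest(replay(live, snap_pcr), quoted_pcr)
    except (ValueError, TypeError):
        return False  # fail closed on any malformed input


# Constructed sample log (not real IMA entries).
EVENTS = [hashlib.sha256(n).digest()
          for n in (b"boot_aggregate", b"/sbin/init", b"/usr/bin/sshd")]
SNAPSHOT, LIVE = EVENTS[:2], EVENTS[2:]
QUOTED_PCR = replay(EVENTS)   # stands in for the PCR value from a verified TPM quote
AGGREGATE = replay(SNAPSHOT)  # assumed content of the aggregate event

if __name__ == "__main__":
    print(verify(SNAPSHOT, AGGREGATE, LIVE, QUOTED_PCR))          # consistent log
    print(verify(SNAPSHOT, bytes(DIGEST_LEN), LIVE, QUOTED_PCR))  # aggregate mismatch
```

In this model, snapshotted events that were altered together with a matching aggregate are still rejected by the comparison against the quoted PCR, because the full replay no longer reproduces it.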


