[RFC] IMA Log Snapshotting Design Proposal - network bandwidth
Tushar Sugandhi
tusharsu at linux.microsoft.com
Fri Sep 1 21:20:26 UTC 2023
Thanks a lot Ken for looking at the proposal, and sharing your thoughts.
On 8/30/23 11:06, Ken Goldman wrote:
>
>
> On 8/1/2023 3:12 PM, Sush Shringarputale wrote:
>> In addition, a large IMA log can add pressure on the network bandwidth
>> when the attestation client sends it to remote-attestation-service.
>
> I would not worry too much about network bandwidth.
Our bandwidth concerns are about scaled-out systems.
When the IMA log size increases into the range of megabytes, and when the
number of client devices increases, it impacts the overall
network bandwidth.
>
> 1. Every solution eventually realizes that sending the entire log each
> time hurts performance. The verifier will ask the attestor, "give me
> everything since record n", and the number of new entries approaches zero.
>
Completely agreed. IMA log snapshotting (this proposed feature) is a
solution in that direction.
> 2. My benchmarks show that
>
> On the client, the TPM quote time swamps everything else.
> On the server, verifying the IMA entry signatures swamps everything else.
>
> The network transfer time is negligible.
Agreed, it is true in the context of an individual client device.
Our network bandwidth concerns are for the overall traffic on the scaled-out
system. It impacts the network bandwidth when the IMA log is large
(MBs), and the issue is compounded when there are a large number of
client devices.
Thanks,
Tushar
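The incremental model Ken describes ("give me everything since record n") and the bandwidth effect Tushar raises, as an added illustration that is not code from this thread, from IMA, or from the snapshotting patch set. It assumes a single SHA-256 PCR bank, models the quote as the client's true PCR value (no TPM signature check), and uses constructed template hashes derived from file path strings.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 bank; one PCR 10 only (simplification)

def extend(pcr: bytes, template_hash: bytes) -> bytes:
    """TPM PCR extend semantics: new = H(old || digest)."""
    return hashlib.sha256(pcr + template_hash).digest()

class Client:
    """Attester: keeps the IMA measurement list and the PCR it produced."""
    def __init__(self):
        self.log = []               # template hashes, in measurement order
        self.pcr = bytes(PCR_SIZE)  # PCR 10 starts at all zeros
    def measure(self, path: str):
        th = hashlib.sha256(path.encode()).digest()  # constructed template hash
        self.log.append(th)
        self.pcr = extend(self.pcr, th)
    def attest(self, since: int):
        """Return (quoted PCR, entries from index `since`): the incremental transfer."""
        return self.pcr, self.log[since:]

class Verifier:
    """Remote attestation service: caches per-client entry count and replayed PCR."""
    def __init__(self):
        self.count = 0
        self.pcr = bytes(PCR_SIZE)
        self.bytes_received = 0
    def verify(self, quote_pcr: bytes, new_entries: list) -> bool:
        self.bytes_received += len(new_entries) * PCR_SIZE
        pcr = self.pcr
        for th in new_entries:          # replay only the entries not yet seen
            pcr = extend(pcr, th)
        if pcr != quote_pcr:
            return False  # replayed log disagrees with the quote: keep old state
        self.pcr, self.count = pcr, self.count + len(new_entries)
        return True

def demo():
    """Two attestations; the second ships only the one new entry."""
    c, v = Client(), Verifier()
    for p in ("/usr/bin/bash", "/usr/lib/libc.so.6"):
        c.measure(p)
    ok1 = v.verify(*c.attest(v.count))  # first run: full log, 2 entries sent
    c.measure("/etc/ld.so.cache")
    ok2 = v.verify(*c.attest(v.count))  # second run: only 1 entry sent
    full = 5 * PCR_SIZE  # 2 then 3 entries if each run resent the whole log
    return ok1, ok2, v.count, v.bytes_received, full
```

The verifier only advances its cached count and PCR when the replay matches the quote, so a delivery that does not chain onto the cached state is rejected without losing the previously verified position.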