[PATCH v2] ima: export the measurement list when needed

Mimi Zohar zohar at linux.ibm.com
Thu Feb 13 01:03:16 UTC 2020


On Wed, 2020-02-12 at 16:08 -0500, david.safford at gmail.com wrote:
> On Tue, 2020-02-11 at 18:10 -0500, Mimi Zohar wrote:
> > On Tue, 2020-02-11 at 11:10 -0500, david.safford at gmail.com wrote:
> 
> > > <snip>
> > > 
> > This new feature will require setting up some infrastructure for
> > storing the partial measurement list(s) in order to validate a TPM
> > quote.  Userspace already can save partial measurement list(s) without
> > any kernel changes.  The entire measurement list does not need to be
> > read each time.  lseek can read past the last record previously read.
> > The only new aspect is truncating the in kernel measurement list in
> > order to free kernel memory.
> 
> This is a pretty important new feature.
> A lot of people can't use IMA because of the memory issue.
> Also, I really think we need to let administrators choose the tradeoffs
> of keeping the list in memory, on a local file, or only on the 
> attestation server, as best fits their use cases.

Dave, I understand that some use cases require the ability of
truncating the measurement list.  We're discussing how to truncate the
measurement list.  For example, in addition to the existing securityfs
binary_runtime_measurements file, we could define a new securityfs
file indicating the number of records to delete.

> > 
> > <snip>
> > 
> > Until there is proof that the measurement list can be exported to a
> > file before kexec, instead of carrying the measurement list across
> > kexec, and a TPM quote can be validated after the kexec, there isn't a
> > compelling reason for the kernel needing to truncate the measurement
> > list.
> 
> If this approach doesn't work with all the kexec use cases, then it is 
> useless, and the ball is in my court to prove that it does. Fortunately
> I have to test that anyway for the coming TLV support.
> 
> Working on it...

Testing could be done independently of the TLV support.  To verify
that you aren't losing any measurements, boot with a measurement
policy like "ima_policy=tcb" on the boot command line.

thanks,

Mimi
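The incremental read Mimi describes above (userspace saving partial lists by seeking past the last record already read) depends on parsing the record layout of securityfs binary_runtime_measurements. The following C is an added example, not code from this thread or from the kernel; it assumes the host-byte-order layout (u32 PCR, 20-byte SHA1 template digest, u32 name length, template name, u32 data length, template data) of templates such as ima-ng/ima-sig, treats the legacy "ima" template (no data-length field) as out of scope, and builds its own constructed sample records.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define IMA_SHA1_LEN 20
/* One binary_runtime_measurements record in host byte order. Assumption: only
 * templates with a template-data length field (ima-ng, ima-sig) are handled;
 * the legacy "ima" template omits that field. */
struct ima_record { uint32_t pcr; uint8_t digest[IMA_SHA1_LEN]; char name[32]; uint32_t data_len; };

/* Parse the record at buf[off]; return the offset just past it, or 0 when the
 * bytes from off do not form a complete record (torn read or bad data). */
static size_t ima_parse_record(const uint8_t *buf, size_t len, size_t off,
                               struct ima_record *r)
{
    uint32_t namelen;
    if (off > len || len - off < 4 + IMA_SHA1_LEN + 4)
        return 0;
    memcpy(&r->pcr, buf + off, 4);              off += 4;
    memcpy(r->digest, buf + off, IMA_SHA1_LEN); off += IMA_SHA1_LEN;
    memcpy(&namelen, buf + off, 4);             off += 4;
    if (namelen == 0 || namelen >= sizeof r->name || len - off < namelen + 4)
        return 0;
    memcpy(r->name, buf + off, namelen); r->name[namelen] = '\0'; off += namelen;
    memcpy(&r->data_len, buf + off, 4);         off += 4;
    return (len - off < r->data_len) ? 0 : off + r->data_len;
}

/* Consume every complete record from 'start' (the offset saved after the last
 * read, i.e. where userspace would lseek() to); return the offset to save for
 * next time, with *count set to the number of new records seen. */
static size_t ima_consume_new(const uint8_t *buf, size_t len, size_t start,
                              unsigned *count)
{
    struct ima_record r;
    size_t next, off = start;
    for (*count = 0; (next = ima_parse_record(buf, len, off, &r)) != 0; off = next)
        (*count)++;
    return off;
}

/* Append one constructed ima-ng-style record (test data, not a real log). */
static size_t ima_put_record(uint8_t *buf, size_t off, uint32_t pcr,
                             const char *name, const uint8_t *data, uint32_t dlen)
{
    uint32_t namelen = (uint32_t)strlen(name);
    memcpy(buf + off, &pcr, 4);            off += 4;
    memset(buf + off, 0xAB, IMA_SHA1_LEN); off += IMA_SHA1_LEN; /* dummy digest */
    memcpy(buf + off, &namelen, 4);        off += 4;
    memcpy(buf + off, name, namelen);      off += namelen;
    memcpy(buf + off, &dlen, 4);           off += 4;
    memcpy(buf + off, data, dlen);         off += dlen;
    return off;
}
```

A record that is only partially present (for example a read that raced with a new measurement being appended) is not consumed, so the saved offset always lands on a record boundary.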
