Re: [PATCH v6 0/8] IMA: support for measuring kernel integrity critical data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2020-11-23 at 18:18 +0100, Pavel Machek wrote:
> > > Basically every other data structure in kernel is "critical" by your
> > > definition, and you can't really measure them all; some of them change
> > > rather often. Going piecemeal does not really help here.
> > 
> > Agreed, measuring data structures that change is not really applicable.
> > However, measuring data structures that once initialized don't change,
> > does make sense (similar concept to __ro_after_init).  The attestation
> > server doesn't need to know anything about the measurement, other than
> > more than a single measurement is indicative of a problem.
> 
> So, why not simply measure everything that is ro_after_init?

I guess we could, but the original discussion, a long time ago prior to
LSM stacking, was limited to measuring the LSM hooks.

Mimi

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel




[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux