On Mon, 2021-08-02 at 08:14 +0000, Roberto Sassu wrote: > > From: Roberto Sassu [mailto:roberto.sassu@xxxxxxxxxx] > > Sent: Friday, July 30, 2021 4:25 PM > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > > > Sent: Friday, July 30, 2021 4:03 PM > > > Hi Roberto, > > > > > > On Fri, 2021-07-30 at 13:16 +0000, Roberto Sassu wrote: > > > > > From: Mimi Zohar [mailto:zohar@xxxxxxxxxxxxx] > > > > > Sent: Friday, July 30, 2021 2:40 PM > > > > > > > > "critical data", in this context, should probably be used for verifying > > > > > the in memory file digests and other state information haven't been > > > > > compromised. > > > > > > > > Actually, this is what we are doing currently. To keep the > > > > implementation simple, once the file or the buffer are uploaded > > > > to the kernel, they will not be modified, just accessed through > > > > the indexes. > > > > > > My main concern about digest lists is their integrity, from loading the > > > digest lists to their being stored in memory. A while back, there was > > > some work on defining a write once memory allocator. I don't recall > > > whatever happened to it. This would be a perfect usecase for that > > > memory allocator. > > > > Adding Igor in CC. > > > > Regarding loading, everything uploaded to the kernel is carefully > > evaluated. This should not be a concern. Regarding making them > > read-only, probably if you can subvert digest lists you can also > > remove the read-only protection (unless you use an hypervisor). > > I briefly talked with Igor. He also agreed with that, and added that > it could make it more difficult for an attacker to also disable the > protection. However, he is not planning to submit an update soon, > so I wouldn't consider this an option for now. Hi Roberto, Greg, As long as others understand and agree to the risk, the IMA details can be worked out. thanks, Mimi
