On Thu, Feb 13, 2020 at 3:03 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> > This is a pretty important new feature.
> > A lot of people can't use IMA because of the memory issue.
> > Also, I really think we need to let administrators choose the tradeoffs
> > of keeping the list in memory, on a local file, or only on the
> > attestation server, as best fits their use cases.
>
> Dave, I understand that some use cases require the ability of
> truncating the measurement list. We're discussing how to truncate the
> measurement list. For example, in addition to the existing securityfs
> binary_runtime_measurements file, we could define a new securityfs
> file indicating the number of records to delete.

I don't have strong opinions either way, just let me know how to adapt
the patch and we will get it done asap. I'd prefer a solution where
the kernel can initiate the flush, but if not then not.

Thanks everyone for all the help.

--
Janne