On Wed, 2019-05-15 at 11:17 -0700, Lakshmi wrote:
> Hi Mimi,
>
> I would like to make sure I understood your feedback.
>
> > Why duplicate the certificate info on each record in the measurement
> > list? Why not add the certificate info once, as the key is loaded
> > onto the .ima and .platform keyrings?
>
> The key_create_or_update function in security/keys/key.c is called to
> add/update a key to a keyring. Are you suggesting that an IMA function
> be called from here to add the certificate info to the IMA log?

There's an existing LSM hook in alloc_key(), but the keyring isn't being
passed. Again, a decision would need to be made as to whether this needs
to be an LSM or IMA hook.

> Our requirement is that the key information is available in the IMA log,
> which is TPM backed.

There's some confusion as to why adding the keys to the measurement list
is needed. Could you respond to Ken's questions please?

Mimi