On Thu, Jun 13, 2019 at 9:57 AM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
> > Ok, I see the use case. Now, if you pull a urandom key that early on
> > during the boot, the state of the system entropy is at all time low,
> > and you are not really protecting against any sort of offline attack
> > since the file is created during that boot cycle. Is there really use
> > for using such key? Wouldn't it be possible to create a new config
> > option, say IMA_ALLOW_EARLY_WRITERS, that would hold the NEW_FILE flag
> > until the persistent key becomes available? In other words, it would
> > start the measuring at the point when the key becomes online?
>
> I also thought about similar solutions. Another is for example to keep
> the appraisal flags at file close, if security.ima is successfully
> added to the file.
>
> Initializing EVM with a key is not a trivial change, but it seemed
> better to me as it does not introduce exceptions in the IMA behavior.

Would the appraise actually need any changes, just keep the IMA_NEW_FILE
in ima_check_last_writer()? Of course it's not that easy (it never is)
as the iint could go away and things like that, but with some tweaks?

--
Janne