On Wed, Jun 12, 2019 at 7:33 PM Roberto Sassu <roberto.sassu@xxxxxxxxxx> wrote:
> > That's a pretty big change for the userland IMHO. Quite a few
> > configurations out there will break, including mine I believe, so I
> > hope there is a solid reason asking people to change their stuff. I'm
> > fine holding off all writing until it is safe to do so for now.
>
> The goal of appraisal is to allow access only to files with a valid
> signature or HMAC. With the current behavior, that cannot be guaranteed.
>
> Unfortunately, dracut-state.sh is created very early. It could be
> possible to unseal the key before, but this probably means modifying
> systemd.

Ok, I see the use case.

Now, if you pull a urandom key that early on during the boot, the state of
the system entropy is at an all-time low, and you are not really protecting
against any sort of offline attack since the file is created during that
boot cycle. Is there really a use for such a key?

Wouldn't it be possible to create a new config option, say
IMA_ALLOW_EARLY_WRITERS, that would hold the NEW_FILE flag until the
persistent key becomes available? In other words, it would start the
measuring at the point when the key comes online?

--
Janne