On Fri, 2019-10-04 at 13:10 -0700, Lakshmi Ramasubramanian wrote:
> On 10/4/19 12:57 PM, Mimi Zohar wrote:
> >
> > > IMA is late because it is waiting for the TPM to be available.
> >
> > Another option would be to queue the measurements and then replay
> > them once the TPM and IMA are available.
> >
> > I'm not sure I like this approach any better.
>
> I agree - I too don't like this approach (queue the measurements and
> then replay). Even in that approach IMA will have to invoke functions
> outside of IMA to retrieve the stored measurements.

The measurements could be added to an IMA pending measurement workqueue,
until the TPM is enabled, assuming there is a TPM, and then processed.
All of this code would be within IMA.

> I prefer gathering data on trusted keys in ima_init, but gate it by IMA
> policy and follow the other coding guidelines you have suggested earlier
> (similar to the approach taken for kexec_cmdline measurement).

So your intention is only to measure the initial keys added to these
keyrings, not anything subsequently added to the secondary keyring?

> Please let me know if you agree - I can send the new patch set by next week.

Defining an LSM/IMA hook to measure keys, based on policy, seems cleaner
and more useful.

Mimi
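The pending-measurement-queue idea discussed in this thread, as an added user-space model that is not part of the thread or of the kernel's IMA code: measurements taken before the TPM is up are appended to the measurement list and to a pending queue, then extended into a simulated SHA-256 PCR in order once the TPM becomes available, and a verifier replaying the list reproduces the same PCR either way. All class and function names are assumptions.

```python
import hashlib
from collections import deque

# Constructed model of a pending-measurement queue; names are hypothetical.
def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style extend: new PCR = H(old PCR || digest), SHA-256 bank."""
    return hashlib.sha256(pcr + digest).digest()

class ImaModel:
    def __init__(self):
        self.log = []              # measurement list, in measurement order
        self.pending = deque()     # entries not yet extended into the PCR
        self.tpm_ready = False
        self.pcr = bytes(32)       # PCR starts at all zeros

    def measure(self, name: str, data: bytes) -> None:
        """Record a measurement; extend now if the TPM is up, else queue it."""
        digest = hashlib.sha256(data).digest()
        entry = (name, digest)
        self.log.append(entry)
        if self.tpm_ready:
            self.pcr = pcr_extend(self.pcr, digest)
        else:
            self.pending.append(entry)

    def tpm_available(self) -> int:
        """TPM initialised: flush queued entries in order; returns count flushed."""
        self.tpm_ready = True
        flushed = 0
        while self.pending:
            _name, digest = self.pending.popleft()
            self.pcr = pcr_extend(self.pcr, digest)
            flushed += 1
        return flushed

def replay_pcr(log) -> bytes:
    """What a remote verifier computes from the measurement list alone."""
    pcr = bytes(32)
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def demo() -> bool:
    """Two early measurements queued, TPM comes up, one more measured live."""
    ima = ImaModel()
    ima.measure("keyring:.builtin_trusted_keys", b"constructed key blob 1")
    ima.measure("keyring:.secondary_trusted_keys", b"constructed key blob 2")
    flushed = ima.tpm_available()
    ima.measure("boot_aggregate", b"constructed aggregate")
    return flushed == 2 and not ima.pending and replay_pcr(ima.log) == ima.pcr
```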