On Fri, 2019-10-04 at 17:10 -0700, Lakshmi Ramasubramanian wrote:
> On 10/4/19 2:58 PM, Mimi Zohar wrote:
>
> > The measurements could be added to an IMA pending measurement
> > workqueue, until the TPM is enabled, assuming there is a TPM, and then
> > processed. All of this code would be within IMA.
>
> Good point. I will look into this.
>
> >> I prefer gathering data on trusted keys in ima_init, but gate it by IMA
> >> policy and follow the other coding guidelines you have suggested earlier
> >> (similar to the approach taken for kexec_cmdline measurement).
> >
> > So your intention is only to measure the initial keys added to these
> > keyrings, not anything subsequently added to the secondary keyring?
>
> I am currently measuring only the initial keys. But I think including
> the ones added subsequently is a good idea.
>
> > Defining an LSM/IMA hook to measure keys, based on policy, seems
> > cleaner and more useful.
>
> I agree.

As defining an early IMA workqueue and measuring keys are independent of
each other, they should be posted, reviewed, and upstreamed as separate
patch sets.

Mimi