Re: [PATCH v4 01/10] IMA: Defined an IMA hook to measure keys on key create or update
On 11/7/19 12:53 PM, Mimi Zohar wrote:


>> The measurement decision is not based on whether the keyring is a
>> trusted one or an untrusted one. As long as the IMA policy allows
>> (through the "keyrings=" option) the key will be measured.
>
> We should be able to measure all keys being loaded onto any keyring or
> onto a specific "keyring=".  This shouldn't be any different than any
> other policy rule.  Once you have this basic feature working, you
> would address loading keys during early boot.

Perfect - that's exactly how I have implemented it right now. Will continue to test it.

>> Do you want only trusted keyrings to be allowed in the measurement?
>> In my opinion, that decision should be deferred to whoever is setting up
>> the IMA policy.
>
> Right, but it shouldn't be limited to just "trusted" keyrings.  This
> way you can first test loading keys onto any keyring.

Thank you.

> Queuing the keys should be independent of measuring the keys.
> Initially you would start with just measuring the key.  From a high
> level it would look like:
>
>      ima_post_key_create_or_update(...)
>      {
>         "measure key based on policy(key, keyring, ...)"
>      }
>
> This requires the IMA "keyring=" policy option support be defined
> first.
>
> Subsequently you would add key queuing support, and then update
> ima_post_key_create_or_update().  It would look like:
>
>          ima_post_key_create_or_update(...)
>          {
>              if (custom policy is loaded)
>                 "measure key based on policy(key, keyring, ...)"
>              else
>                  "queue key(key, keyring)"
>          }
>
> Mimi

Yes - I have the above change working. Will continue testing.

thanks,
 -lakshmi
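The measure-or-queue flow sketched in the exchange above, worked through as an added userspace simulation. This is example code written for this page, not code from the patch series or from either participant. It assumes a "keyrings=" policy value given as a comma-separated list of exact keyring names, a fixed-size queue, and a 64-bit FNV-1a hash standing in for the hash IMA really records; the names ima_post_key_create_or_update(), ima_measure_key(), ima_queue_key() and ima_load_policy() follow the sketch, but their signatures, the policy_matches_keyring() helper and the in-memory measurement log are invented here. Keys that arrive before any custom policy is loaded are queued; loading the policy drains the queue, measuring only keys on keyrings the policy names and dropping the rest.

```c
/* Added userspace simulation of the measure-or-queue flow described in the
 * mail; it is not kernel code.  Function names follow the thread; the
 * "keyrings=" list format, the fixed-size queue and the FNV-1a stand-in for
 * IMA's real hash are assumptions made for this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MAX_KEYS = 16, NAME_LEN = 64, BLOB_LEN = 256 };

struct key_rec {
    char keyring[NAME_LEN];              /* keyring the key was added to */
    unsigned char blob[BLOB_LEN];        /* private copy of the key payload */
    size_t len;
    uint64_t digest;                     /* set only once measured */
};

static const char *policy_keyrings;      /* NULL until a custom policy loads */
static struct key_rec queue[MAX_KEYS], mlog[MAX_KEYS];
static size_t nqueued, nlogged;

/* 64-bit FNV-1a: a cheap stand-in for the hash IMA really uses. */
static uint64_t fnv1a(const unsigned char *p, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++)
        h = (h ^ p[i]) * 0x100000001b3ULL;
    return h;
}

/* Exact-name match against the comma-separated keyrings= list. */
static int policy_matches_keyring(const char *keyring)
{
    char list[NAME_LEN * 4], needle[NAME_LEN + 2];
    if (!policy_keyrings) return 0;
    snprintf(list, sizeof list, ",%s,", policy_keyrings);
    snprintf(needle, sizeof needle, ",%s,", keyring);
    return strstr(list, needle) != NULL;
}

/* Copy the key into a record so the caller's buffer need not outlive it. */
static int fill_rec(struct key_rec *r, const char *keyring,
                    const unsigned char *blob, size_t len)
{
    if (len > BLOB_LEN) return 0;
    snprintf(r->keyring, NAME_LEN, "%s", keyring);
    memcpy(r->blob, blob, len);
    r->len = len;
    return 1;
}

/* "measure key based on policy(key, keyring, ...)": 1 if a log entry was added. */
static int ima_measure_key(const char *keyring, const unsigned char *blob, size_t len)
{
    if (!policy_matches_keyring(keyring) || nlogged >= MAX_KEYS ||
        !fill_rec(&mlog[nlogged], keyring, blob, len))
        return 0;
    mlog[nlogged++].digest = fnv1a(blob, len);
    return 1;
}

/* "queue key(key, keyring)" until a custom policy says what to measure. */
static int ima_queue_key(const char *keyring, const unsigned char *blob, size_t len)
{
    if (nqueued >= MAX_KEYS || !fill_rec(&queue[nqueued], keyring, blob, len))
        return 0;
    nqueued++;
    return 1;
}

/* The hook as sketched: measure under a loaded custom policy, otherwise queue. */
static int ima_post_key_create_or_update(const char *keyring, const unsigned char *blob, size_t len)
{
    return policy_keyrings ? ima_measure_key(keyring, blob, len)
                           : ima_queue_key(keyring, blob, len);
}

/* Custom policy arrives: install the list, drain the queue, return how many got measured. */
static size_t ima_load_policy(const char *keyrings)
{
    size_t measured = 0;
    policy_keyrings = keyrings;
    for (size_t i = 0; i < nqueued; i++)
        measured += ima_measure_key(queue[i].keyring, queue[i].blob, queue[i].len);
    nqueued = 0;  /* queued keys the policy does not cover are dropped */
    return measured;
}

int main(void)
{
    /* Constructed sample: a key before any policy, then a policy, then two more keys. */
    const unsigned char cert[] = "constructed-cert-blob";
    ima_post_key_create_or_update(".ima", cert, sizeof cert);
    printf("before policy: queued=%zu measured=%zu\n", nqueued, nlogged);
    ima_load_policy(".ima,.evm");
    ima_post_key_create_or_update(".evm", cert, sizeof cert);
    ima_post_key_create_or_update("_uid.1000", cert, sizeof cert);
    printf("after policy: queued=%zu measured=%zu\n", nqueued, nlogged);
    return 0;
}
```

The separation the exchange asks for is visible in the drain step: queuing stores a copy of the key with no policy decision taken, and the decision is made once, by ima_measure_key(), whether the key arrived before or after the custom policy. A key added to a keyring the policy does not name is never measured in either case, and the queue is emptied on policy load rather than kept, so nothing is measured twice.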