On 11/20/2019 3:19 PM, Mimi Zohar wrote:
Hi Mimi,
The above can be used to correlate the key measurement IMA entry,
ima-sig and ima-modsig entries using the same key.
True, but associating the public key measurement with the file
signature requires information from the certificate (e.g. issuer,
serial number, and/or subject, subject keyid).
For a regression test, it would be nice if the key measurement,
itself, contained everything needed in order to validate the file
signatures in the measurement list.
I am just trying to understand your asks - Please clarify:
1, My change includes only the public key and not the entire certificate
information in the measured buffer.
Should I update this current patch set to measure the entire cert. Or,
can that be done as a separate patch set?
2, Should a regression test be part of this patch set for the key
measurement changes to be accepted?
thanks,
-lakshmi