On 12/20/2019 11:01 AM, Mimi Zohar wrote:
Hi Mimi,
If the kernel is built with both CONFIG_IMA and
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled then the IMA policy
must be applied as a custom policy. Not providing a custom policy
in the above configuration would result in asymmeteric keys being queued
until a custom policy is loaded. This is by design.
I didn't notice the "This is by design" here, referring to the memory
never being freed. "This is by design" was suppose to refer to
requiring a custom policy for measuring keys.
For now, these two patches are queued in the next-integrity-testing
branch, but I would appreciate your addressing not freeing the memory
associated with the keys, if a custom policy is not loaded.
Please note that I truncated the 2/2 patch description, as it repeats
the existing verification example in commit ("2b60c0ecedf8 IMA: Read
keyrings= option from the IMA policy").
thanks,
Mimi
Sure - I am fine with truncating the 2/2 patch description. Thanks for
doing that.
Regarding "Freeing the queued keys if custom policy is not loaded":
Shall I create a new patch set to address that and have that be reviewed
independent of this patch set?
Like you'd suggested earlier, we can wait for a certain time, after IMA
is initialized, and free the queue if a custom policy was not loaded.
Please let me know.
thanks,
-lakshmi
