On Fri, 2019-12-20 at 17:52 -0800, Lakshmi Ramasubramanian wrote:
> keys queued for measurement should still be processed even if
> a custom IMA policy was not loaded. Otherwise, the keys will
> remain queued forever consuming kernel memory.
>
> This patch defines a timer to handle the above scenario. The timer
> is setup to expire 5 minutes after IMA initialization is completed.
>
> If a custom IMA policy is loaded before the timer expires, the timer
> is removed and any queued keys are processed. But if a custom policy
> was not loaded, on timer expiration any queued keys are processed.
>
> On timer expiration the keys are still processed. This will enable
> keys to be measured in case the built-in IMA policy defines a key
> measurement rule.

If there was a built-in policy rule for measuring the early boot keys,
then there wouldn't be a need for queueing the "key" measurements.
Just free the queued keys.

Mimi