On Tue, Dec 24, 2019 at 5:35 PM <david.safford@xxxxxxxxx> wrote:

> > That is a good question. I went this way as it did not feel right to
> > me that the kernel would depend on periodic, reliable userspace
> > functionality to stay running (we would have a circular dependency).
> > The thing is, once the kernel starts to run low on memory, it may
> > kill that periodic daemon flushing the data for reasons unrelated to IMA.
> >
>
> I'm happy with either way (kernel writing, or userspace reading) the
> data, but with the v1 patch, there is no way for userspace to force
> that the list be flushed - it only flushes on full. I think it is
> important for userspace to be able to trigger a flush, such as just
> prior to a kexec, or prior to an attestation.

Indeed, will add in v2.

> Perhaps you could simply remove the length test in ima_export_list(),
> and export anytime the filename is provided? This could simplify
> attestation clients, which could ask for different files each time
> (list.1, list.2...), for automatic log maintenance. Since the template
> format does not have sequence numbers, this would also help keep
> track of which records have already been seen.

Yes, will do something like this. Holidays cause some latency here, but
I will send an update next week.

-- Janne