On Fri, 2020-01-03 at 10:08 -0500, Mimi Zohar wrote:
> > This change adds support for queuing keys created or updated before
> > a custom IMA policy is loaded. The queued keys are processed when
> > a custom policy is loaded. Keys created or updated after a custom policy
> > is loaded are measured immediately (not queued).
> >
> > If the kernel is built with both CONFIG_IMA and
> > CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled then the IMA policy
> > must be applied as a custom policy for the keys to be measured.
> > If a custom IMA policy is not provided within 5 minutes after
> > IMA is initialized, any queued keys will be freed.
>
> As the merge message, this is too much information. I would extend
> the previous paragraph and drop this one, like:
> "... (not queued). In the case when a custom policy is not loaded
> within 5 minutes of IMA initialization, the queued keys are freed."
>
> > This is by design.
>
> It's unclear what "is by design" refers to. Perhaps expand this
> sentence like: "Measuring the early boot keys, by design, requires
> loading a custom policy.

Instead of including this comment as the last sentence of the cover letter, it would make a good opening sentence for the second paragraph.

Mimi