Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will automatically enable the IMA hook to measure asymmetric keys. Keys created or updated early in the boot process are queued up whether or not a custom IMA policy is provided. Although the queued keys will be freed if a custom IMA policy is not loaded within 5 minutes, it could still cause significant performance impact on smaller systems. This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by default. Since a custom IMA policy that defines key measurement is required to measure keys, systems that require key measurement can enable this config option in addition to providing a custom IMA policy. Signed-off-by: Lakshmi Ramasubramanian <nramas@xxxxxxxxxxxxxxxxxxx> --- security/integrity/ima/Kconfig | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 355754a6b6ca..8e678219ee9e 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig @@ -312,7 +312,19 @@ config IMA_APPRAISE_SIGNED_INIT This option requires user-space init to be signed. config IMA_MEASURE_ASYMMETRIC_KEYS - bool + bool "Enable asymmetric keys measurement on key create or update" depends on IMA depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y - default y + default n + help + This option enables measuring asymmetric keys when the key + is created or updated. Additionally a custom IMA policy that + defines key measurement should also be loaded. + + If this option is enabled, keys created or updated early in + the boot process are queued up. The queued keys are processed + when a custom IMA policy is loaded. But if a custom IMA policy + is not loaded within 5 minutes after IMA subsystem is initialized, + any queued keys are just freed. Keys created or updated after + a custom IMA policy is loaded will be processed immediately and + not queued. -- 2.17.1
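Review bot: The explicit `default n` added in the hunk is redundant, since a Kconfig `bool` already defaults to n, so the cleaner change is to drop the `- default y` line without adding a replacement. In the new help text, "Additionally a custom IMA policy that defines key measurement should also be loaded" understates what the commit message itself says (a custom policy "is required to measure keys"); consider "must also be loaded" so an administrator does not enable the option and assume keys are being measured without a policy. Minor wording in the same block: "within 5 minutes after IMA subsystem is initialized" should read "after the IMA subsystem is initialized".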