On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> automatically enable the IMA hook to measure asymmetric keys. Keys
> created or updated early in the boot process are queued up whether
> or not a custom IMA policy is provided. Although the queued keys will
> be freed if a custom IMA policy is not loaded within 5 minutes, it
> could still cause significant performance impact on smaller systems.

What exactly do you expect distributions to do with this? I can tell
you that most of them will take the default option, so this gets set
to N and you may as well not have got the patches upstream because you
won't be able to use them in any distro with this setting.

> This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> default. Since a custom IMA policy that defines key measurement is
> required to measure keys, systems that require key measurement can
> enable this config option in addition to providing a custom IMA
> policy.

Well, no they can't ... it's rather rare nowadays for people to build
their own kernels. The vast majority of Linux consumers take what the
distros give them.

Think carefully before you decide a config option is the solution to
this problem.

James
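For readers following the thread, this is an added illustration (not part of the original e-mail exchange or the patch under review) of the two pieces the quoted patch description says a system needs before any key gets measured: the Kconfig option enabled in the kernel build, plus a custom IMA policy rule that names the key-measurement hook. The option names are those mentioned in the thread; the policy rule syntax (`func=KEY_CHECK`, `keyrings=`) is assumed here from the IMA policy ABI documentation and the keyring list is a constructed sample, not something the thread specifies.

```text
# Kernel build configuration (.config fragment). With the quoted patch applied,
# IMA_MEASURE_ASYMMETRIC_KEYS defaults to N, so a distro kernel that does not
# set it explicitly will never run the key-measurement hook at all.
CONFIG_IMA=y
CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y

# Custom IMA policy (loaded into securityfs by userspace early in boot).
# Rule syntax is assumed from the ima_policy ABI documentation; the keyring
# names are a constructed sample. Without a rule like this, keys queued during
# early boot are dropped unmeasured once the 5-minute window mentioned in the
# patch description expires.
measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima template=ima-buf
```

The point James is making applies to the first half: if the option is off in the distro's build, no amount of policy in the second half will measure anything, so the policy file alone is not a way for an end user to opt in.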