On Tue, 2020-01-21 at 09:34 -0800, James Bottomley wrote: > On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote: > > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will > > automatically enable the IMA hook to measure asymmetric keys. Keys > > created or updated early in the boot process are queued up whether > > or not a custom IMA policy is provided. Although the queued keys will > > be freed if a custom IMA policy is not loaded within 5 minutes, it > > could still cause significant performance impact on smaller systems. > > What exactly do you expect distributions to do with this? I can tell > you that most of them will take the default option, so this gets set to > N and you may as well not have got the patches upstream because you > won't be able to use them in any distro with this setting. > > > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by > > default. Since a custom IMA policy that defines key measurement is > > required to measure keys, systems that require key measurement can > > enable this config option in addition to providing a custom IMA > > policy. > > Well, no they can't ... it's rather rare nowadays for people to build > their own kernels. The vast majority of Linux consumers take what the > distros give them. Think carefully before you decide a config option > is the solution to this problem. James, up until now IMA could be configured, but there wouldn't be any performance penalty for enabling IMA until a policy was loaded. With IMA and asymmetric keys enabled, whether or not an IMA policy is loaded, certificates will be queued. My concern is: - changing the expected behavior - really small devices/sensors being able to queue certificates This change permits disabling queueing certificates. Whether the default should be "disabled" is a separate question. I'm open to comments/suggestions. Mimi
