On 1/21/2020 11:52 AM, James Bottomley wrote:
> - really small devices/sensors being able to queue certificates
> seems like the answer to this one would be don't queue. I realise it's
> after the submit design, but what about measuring when the key is added
> if there's a policy otherwise measure the keyring when the policy is
> added ... that way no queueing.
Without the "deferred key processing" changes, only keys added at
runtime were measured (if policy permitted).
"deferred key processing" enabled queuing keys added early in the boot
process and measuring them when the policy is loaded.
We can make this (the queuing) optional through a config, but leave the
runtime key measurement auto-enabled (as is the config
IMA_MEASURE_ASYMMETRIC_KEYS now).
-lakshmi
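To make the trade-off in this exchange concrete, here is an added illustrative model (not kernel code, and not from either participant) of the two behaviours being compared: keys added before the IMA policy is loaded are either queued and measured once the policy arrives, or silently left unmeasured when queuing is disabled, while keys added at runtime are measured immediately either way. The `queue_early_keys` flag is an assumed stand-in for the optional config being proposed; the keyring names and key identifiers are constructed sample values.

```python
from dataclasses import dataclass, field

# Outcome labels for each key added to the model.
MEASURED = "measured"            # recorded in the measurement list
SKIPPED_BY_POLICY = "no-policy"  # policy loaded but does not cover this keyring
LOST_EARLY = "lost-early"        # added before policy load with queuing disabled


@dataclass
class ImaKeyModel:
    """Toy model of IMA key measurement with optional early-boot queuing.

    This is an illustrative simulation written for this thread, not the
    kernel's implementation.
    """
    queue_early_keys: bool = True          # assumed config knob: queue keys added before policy load
    policy_loaded: bool = False
    policy_keyrings: set = field(default_factory=set)   # keyrings the policy asks to measure
    queued: list = field(default_factory=list)          # (keyring, key_id) awaiting policy
    outcomes: dict = field(default_factory=dict)        # key_id -> outcome label

    def add_key(self, keyring: str, key_id: str) -> str:
        """Add a key; measure now, queue it, or lose it depending on state."""
        if self.policy_loaded:
            return self._measure(keyring, key_id)
        if self.queue_early_keys:
            self.queued.append((keyring, key_id))
            return "queued"
        # Queuing disabled and no policy yet: nothing records this key.
        self.outcomes[key_id] = LOST_EARLY
        return LOST_EARLY

    def load_policy(self, keyrings) -> None:
        """Load the measurement policy and process any queued keys."""
        self.policy_loaded = True
        self.policy_keyrings = set(keyrings)
        for keyring, key_id in self.queued:
            self._measure(keyring, key_id)
        self.queued.clear()

    def _measure(self, keyring: str, key_id: str) -> str:
        outcome = MEASURED if keyring in self.policy_keyrings else SKIPPED_BY_POLICY
        self.outcomes[key_id] = outcome
        return outcome


def run_boot_scenario(queue_early_keys: bool) -> dict:
    """Simulate early-boot key additions, policy load, then a runtime key."""
    model = ImaKeyModel(queue_early_keys=queue_early_keys)
    # Constructed sample keys: two added before the policy exists.
    model.add_key(".builtin_trusted_keys", "early-kernel-cert")
    model.add_key(".ima", "early-ima-cert")
    # Policy arrives and asks for only the .ima keyring to be measured.
    model.load_policy({".ima"})
    # A key added at runtime is measured immediately (if policy permits).
    model.add_key(".ima", "runtime-ima-cert")
    return dict(model.outcomes)


if __name__ == "__main__":
    for flag in (True, False):
        print(f"queue_early_keys={flag}: {run_boot_scenario(flag)}")
```

With queuing enabled the early `.ima` key is measured once the policy loads and the `.builtin_trusted_keys` key is skipped only because the sample policy does not cover it; with queuing disabled both early keys are lost, which is the gap the deferred processing was added to close, while the runtime key is measured in both runs.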