On Tue, 2020-01-21 at 12:38 -0800, Lakshmi Ramasubramanian wrote:
> On 1/21/2020 11:52 AM, James Bottomley wrote:
>
> >> - really small devices/sensors being able to queue certificates
> >
> > seems like the answer to this one would be don't queue. I realise it's
> > after the submit design, but what about measuring when the key is added
> > if there's a policy otherwise measure the keyring when the policy is
> > added ... that way no queueing.
>
> Without the "deferred key processing" changes, only keys added at
> runtime were measured (if policy permitted).
>
> "deferred key processing" enabled queuing keys added early in the boot
> process and measured them when the policy is loaded.
>
> We can make this (the queuing) optional through a config, but leave the
> runtime key measurement auto-enabled (as is the config
> IMA_MEASURE_ASYMMETRIC_KEYS now).

Thanks, Lakshmi.

This requires moving the code around. Instead of doing this on the
current code base, I suggest posting a v9 version of the entire "IMA:
Deferred measurement of keys". I suggest making the switch from
spinlock to mutex, as you had it originally, before posting v9. The
commit history will then be a lot cleaner.

thanks,

Mimi