On Tue, 2020-08-04 at 17:43 -0700, Lakshmi Ramasubramanian wrote: > Critical data structures of security modules are currently not measured. > Therefore an attestation service, for instance, would not be able to > attest whether the security modules are always operating with the policies > and configuration that the system administrator had setup. The policies > and configuration for the security modules could be tampered with by > malware by exploiting kernel vulnerabilities or modified through some > inadvertent actions on the system. Measuring such critical data would > enable an attestation service to better assess the state of the system. >From a high level review, "Critical data structures" should be the focus of this patch set. Measuring "critical data structures" should be independent of measuring the "policy" being loaded. The in memory policy hash could be an example of data included in the "critical data structures". Keep this patch set simple. Mimi