Hi! > > > >How is it supposed to be useful? > > > > > > > >I'm pretty sure there are critical data that are not measured by > > > >proposed module... and that are written under normal circumstances. > > > > > > > The goal of this series is to introduce the IMA hook > > > measure_critical_data() and the necessary policies to use it; and > > > illustrate that use with one example (SELinux). It is not scalable to > > > identify and update all the critical data sources to use the proposed > > > module at once. > > > > > > A piecemeal approach to add more critical data measurement in subsequent > > > patches would be easy to implement and review. > > > > Basically every other data structure in kernel is "critical" by your > > definition, and you can't really measure them all; some of them change > > rather often. Going piecemeal does not really help here. > > Agreed, measuring data structures that change is not really applicable. > However, measuring data structures that once initialized don't change, > does make sense (similar concept to __ro_after_init). The attestation > server doesn't need to know anything about the measurement, other than > more than a single measurement is indicative of a problem. So, why not simply measure everything that is ro_after_init? But... I really fail to see how this is useful. It is trivial to "backdoor" kernel w/o modifying anything that is ro_after_init. (Example: page tables). Pavel -- http://www.livejournal.com/~pavelmachek
Attachment:
signature.asc
Description: PGP signature
