Re: [PATCH v6 0/8] IMA: support for measuring kernel integrity critical data

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi!

> > > >How is it supposed to be useful?
> > > >
> > > >I'm pretty sure there are critical data that are not measured by
> > > >proposed module... and that are written under normal circumstances.
> > > >
> > > The goal of this series is to introduce the IMA hook
> > > measure_critical_data() and the necessary policies to use it; and
> > > illustrate that use with one example (SELinux). It is not scalable to
> > > identify and update all the critical data sources to use the proposed
> > > module at once.
> > > 
> > > A piecemeal approach to add more critical data measurement in subsequent
> > > patches would be easy to implement and review.
> > 
> > Basically every other data structure in kernel is "critical" by your
> > definition, and you can't really measure them all; some of them change
> > rather often. Going piecemeal does not really help here.
> 
> Agreed, measuring data structures that change is not really applicable.
> However, measuring data structures that once initialized don't change,
> does make sense (similar concept to __ro_after_init).  The attestation
> server doesn't need to know anything about the measurement, other than
> more than a single measurement is indicative of a problem.

So, why not simply measure everything that is ro_after_init?

But... I really fail to see how this is useful. It is trivial to
"backdoor" kernel w/o modifying anything that is
ro_after_init. (Example: page tables).

								Pavel
-- 
http://www.livejournal.com/~pavelmachek

Attachment: signature.asc
Description: PGP signature


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux Kernel]     [Linux Kernel Hardening]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux SCSI]

  Powered by Linux