On 3/16/21 10:21 AM, Petr Vorel wrote:
Hi Petr,
Just a double check does it always work without template=ima-buf for all kernel versions?
Or only for kernels with dea87d0889dd ("ima: select ima-buf template for buffer measurement")
i.e. v5.11-rc1 or backport?
The above change is required. Prior to this change, template has to be
specified in the policy, otherwise the default template would be used.
The default template is ima-ng, right?
Yes: ima-ng is the default template.
From what you write I understand that "measure func=KEY_CHECK
keyrings=.ima|.evm" will work only on newer kernel, thus we should always use
template=ima-buf as the policy example so that it's working also on that few
kernels between <v5.6,v5.10> (which have IMA key functionality, but not
dea87d0889dd), right?
Yes: In the kernels between v5.6 and v5.10, ima-buf template needs to be
specified in the policy for KEY_CHECK.
But we should mention that in the README.md.
Agreed - will update the README.md
thanks,
-lakshmi
