Hi Tushar,

thank you for answering my questions and looking at my suggestions.

> I can update the verity_status() to measure if v->signature_key_desc is
> set.
>
> Something like:
> DMEMIT("signature_key_desc_present=%c,", v->signature_key_desc ? 'y' :
> 'n');

If my understanding that this entry is only set if the signature was validated is correct then this should work.

> Please note – even if we measure signature_key_desc (full string or just
> its presence): in order to use it with the keyrings, the IMA policy also
> needs to be set to measure key rings (using "measure func=KEY_CHECK
> ..."). It is independent from measuring the device mapper data (which is
> measured when the policy is set to "measure func=CRITICAL_DATA
> label=device-mapper ...").
>
> Therefore measuring keyrings together (i.e. in the same IMA log) with DM
> data is not always guaranteed, since it is dictated by how the IMA
> policy is configured.

Thanks for pointing that out. Currently we don't measure the keyrings but when we enable remote attestation for dm-verity we'll make sure that our IMA policy also measures the keyrings.

Regards,
Thore
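
The policy dependency discussed in this message, as an added example that is not part of the original e-mail or of the kernel patch: a check that an IMA policy text contains both a KEY_CHECK measure rule and a CRITICAL_DATA measure rule covering the device-mapper label, so that keyring and DM measurements end up in the same IMA log. The sample policies, the function names and the keyrings= values are constructed for illustration; rule ordering and dont_measure rules are not modelled.

```python
# Constructed sample policies (assumptions for illustration, not from the thread).
POLICY_DM_ONLY = """\
# device mapper state only
measure func=CRITICAL_DATA label=device-mapper
"""
POLICY_BOTH = """\
measure func=KEY_CHECK keyrings=.builtin_trusted_keys|.ima
measure func=CRITICAL_DATA label=selinux|device-mapper
"""
POLICY_OTHER_LABEL = """\
measure func=KEY_CHECK
measure func=CRITICAL_DATA label=selinux
"""


def parse_rule(line):
    """Split one policy line into (action, {condition: value})."""
    tokens = line.split()
    conds = {}
    for tok in tokens[1:]:
        key, _, value = tok.partition("=")
        conds[key] = value
    return tokens[0], conds


def coverage(policy_text):
    """Report which of the two measurements the policy enables."""
    found = {"device_mapper": False, "key_check": False}
    for raw in policy_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        action, conds = parse_rule(line)
        if action != "measure":
            continue
        if conds.get("func") == "KEY_CHECK":
            found["key_check"] = True
        elif conds.get("func") == "CRITICAL_DATA":
            labels = conds.get("label")
            # A rule without label= matches every critical-data label;
            # otherwise label= is a '|'-separated list.
            if labels is None or "device-mapper" in labels.split("|"):
                found["device_mapper"] = True
    return found


def keyrings_and_dm_in_same_log(policy_text):
    c = coverage(policy_text)
    return c["device_mapper"] and c["key_check"]
```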