On Tue, 2023-11-21 at 17:01 -0800, Tushar Sugandhi wrote:
> Hi Mimi,
> To address your concern about pausing the measurements -
> We are not proposing to pause the measurements for the entire duration
> of UM <--> Kernel interaction while taking a snapshot.
>
> We are simply proposing to pause the measurements when we get the TPM
> PCR quotes to add them to "snapshot_aggregate" (which should be a very
> small time window). IMA already has this mechanism when two separate
> modules try to add an entry to the IMA log - by using
> mutex_lock(&ima_extend_list_mutex); in ima_add_template_entry.
>
> We plan to use this existing locking functionality.
> Hope this addresses your concern about pausing extending the measurement
> list.

Each TPM PCR read is a separate TPM command. Have you done any performance analysis to see how long it actually takes to calculate the "snapshot_aggregate" with a physical TPM?

The "snapshot_aggregate" is a new critical-data and should be upstreamed independently of this patch set.

--
thanks,
Mimi
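The performance question above is about how long the measurement list stays paused while one PCR read per TPM command is issued under the list lock. The following is an added illustration, not code from the kernel or from the patch set under discussion: it models the measurement list with a lock, models each PCR read as a separate command with a configurable latency, computes a SHA-256 aggregate over the PCR values read inside the locked window, and reports how long that window was held. The `MeasurementList`, `read_pcr` and `snapshot_aggregate` names, the PCR selection and the PCR contents are all constructed for this example.

```python
import hashlib
import threading
import time

# Constructed SHA-256 PCR bank values; a real TPM would return these
# from one TPM2_PCR_Read command per PCR (assumption: one read per PCR).
FAKE_PCRS = {i: hashlib.sha256(b"constructed-pcr-%d" % i).digest() for i in range(24)}


class MeasurementList:
    """Toy stand-in for the IMA measurement list and its extend lock."""

    def __init__(self):
        # RLock so the snapshot path can append while already holding the lock.
        self.lock = threading.RLock()
        self.entries = []

    def add_entry(self, digest):
        """Every writer takes the same lock, as ima_add_template_entry does."""
        with self.lock:
            self.entries.append(digest)
            return len(self.entries)


def read_pcr(index, latency_s=0.0):
    """Model one TPM PCR read; latency_s stands in for the command round trip."""
    time.sleep(latency_s)
    return FAKE_PCRS[index]


def expected_aggregate(pcr_indices):
    """Reference value: SHA-256 over the selected PCR values, in order."""
    h = hashlib.sha256()
    for i in pcr_indices:
        h.update(FAKE_PCRS[i])
    return h.digest()


def snapshot_aggregate(mlist, pcr_indices, latency_s=0.0):
    """Hold the list lock while reading each PCR and hashing them together.

    Returns (aggregate_digest, seconds_lock_was_held). The held time grows
    with len(pcr_indices) * latency_s because the reads are serial commands.
    """
    h = hashlib.sha256()
    start = time.perf_counter()
    with mlist.lock:
        for i in pcr_indices:
            h.update(read_pcr(i, latency_s))
        digest = h.digest()
        # Record the aggregate itself as a list entry while still locked,
        # so no other measurement can interleave between read and record.
        mlist.add_entry(digest)
    held = time.perf_counter() - start
    return digest, held


if __name__ == "__main__":
    ml = MeasurementList()
    # 5 ms per simulated PCR read over PCRs 0..7 -> roughly 40 ms paused.
    digest, held = snapshot_aggregate(ml, range(8), latency_s=0.005)
    print("aggregate:", digest.hex())
    print("lock held for %.1f ms across %d PCR reads" % (held * 1000, 8))
```

Changing `latency_s` to a value measured against a physical TPM turns the printed window into the number the question above asks for; with a zero latency the block only shows that the aggregate is deterministic over the chosen PCR order.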