Re: [Linux-ima-devel] [PATCH 11/12] ima: don't report measurements if digests are included in the loaded lists

From: Ken Goldman
Date: Wed Aug 09 2017 - 16:35:34 EST

Next message: Dmitry Vyukov: "Re: kvm: WARNING in kvm_arch_vcpu_ioctl_run"
Previous message: Daniel Borkmann: "Re: [RFC PATCH 2/2] bpf: Initialise mod[] in bpf_trace_printk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 7/25/2017 11:44 AM, Roberto Sassu wrote:

Don't report measurements if the file digest has been included in
an uploaded digest list.

The advantage of this solution is that the boot time overhead, when
a TPM is available, is very small because a PCR is extended only
for unknown files. The disadvantage is that verifiers do not know
anymore which and when files are accessed (they must assume that
the worst case happened, i.e. all files have been accessed).

Am I reading this correctly that you want to measure certain files, but not ones that have been included in a "digest list", which sounds like a white list of sorts.

If so, I have two concerns:

1 - How would the client get this digest list? Shouldn't it be up to the relying party to decide what is trusted and not trusted, not the client?

What of the case with two different relying parties that have a different list of trusted applications? E.g., one trusts any version of program X, while the other trusts only version 3.1 and up?

2 - What about files on the digest list that were not run? The relying party may want to know if a program wasn't run? E.g., antivirus or a firewall.

If the rule is "don't measure if it's on the digest list", how does the relying party know if it was run?

Next message: Dmitry Vyukov: "Re: kvm: WARNING in kvm_arch_vcpu_ioctl_run"
Previous message: Daniel Borkmann: "Re: [RFC PATCH 2/2] bpf: Initialise mod[] in bpf_trace_printk"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]