Re: [PATCH v8 4/5] IMA: Add support to limit measuring keys
From: Lakshmi Ramasubramanian
Date: Wed Nov 20 2019 - 19:02:59 EST
On 11/20/2019 3:19 PM, Mimi Zohar wrote:
Hi Mimi,
>> The above can be used to correlate the key measurement IMA entry,
>> ima-sig and ima-modsig entries using the same key.
>
> True, but associating the public key measurement with the file
> signature requires information from the certificate (e.g. issuer,
> serial number, and/or subject, subject keyid).
>
> For a regression test, it would be nice if the key measurement,
> itself, contained everything needed in order to validate the file
> signatures in the measurement list.

I am just trying to understand your asks - please clarify:

1. My change includes only the public key and not the entire certificate
information in the measured buffer.
Should I update this current patch set to measure the entire cert? Or
can that be done as a separate patch set?

2. Should a regression test be part of this patch set for the key
measurement changes to be accepted?

thanks,
-lakshmi