Re: [PATCH 0/3] support for duplicate measurement of integrity critical data
From: Tushar Sugandhi
Date: Tue Feb 09 2021 - 15:35:36 EST
Thank you Mimi for reviewing this series.
On 2021-02-08 1:10 p.m., Mimi Zohar wrote:
Hi Tushar,
On Mon, 2021-02-08 at 15:22 -0500, Mimi Zohar wrote:
On Fri, 2021-01-29 at 16:45 -0800, Tushar Sugandhi wrote:
IMA does not measure duplicate buffer data since TPM extend is a very
expensive operation. However, in some cases for integrity critical
data, the measurement of duplicate data is necessary to accurately
determine the current state of the system. Eg, SELinux state changing
from 'audit', to 'enforcing', and back to 'audit' again. In this
example, currently, IMA will not measure the last state change to
'audit'. This limits the ability of attestation services to accurately
determine the current state of the integrity critical data on the
system.
This series addresses this gap by providing the ability to measure
duplicate entries for integrity critical data, driven by policy.
The same reason for re-measuring buffer data is equally applicable to
files. In both cases, the file or the buffer isn't re-measured if it
already exists in the htable. Please don't limit this patch set to
just buffer data.
Agreed. I wasn't sure if you wanted the support for files, or other
buffer measurement scenarios, except critical data. So I started the
implementation with supporting just critical data. Happy to extend it
to files and other buffer measurement scenarios as you suggested.
Instead of making the change on a per measurement rule basis, disabling
"htable" would be the simplest way of forcing re-measurements. All
that would be needed is a new Kconfig (e.g. CONFIG_IMA_DISABLE_HTABLE)
and the associated test in ima_add_template_entry().
Agreed. Earlier I wasn't sure if you wanted allow_dup support for all
the scenarios. Now that it is clear, I will implement it as you
suggested. Thank you so much for the pointers. Appreciate it.
Thanks,
Tushar
thanks,
Mimi