Re: [PATCH v4 01/10] IMA: Defined an IMA hook to measure keys on key create or update

[Lakshmi Ramasubramanian]

On 11/7/19 12:53 PM, Mimi Zohar wrote:

> > The measurement decision is not based on whether the keyring is a
> > trusted one or an untrusted one. As long as the IMA policy allows
> > (through the "keyrings=" option) the key will be measured.
>
> We should be able to measure all keys being loaded onto any keyring or
> onto a specific "keyring=". Â This shouldn't be any different than any
> other policy rule. ÂOnce you have this basic feature working, you
> would address loading keys during early boot.
Perfect - that's exactly how I have implemented it right now. Will 
continue to test it.

> > Do you want only trusted keyrings to be allowed in the measurement?
> > In my opinion, that decision should be deferred to whoever is setting up
> > the IMA policy.
>
> Right, but it shouldn't be limited to just "trusted" keyrings. ÂThis
> way you can first test loading keys onto any keyring.
Thank you.

> Queuing the keys should be independent of measuring the keys.
>  ÂInitially you would start with just measuring the key. ÂFrom a high
> level it would look like:
>
>      ima_post_key_create_or_update(...)
>      {
>      Â Â"measure key based on
>      policy(key, keyring, ...)"
>      }
>
> This requires the IMA "keyring=" policy option support be defined
> first.
>
> Subsequently you would add key queuing support, and then update
> ima_post_key_create_or_update(). ÂIt would look like:
>
>          ima_post_key_create_or_update(...)
>          {
>              if (custom policy is loaded)
>              Â Â"measure key based on policy(key, keyring, ...)"
>              else
>                  "queue key(key, keyring)"
>          }
>
> Mimi

Yes - I have the above change working. Will continue testing.

thanks,
 -lakshmi