Re: [PATCH v11 0/6] KEYS: Measure keys when they are created or updated

From: Lakshmi Ramasubramanian
Date: Thu Dec 12 2019 - 11:58:08 EST


On 12/12/19 6:28 AM, Mimi Zohar wrote:

Hi Lakshmi,

On Wed, 2019-12-11 at 08:47 -0800, Lakshmi Ramasubramanian wrote:
Keys created or updated in the system are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether or not the trusted keys keyring(s), for instance, contain
only known good (trusted) keys.

IMA measures system files, command line arguments passed to kexec,
boot aggregate, etc. It can be used to measure keys as well.
But there is no mechanism available in the kernel for IMA to
know when a key is created or updated.

This change aims to address measuring keys created or updated
in the system.

Thank you! This patch set is now queued in the next-integrity-testing
branch of https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
integrity.git/.

Mimi


Thanks Mimi.

-lakshmi