Re: [PATCH v11 0/6] KEYS: Measure keys when they are created or updated

From: Lakshmi Ramasubramanian
Date: Thu Dec 12 2019 - 11:58:08 EST

Next message: Marc Gonzalez: "Re: [PATCH v1] clk: Convert managed get functions to devm_add_action API"
Previous message: Lakshmi Ramasubramanian: "Re: [PATCH v2 1/2] IMA: Define workqueue for early boot "key" measurements"
In reply to: Mimi Zohar: "Re: [PATCH v11 0/6] KEYS: Measure keys when they are created or updated"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 12/12/19 6:28 AM, Mimi Zohar wrote:

Hi Lakshmi,

On Wed, 2019-12-11 at 08:47 -0800, Lakshmi Ramasubramanian wrote:

Keys created or updated in the system are currently not measured.
Therefore an attestation service, for instance, would not be able to
attest whether or not the trusted keys keyring(s), for instance, contain
only known good (trusted) keys.

IMA measures system files, command line arguments passed to kexec,
boot aggregate, etc. It can be used to measure keys as well.
But there is no mechanism available in the kernel for IMA to
know when a key is created or updated.

This change aims to address measuring keys created or updated
in the system.

Thank you! ÂThis patch set is now queued in the next-integrity-testing
branch ofÂhttps://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-
integrity.git/.

Mimi

Thanks Mimi.

-lakshmi

Next message: Marc Gonzalez: "Re: [PATCH v1] clk: Convert managed get functions to devm_add_action API"
Previous message: Lakshmi Ramasubramanian: "Re: [PATCH v2 1/2] IMA: Define workqueue for early boot "key" measurements"
In reply to: Mimi Zohar: "Re: [PATCH v11 0/6] KEYS: Measure keys when they are created or updated"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]