Re: [PATCH v5 0/2] IMA: Deferred measurement of keys

[Lakshmi Ramasubramanian]

On 12/20/2019 11:01 AM, Mimi Zohar wrote:

Hi Mimi,

> > If the kernel is built with both CONFIG_IMA and
> > CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled then the IMA policy
> > must be applied as a custom policy. Not providing a custom policy
> > in the above configuration would result in asymmeteric keys being queued
> > until a custom policy is loaded. This is by design.
>
> I didn't notice the "This is by design" here, referring to the memory
> never being freed.ÂÂ"This is by design" was suppose to refer to
> requiring a custom policy for measuring keys.
>
> For now, these two patches are queued in the next-integrity-testing
> branch, but I would appreciate your addressing not freeing the memory
> associated with the keys, if a custom policy is not loaded.
>
> Please note that I truncated the 2/2 patch description, as it repeats
> the existing verification example in commit ("2b60c0ecedf8 IMA: Read
> keyrings= option from the IMA policy").
>
> thanks,
>
> Mimi

Sure - I am fine with truncating the 2/2 patch description. Thanks for 
doing that.

Regarding "Freeing the queued keys if custom policy is not loaded":

Shall I create a new patch set to address that and have that be reviewed 
independent of this patch set?

Like you'd suggested earlier, we can wait for a certain time, after IMA 
is initialized, and free the queue if a custom policy was not loaded.

Please let me know.

thanks,
 -lakshmi