Re: [PATCH v6 0/3] IMA: Deferred measurement of keys

From: Mimi Zohar
Date: Fri Jan 03 2020 - 10:48:06 EST


On Fri, 2020-01-03 at 10:08 -0500, Mimi Zohar wrote:
> > This change adds support for queuing keys created or updated before
> > a custom IMA policy is loaded. The queued keys are processed when
> > a custom policy is loaded. Keys created or updated after a custom policy
> > is loaded are measured immediately (not queued).
> >
> > If the kernel is built with both CONFIG_IMA and
> > CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE enabled then the IMA policy
> > must be applied as a custom policy for the keys to be measured.
> > If a custom IMA policy is not provided within 5 minutes after
> > IMA is initialized, any queued keys will be freed.
>
> As the merge message, this is too much information. I would extend
> the previous paragraph and drop this one, like:
> "... (not queued). In the case when a custom policy is not loaded
> within 5 minutes of IMA initialization, the queued keys are freed."
>
> > This is by design.
>
> It's unclear what "is by design" refers to. Perhaps expand this
> sentence like: "Measuring the early boot keys, by design, requires
> loading a custom policy."

Instead of including this comment as the last sentence of the cover
letter, it would make a good opening sentence for the second
paragraph.

Mimi