Re: [PATCH 2/3] IMA: add policy to support measuring critical data from kernel components

From: Tushar Sugandhi
Date: Mon Aug 17 2020 - 18:27:32 EST

Next message: Paul E. McKenney: "Re: [RFC-PATCH 1/2] mm: Add __GFP_NO_LOCKS flag"
Previous message: Lubomir Rintel: "[PATCH v2 0/4] media: marvell-ccic: Add support for runtime PM"
In reply to: Mimi Zohar: "Re: [PATCH 2/3] IMA: add policy to support measuring critical data from kernel components"
Next in thread: Mimi Zohar: "Re: [PATCH 2/3] IMA: add policy to support measuring critical data from kernel components"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2020-08-17 1:43 p.m., Mimi Zohar wrote:

On Wed, 2020-08-12 at 12:31 -0700, Tushar Sugandhi wrote:

There would be several candidate kernel components suitable for IMA
measurement. Not all of them would be enlightened for IMA measurement.
Also, system administrators may not want to measure data for all of
them, even when they are enlightened for IMA measurements. An IMA policy
specific to various kernel components is needed to measure their
respective critical data.

Add a new IMA policy CRITICAL_DATA+data_sources to support measuring
various critical kernel components. This policy would enable the
system administrators to limit the measurement to the components,
if the components are enlightened for IMA measurement.

"enlightened", really? Please find a different term, maybe something
like "supported".

Thanks for the feedback Mimi. Will do.

Before posting a patch set, please look at the patches line by line,
like anyone reviewing the code needs to do. Please minimize code
change. Unnecessary formatting changes are unacceptible. For
example, like the "#define", below, or in 3/3 the

Thanks for the feedback Mimi.
We extensively reviewed the patches internally before submitting for
upstream review.
We believed adding an extra tab was necessary so that all the previous
values were aligned with the new one - #define IMA_DATA_SOURCES.
We can certainly revert back to only IMA_DATA_SOURCES to have an extra
tab.

"process_buffer_measurement()" change from void to int.

This was also intentional, and was reviewed internally.
The feedback was we should let the consumers of
process_buffer_measurement() decide whether to use the return
value or not. With void, we are not giving them any choice.

scripts/Lindent isn't as prevalent as it used to be, but it's still
included in Documentation/process/coding-style.rst. Use it as a guide.

Thanks for the pointer. We'll use scripts/Lindent going forward.

Mimi

Next message: Paul E. McKenney: "Re: [RFC-PATCH 1/2] mm: Add __GFP_NO_LOCKS flag"
Previous message: Lubomir Rintel: "[PATCH v2 0/4] media: marvell-ccic: Add support for runtime PM"
In reply to: Mimi Zohar: "Re: [PATCH 2/3] IMA: add policy to support measuring critical data from kernel components"
Next in thread: Mimi Zohar: "Re: [PATCH 2/3] IMA: add policy to support measuring critical data from kernel components"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]