lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 May 2019 18:45:34 -0400
From:   Mimi Zohar <>
To:     Lakshmi <>,
        Linux Integrity <>,
        David Howells <>,
        James Morris <>,
        Linux Kernel <>
Cc:     Balaji Balasubramanyan <>,
        Prakhar Srivastava <>
Subject: Re: [PATCH 0/2] public key: IMA signer logging: Log public key of
 IMA Signature signer in IMA log

On Wed, 2019-05-15 at 11:17 -0700, Lakshmi wrote:
> Hi Mimi,
> I would like to make sure I understood your feedback.
> > 
> > Why duplicate the certificate info on each record in the measurement
> > list?  Why not add the certificate info once, as the key is loaded
> > onto the .ima and .platform keyrings?
> > 
> key_create_or_update function in security/keys/key.c is called to 
> add\update a key to a keyring. Are you suggesting that an IMA function 
> be called from here to add the certificate info to the IMA log?

There's an existing LSM hook in alloc_key(), but the keyring isn't
being passed.  Again a decision would need to be made as to whether
this needs to be an LSM or IMA hook.

> Our requirement is that the key information is available in the IMA log 
> which is TPM backed.

There's some confusion as to why adding the keys to the measurement
list is needed.  Could you respond to Ken's questions please?


Powered by blists - more mailing lists