lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 16 May 2019 18:45:34 -0400
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Lakshmi <nramas@...ux.microsoft.com>,
        Linux Integrity <linux-integrity@...r.kernel.org>,
        David Howells <dhowells@...hat.com>,
        James Morris <jamorris@...ux.microsoft.com>,
        Linux Kernel <linux-kernel@...r.kernel.org>
Cc:     Balaji Balasubramanyan <balajib@...ux.microsoft.com>,
        Prakhar Srivastava <prsriva@...ux.microsoft.com>
Subject: Re: [PATCH 0/2] public key: IMA signer logging: Log public key of
 IMA Signature signer in IMA log

On Wed, 2019-05-15 at 11:17 -0700, Lakshmi wrote:
> Hi Mimi,
> 
> I would like to make sure I understood your feedback.
> 
> > 
> > Why duplicate the certificate info on each record in the measurement
> > list?  Why not add the certificate info once, as the key is loaded
> > onto the .ima and .platform keyrings?
> > 
> 
> key_create_or_update function in security/keys/key.c is called to 
> add\update a key to a keyring. Are you suggesting that an IMA function 
> be called from here to add the certificate info to the IMA log?

There's an existing LSM hook in alloc_key(), but the keyring isn't
being passed.  Again a decision would need to be made as to whether
this needs to be an LSM or IMA hook.

> 
> Our requirement is that the key information is available in the IMA log 
> which is TPM backed.
> 

There's some confusion as to why adding the keys to the measurement
list is needed.  Could you respond to Ken's questions please?

Mimi

Powered by blists - more mailing lists