Message-ID: <ac6c559e-2d68-afcb-d316-6ac49a570831@linux.microsoft.com>
Date:   Tue, 21 Jan 2020 12:38:58 -0800
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     James Bottomley <James.Bottomley@...senPartnership.com>,
        Mimi Zohar <zohar@...ux.ibm.com>,
        linux-integrity@...r.kernel.org
Cc:     sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

On 1/21/2020 11:52 AM, James Bottomley wrote:

>> - really small devices/sensors being able to queue certificates
> 
> seems like the answer to this one would be don't queue.  I realise it's
> after the submit design, but what about measuring when the key is added
> if there's a policy otherwise measure the keyring when the policy is
> added ... that way no queueing.

Without the "deferred key processing" changes, only keys added at 
runtime were measured (if policy permitted).

"deferred key processing" enabled queuing keys added early in the boot 
process and measured them when the policy is loaded.

We can make this (the queuing) optional through a config, but leave the 
runtime key measurement auto-enabled (as is the config 
IMA_MEASURE_ASYMMETRIC_KEYS now).

  -lakshmi
