lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1579628090.3390.28.camel@HansenPartnership.com>
Date:   Tue, 21 Jan 2020 09:34:50 -0800
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        zohar@...ux.ibm.com, linux-integrity@...r.kernel.org
Cc:     sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> automatically enable the IMA hook to measure asymmetric keys. Keys
> created or updated early in the boot process are queued up whether
> or not a custom IMA policy is provided. Although the queued keys will
> be freed if a custom IMA policy is not loaded within 5 minutes, it
> could still cause significant performance impact on smaller systems.

What exactly do you expect distributions to do with this?  I can tell
you that most of them will take the default option, so this gets set to
N and you may as well not have got the patches upstream because you
won't be able to use them in any distro with this setting.

> This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> default.  Since a custom IMA policy that defines key measurement is
> required to measure keys, systems that require key measurement can
> enable this config option in addition to providing a custom IMA
> policy.

Well, no they can't ... it's rather rare nowadays for people to build
their own kernels.  The vast majority of Linux consumers take what the
distros give them.  Think carefully before you decide a config option
is the solution to this problem.

James

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ