[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1579628090.3390.28.camel@HansenPartnership.com>
Date: Tue, 21 Jan 2020 09:34:50 -0800
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
zohar@...ux.ibm.com, linux-integrity@...r.kernel.org
Cc: sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default
On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> automatically enable the IMA hook to measure asymmetric keys. Keys
> created or updated early in the boot process are queued up whether
> or not a custom IMA policy is provided. Although the queued keys will
> be freed if a custom IMA policy is not loaded within 5 minutes, it
> could still cause significant performance impact on smaller systems.
What exactly do you expect distributions to do with this? I can tell
you that most of them will take the default option, so this gets set to
N and you may as well not have got the patches upstream because you
won't be able to use them in any distro with this setting.
> This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> default. Since a custom IMA policy that defines key measurement is
> required to measure keys, systems that require key measurement can
> enable this config option in addition to providing a custom IMA
> policy.
Well, no they can't ... it's rather rare nowadays for people to build
their own kernels. The vast majority of Linux consumers take what the
distros give them. Think carefully before you decide a config option
is the solution to this problem.
James
Powered by blists - more mailing lists