Date:   Tue, 21 Jan 2020 14:13:55 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     James Bottomley <James.Bottomley@...senPartnership.com>,
        Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        linux-integrity@...r.kernel.org
Cc:     sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

On Tue, 2020-01-21 at 09:34 -0800, James Bottomley wrote:
> On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> > automatically enable the IMA hook to measure asymmetric keys. Keys
> > created or updated early in the boot process are queued up whether
> > or not a custom IMA policy is provided. Although the queued keys will
> > be freed if a custom IMA policy is not loaded within 5 minutes, it
> > could still cause significant performance impact on smaller systems.
> 
> What exactly do you expect distributions to do with this?  I can tell
> you that most of them will take the default option, so this gets set to
> N and you may as well not have got the patches upstream because you
> won't be able to use them in any distro with this setting.
> 
> > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> > default.  Since a custom IMA policy that defines key measurement is
> > required to measure keys, systems that require key measurement can
> > enable this config option in addition to providing a custom IMA
> > policy.
> 
> Well, no they can't ... it's rather rare nowadays for people to build
> their own kernels.  The vast majority of Linux consumers take what the
> distros give them.  Think carefully before you decide a config option
> is the solution to this problem.

James, up until now IMA could be configured, but there wouldn't be any
performance penalty for enabling IMA until a policy was loaded.  With
IMA and asymmetric keys enabled, whether or not an IMA policy is
loaded, certificates will be queued.

My concern is:
- changing the expected behavior
- really small devices/sensors being able to queue certificates

This change permits disabling queueing certificates.  Whether the
default should be "disabled" is a separate question.  I'm open to
comments/suggestions.

Mimi
