lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 21 Jan 2020 14:13:55 -0500 From: Mimi Zohar <zohar@...ux.ibm.com> To: James Bottomley <James.Bottomley@...senPartnership.com>, Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>, linux-integrity@...r.kernel.org Cc: sashal@...nel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default On Tue, 2020-01-21 at 09:34 -0800, James Bottomley wrote: > On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote: > > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will > > automatically enable the IMA hook to measure asymmetric keys. Keys > > created or updated early in the boot process are queued up whether > > or not a custom IMA policy is provided. Although the queued keys will > > be freed if a custom IMA policy is not loaded within 5 minutes, it > > could still cause significant performance impact on smaller systems. > > What exactly do you expect distributions to do with this? I can tell > you that most of them will take the default option, so this gets set to > N and you may as well not have got the patches upstream because you > won't be able to use them in any distro with this setting. > > > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by > > default. Since a custom IMA policy that defines key measurement is > > required to measure keys, systems that require key measurement can > > enable this config option in addition to providing a custom IMA > > policy. > > Well, no they can't ... it's rather rare nowadays for people to build > their own kernels. The vast majority of Linux consumers take what the > distros give them. Think carefully before you decide a config option > is the solution to this problem. James, up until now IMA could be configured, but there wouldn't be any performance penalty for enabling IMA until a policy was loaded. With IMA and asymmetric keys enabled, whether or not an IMA policy is loaded, certificates will be queued. My concern is: - changing the expected behavior - really small devices/sensors being able to queue certificates This change permits disabling queueing certificates. Whether the default should be "disabled" is a separate question. I'm open to comments/suggestions. Mimi
Powered by blists - more mailing lists