Message-Id: <1579634035.5125.311.camel@linux.ibm.com>
Date: Tue, 21 Jan 2020 14:13:55 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: James Bottomley <James.Bottomley@...senPartnership.com>,
Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
linux-integrity@...r.kernel.org
Cc: sashal@...nel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default

On Tue, 2020-01-21 at 09:34 -0800, James Bottomley wrote:
> On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote:
> > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
> > automatically enable the IMA hook to measure asymmetric keys. Keys
> > created or updated early in the boot process are queued up whether
> > or not a custom IMA policy is provided. Although the queued keys will
> > be freed if a custom IMA policy is not loaded within 5 minutes, it
> > could still cause significant performance impact on smaller systems.
>
> What exactly do you expect distributions to do with this? I can tell
> you that most of them will take the default option, so this gets set to
> N and you may as well not have got the patches upstream because you
> won't be able to use them in any distro with this setting.
>
> > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by
> > default. Since a custom IMA policy that defines key measurement is
> > required to measure keys, systems that require key measurement can
> > enable this config option in addition to providing a custom IMA
> > policy.
>
> Well, no they can't ... it's rather rare nowadays for people to build
> their own kernels. The vast majority of Linux consumers take what the
> distros give them. Think carefully before you decide a config option
> is the solution to this problem.

James, up until now IMA could be configured, but there wouldn't be any
performance penalty for enabling IMA until a policy was loaded. With
IMA and asymmetric keys enabled, whether or not an IMA policy is
loaded, certificates will be queued.

My concern is:
- changing the expected behavior
- really small devices/sensors being able to queue certificates

This change permits disabling queueing certificates. Whether the
default should be "disabled" is a separate question. I'm open to
comments/suggestions.

Mimi