Date:   Wed, 17 Feb 2021 10:03:55 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Tushar Sugandhi <tusharsu@...ux.microsoft.com>
Cc:     tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org,
        nramas@...ux.microsoft.com, linux-integrity@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] IMA: support for duplicate data measurement

Hi Tushar,

The Subject line could be improved.  Perhaps something like - "IMA:
support for duplicate measurement records"

On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
> IMA does not measure duplicate data since TPM extend is a very expensive
> operation.  However, in some cases, the measurement of duplicate data
> is necessary to accurately determine the current state of the system.
> E.g., SELinux state changing from 'audit', to 'enforcing', and back to
> 'audit' again.  In this example, currently, IMA will not measure the
> last state change to 'audit'.  This limits the ability of attestation
> services to accurately determine the current state of the measurements
> on the system.

This patch description is written from your specific use case
perspective, but it impacts file and buffer data measurements as well,
not only critical data measurements.  In all of these situations, with
this patch a new measurement record is added/appended to the
measurement list.  Please re-write the patch description making it more
generic.

For example, I would start with something like, "IMA does not include
duplicate file, buffer or critical data measurement records ..."

thanks,

Mimi

> 
> Update ima_add_template_entry() to support measurement of duplicate
> data, driven by a Kconfig option - IMA_DISABLE_HTABLE.
> 
> Signed-off-by: Tushar Sugandhi <tusharsu@...ux.microsoft.com>
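The behaviour under discussion, modelled as an added illustration that is not part of the thread or of the kernel's IMA code: a toy measurement list with a digest hash table, the PCR it extends, and the SELinux audit/enforcing/audit sequence from the patch description. The event name "selinux-state" and the simplified template digest (SHA-256 over name and data) are assumptions for the example; `allow_duplicates=True` stands in for the effect of the proposed IMA_DISABLE_HTABLE option.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # a SHA-256 PCR bank starts zeroed


class MeasurementLog:
    """Toy model of the IMA measurement list and the PCR it extends.
    allow_duplicates=True mimics IMA_DISABLE_HTABLE: the digest hash
    table is skipped, so a repeated measurement still gets a record
    and a TPM extend.  Constructed illustration, not kernel code."""

    def __init__(self, allow_duplicates):
        self.allow_duplicates = allow_duplicates
        self.entries = []   # (event_name, data, template_digest)
        self.seen = set()   # digests already on the list
        self.pcr = PCR_INIT

    def add(self, event_name, data):
        # Simplified template digest over event name + data (assumption).
        digest = hashlib.sha256(event_name.encode() + b"\0" + data).digest()
        if not self.allow_duplicates and digest in self.seen:
            return False          # duplicate: no record, no TPM extend
        self.seen.add(digest)
        self.entries.append((event_name, data, digest))
        # TPM extend: PCR_new = H(PCR_old || digest)
        self.pcr = hashlib.sha256(self.pcr + digest).digest()
        return True


def replay_pcr(entries):
    """Attestation side: recompute the PCR from the shipped log."""
    pcr = PCR_INIT
    for _, _, digest in entries:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr


def selinux_sequence(allow_duplicates):
    """Measure the audit -> enforcing -> audit transition from the thread."""
    log = MeasurementLog(allow_duplicates)
    for state in (b"audit", b"enforcing", b"audit"):
        log.add("selinux-state", state)
    return log


def last_recorded_state(log, event_name="selinux-state"):
    """What a verifier concludes the current state is from the log."""
    states = [data for name, data, _ in log.entries if name == event_name]
    return states[-1] if states else None
```

With duplicates suppressed the log ends at "enforcing" although the system is back in "audit"; with duplicates allowed the third record is present and the replayed PCR still matches, since every appended record was also extended.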
