Received: by 2002:a25:4158:0:0:0:0:0 with SMTP id o85csp7421138yba; Thu, 2 May 2019 09:31:40 -0700 (PDT) X-Google-Smtp-Source: APXvYqxm2hl4IH54hfP9cz0pqMLTDXcXiaXH1UTbhKM7IqjwbPcAovrdZahcwKVQhcq29GD48162 X-Received: by 2002:a17:902:b190:: with SMTP id s16mr4696933plr.83.1556814700692; Thu, 02 May 2019 09:31:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1556814700; cv=none; d=google.com; s=arc-20160816; b=EFmin1NAuwvSy2uPuULR1Z1RM0KmucM9b2iDGIH8BKLBHd5JxHpVfPGi+MbGc1lPIz ejneWgBq2+WFIw/hrxRrv/0FXHFWra1lIeUyqHqpqZILQTPP+k/+hjiuAWucoqeD8Iew xRetXCFcCs38PhDmjB2XCp87yhnnusc7iVSwbWtEmXYl0rBJ2yubz3gJUqW2KBtiiTvR fUsCDejqR1npa9Im67J+PREBfpQqQjQwX1R+erZyaz6WCA5KlcDxM5XKg//E8mdGvS6Z r3ZCPxGoBhgrr/c14Iv0xQXt1EYph+FyDj1LmKNNm6cvcUPJjhHCcU75+gP9Kzo7iIt0 NF3A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :message-id:references:cc:to:subject:from:dkim-signature; bh=H2HJJesMA20BcYlJ+IOaax9VIeLCiinnSIhrnVVMHXE=; b=pyX/oaqo6zZ0DX/TkcLJhnLM/gD69zoQIGBwFoagluEn5/JYAajSbbGAYqcctxhfXt Z7Sxxe6jqZGXS0DvfvELuoRvrXiQ5OPmLfqDoU8Iq1wlYnXsrEhyQaxJ5x+YiaH9ppbQ 3wiXfJ1rL3ZMhzh+i+u08NNrk67NzwIknfisceBYN2J1iprhYfFk7KTq/vGcdQc8deaU 3nainXLB7ISBoCdLtjO9+I8tQcO5oJ+XDViWLaNzTHIPNNh+SuAD3XBV81hfXhcTXEv5 dfuG9KujJ9iqdoJyLC7YG7C62z+zWvN1sVKFOTAtaMSpL8IM+79nlcMTSi6OqCcmLHpr v+Ew== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=KlNxglbH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f7si44572917pgg.234.2019.05.02.09.31.25; Thu, 02 May 2019 09:31:40 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@yahoo.com header.s=s2048 header.b=KlNxglbH; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726451AbfEBQ3F (ORCPT + 99 others); Thu, 2 May 2019 12:29:05 -0400 Received: from sonic308-8.consmr.mail.bf2.yahoo.com ([74.6.130.47]:41002 "EHLO sonic308-8.consmr.mail.bf2.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726300AbfEBQ3F (ORCPT ); Thu, 2 May 2019 12:29:05 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1556814543; bh=H2HJJesMA20BcYlJ+IOaax9VIeLCiinnSIhrnVVMHXE=; h=From:Subject:To:Cc:References:Date:In-Reply-To:From:Subject; b=KlNxglbHKJOisGlvlPTmrXU+egzI9pXzdY9co9OQCrQIAyfXMaKzspmvgGItp8d5W8O7cmUhkQmDXSb1FHfjLaehQUCwZtPhC+1LqV2h1GGzMuOrsHvn2KtQPr2xLFbzaerZStbnGPtU4mzd4NZQvhRSHxqxSJZRsFWfH4BHOs79n9oqorgzsEJMa0oMOEF3xud07AJ6ZGEQ1AJ4ybF79s1Lc9JrIPBmoD3D545rx8lptLpWCmfT7YS64cqTqn2xd8EBE3uBva5ReVUNM5Y1+W37/uTEntbWtUevesUnp+3uUDjIzxbBUS4nWuJlKNs21pC2Km59lowKwBJP8FTaOw== X-YMail-OSG: KTxj1FUVM1mLqkxD6A.OYugj.k8xCJODq.rjAJmhegyCATWb6r2dAuIZjCJR3Mz wbgoL4DCYzB27TxZ78xDMyJupXa1Y3M9ROGneF3Q8U.O3mbGGHUc_wxnXewhtsWWDlBTThcdrPXT bQdlCg.99Ds_4rpJSiO40mACqAGTU51nT.dF29EZQFJYzVHA8HuJk0OjUG4LwEs2M1Ur2eDea23y bCoFpbF6IDq8OmslgvdQQFXIVbET0KYeHSFaP19qL7Ku1Cs5V8Bw7Ow4gzt8Aq9R32FSrP22Q9u6 dqf1mZLKVcKPXUCf5mO9bX_u20E0vL4eq6WSWCfht20fe2K2Z05cWmShpdOkIVlQw2ZMiWvtpPIM lVherVpi04Hb9kQhsDDlMQ65raphU0t2l09Q1CXle.gREWoo9ceYOP5rGt71x3EVsaSelbLUoY_a jLpVsWg9.EYsxy0fDdpsNIdY0Vlt8tLvL6Z1VZciaonhTHSTdv9ni.3QYWnGKkbFpT6EsZ6KJBP2 AppPJDGh82inBJqCmNBGFpjP5om0aDTuX_8brYDTXzmZQbb0xmMRlKppwV4kN4r672i2u.9Weq9t i5m5aQj5qJqhjWAM85EsHZ429Hz9KLso2vnydrkcWpwvDJ_6nkmGPaWD89m.aFuoFdseNR0rFwef jpi5Nu9yR4.LNoTC4AMs1ROel.5tAUFP4ZJiL_Pb9j3O8_XWwWx0hiY8xTRowgCR1HjmFGpCgtdy DyVgzD9lGG9OGTmjGA6ZMX0.vOX2BmZnZMKpS2V1_gRhObhwQ404H3lsRzGYWfR.3QT_jzx8gITg W01U4uwnOh1f_ZFW1ytq5trh8f4TtzQfbvyYICC7D9.qAx5GWeHF55LCJf9O.l81F9TcQZax1mmE aqawpk7sKdGTY8XQZomVyiPGbw0v391uelBU.JpQK.GcQSLD0cy6PTJrv73dsBLlzeJDl3bER73V oawUN2yM4kjBjsTVrSnS2oagktVBSTseB6g57sEWrCpbcm90A6kwL9wtK.Zev6R_1vZrNiF21gvh XPGhdWlG603NAzY2.1_3nEAplhVTcbIHON7.gA70AW4vOFI5lQetDoQ6_uWrJboC6QcJ52xfm23_ q49EX5GuVmd9OD.NpbICukcA4E8Q_FCH_2swnfSN5pmHfZSfY4wVgggnBOFfuOfowreS8FJOHbo3 Llyw.duZKK.dVunulCC.DA1fz9JNEuafa Received: from sonic.gate.mail.ne1.yahoo.com by sonic308.consmr.mail.bf2.yahoo.com with HTTP; Thu, 2 May 2019 16:29:03 +0000 Received: from c-67-169-65-224.hsd1.ca.comcast.net (EHLO [192.168.0.103]) ([67.169.65.224]) by smtp402.mail.bf1.yahoo.com (Oath Hermes SMTP Server) with ESMTPA ID 1fa7d2e534e1a0e9e92015fab12bde34; Thu, 02 May 2019 16:29:00 +0000 (UTC) From: Casey Schaufler Subject: Re: [PATCH] kexec_buffer measure To: Mimi Zohar , prakhar srivastava Cc: linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module , Paul Moore , John Johansen , casey@schaufler-ca.com References: <1555978681.4914.305.camel@linux.ibm.com> <1556812101.4134.28.camel@linux.ibm.com> Message-ID: <7af61ebe-28a8-799c-fe47-d72f247494ed@schaufler-ca.com> Date: Thu, 2 May 2019 09:28:57 -0700 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: <1556812101.4134.28.camel@linux.ibm.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 5/2/2019 8:48 AM, Mimi Zohar wrote: > [Cc'ing Paul, John, Casey] > > On Mon, 2019-04-22 at 20:18 -0400, Mimi Zohar wrote: >> [Cc'ing LSM mailing list] >> >> On Fri, 2019-04-19 at 17:30 -0700, prakhar srivastava wrote: >> >>> 2) Adding a LSM hook >>> We are doing both the command line and kernel version measurement in IMA. >>> Can you please elaborate on how this can be used outside of the scenario? >>> That will help me come back with a better design and code. I am >>> neutral about this. >> As I said previously, initially you might want to only measure the >> kexec boot command line, but will you ever want to verify or audit log >> the boot command line hash?????Perhaps LSMs would be interested in the >> boot command line. ??Should this be an LSM hook? > From an LSM perspective, is there any interest in the boot command line? I can imagine an LSM that cares about the command line, but I don't have interest in it for any work I have in progress. > Mimi >