Subject: Re: [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update
From: Lakshmi Ramasubramanian
To: Mimi Zohar, dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-security-module@vger.kernel.org, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, keyrings@vger.kernel.org
Date: Mon, 28 Oct 2019 07:58:36 -0700
Message-ID: <1d7730ff-9847-c6be-4f4f-8cf1e90a71f2@linux.microsoft.com>
In-Reply-To: <1572187644.4532.211.camel@linux.ibm.com>
References: <20191023233950.22072-1-nramas@linux.microsoft.com> <20191023233950.22072-2-nramas@linux.microsoft.com> <1572032428.4532.72.camel@linux.ibm.com> <1572187644.4532.211.camel@linux.ibm.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 10/27/19 7:47 AM, Mimi Zohar wrote:
>>> There's no reason to define a new variable to determine if IMA is
>>> initialized.  Use ima_policy_flag.
>>
>> Please correct me if I am wrong -
>>
>> ima_policy_flag will be set to 0 if IMA is not yet initialized
>> OR
>> IMA is initialized, but ima_policy_flag could still be set to 0 (say,
>> due to the configured policy).
>>
>> In the latter case the measurement request should be a NOP immediately.
>
> I'm not sure.  The builtin keys most likely will be loaded prior to a
> custom IMA policy containing "keyring" rules being defined.
>
> Mimi

I am not sure if I described it clearly - let me clarify:

Say we use ima_policy_flag to determine whether to measure the key
immediately or queue the key for measurement, and measure when IMA is
initialized.

We can incorrectly keep queuing keys in the case when IMA is initialized,
but due to the way the IMA policy is configured ima_policy_flag is still 0.

That's why I feel a separate boolean flag would be needed to know whether
IMA is initialized or not. If IMA is initialized, ima_policy_flag will
dictate whether to measure the key or not.

thanks,
-lakshmi
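The failure mode Lakshmi describes above, written out as a small user-space model in C. This is an added illustration and is not code from the patch series or from the kernel's IMA subsystem: only `ima_policy_flag` names a real kernel variable, and every other identifier (`ima_initialized`, `measure_key_policy_flag_only`, `measure_key_separate_flag`, `ima_init_done`, the queue and the constructed key descriptions) is hypothetical. It contrasts using `ima_policy_flag` as the "is IMA up?" test with using a separate initialized flag, in the scenario where IMA finishes initializing under a policy that leaves `ima_policy_flag` at 0.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added illustration, not code from the patch or the kernel: a minimal model
 * of the two ways to decide "measure this key now or queue it until IMA is
 * up" that the thread discusses. Only ima_policy_flag names a real kernel
 * variable; every other identifier here is hypothetical. */

#define MAX_QUEUED 16

struct key_desc {
    const char *keyring;  /* keyring the key is being added to */
    const char *desc;     /* key description */
};

/* Modelled IMA state. ima_policy_flag is 0 whenever the active policy has
 * nothing to do, which is also its value before IMA has initialized. */
static int  ima_policy_flag;
static bool ima_initialized;  /* hypothetical separate "IMA is up" flag */

static struct key_desc queue[MAX_QUEUED];
static size_t queued;    /* keys waiting for IMA to come up */
static size_t measured;  /* keys actually measured */

static void reset_state(void)
{
    ima_policy_flag = 0;
    ima_initialized = false;
    queued = 0;
    measured = 0;
}

static void enqueue(struct key_desc k)
{
    if (queued < MAX_QUEUED)
        queue[queued++] = k;
}

/* Variant A: ima_policy_flag doubles as the "is IMA initialized?" test.
 * It cannot tell "IMA not up yet" from "IMA is up, policy says do nothing",
 * so keys keep being queued after init whenever the flag stays 0. */
static void measure_key_policy_flag_only(struct key_desc k)
{
    if (!ima_policy_flag) {
        enqueue(k);
        return;
    }
    measured++;
}

/* Variant B: a separate initialized flag decides queue-vs-handle; once IMA
 * is up, ima_policy_flag alone decides measure-vs-NOP. */
static void measure_key_separate_flag(struct key_desc k)
{
    if (!ima_initialized) {
        enqueue(k);
        return;
    }
    if (ima_policy_flag)
        measured++;
    /* else: IMA is up and the policy has nothing to do, so this is a NOP */
}

/* IMA initialization completes with the given policy state; drain whatever
 * was queued before init according to that policy. */
static void ima_init_done(int policy_flag)
{
    ima_initialized = true;
    ima_policy_flag = policy_flag;
    for (size_t i = 0; i < queued; i++)
        if (ima_policy_flag)
            measured++;
    queued = 0;
}

static void add_key(bool separate_flag, struct key_desc k)
{
    if (separate_flag)
        measure_key_separate_flag(k);
    else
        measure_key_policy_flag_only(k);
}

/* Scenario from the thread: one key arrives before init, IMA then comes up
 * with the given policy state, and three more keys arrive afterwards.
 * Returns how many keys are still sitting in the queue at the end. */
size_t keys_still_queued_after_init(bool separate_flag, int policy_flag)
{
    reset_state();
    struct key_desc early = { ".ima", "constructed-early-key" };
    struct key_desc late  = { ".ima", "constructed-late-key" };

    add_key(separate_flag, early);
    ima_init_done(policy_flag);
    for (int i = 0; i < 3; i++)
        add_key(separate_flag, late);
    return queued;
}

/* Same scenario; returns how many keys ended up measured. */
size_t keys_measured_after_init(bool separate_flag, int policy_flag)
{
    keys_still_queued_after_init(separate_flag, policy_flag);
    return measured;
}
```

With a policy that leaves the flag at 0, variant A leaves the three post-init keys queued indefinitely while variant B treats them as immediate NOPs; with a policy that sets the flag, both variants measure all four keys, which is why the two designs only diverge in the case the reply points at.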