Subject: Re: [PATCH v4 01/10] IMA: Defined an IMA hook to measure keys on key create or update
To: Mimi Zohar, dhowells@redhat.com, matthewgarrett@google.com, sashal@kernel.org, jamorris@linux.microsoft.com, linux-integrity@vger.kernel.org, linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, linux-kernel@vger.kernel.org
From: Lakshmi Ramasubramanian
Date: Wed, 6 Nov 2019 16:21:43 -0800

On 11/6/2019 2:43 PM, Mimi Zohar wrote:

>> +void ima_post_key_create_or_update(struct key *keyring, struct key *key,
>> + unsigned long flags, bool create)
>> +{
>> + if ((keyring != NULL) && (key != NULL))
>> + return;
>
> I would move the patch that defines the "keyring=" policy option prior
> to this one.  Include the call to process_buffer_measurement() in this
> patch.  A subsequent patch would add support to defer measuring the
> key, by calling a function named something like
> ima_queue_key_measurement().
>
> Mimi

As I'd stated in the other response, I wanted to isolate all key-related
code in a separate C file and build it if and only if all CONFIG
dependencies are met.

I can do the following:

=> Define the IMA hook in ima_asymmetric_keys.c instead of ima_main.c

=> In include/linux/ima.h declare the IMA hook if
   CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is enabled. Else, NOP it.

#ifdef CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS
extern void ima_post_key_create_or_update(struct key *keyring,
                                          struct key *key,
                                          unsigned long flags,
                                          bool create);
#else
static inline void ima_post_key_create_or_update(struct key *keyring,
                                                 struct key *key,
                                                 unsigned long flags,
                                                 bool create) {}
#endif

Would that be acceptable?

thanks,
-lakshmi
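
Review bot: the guard at the top of ima_post_key_create_or_update() in the quoted hunk, "if ((keyring != NULL) && (key != NULL)) return;", returns when both pointers are valid, so any measurement code placed after it would run only when keyring or key is NULL. If the intent is to bail out on a missing argument, the test should be "if (!keyring || !key) return;", which also matches the usual kernel form of a NULL check. The flags and create parameters are not used in the lines shown; a short kernel-doc comment on the hook stating what each argument means would help the key subsystem callers.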