From: Lakshmi Ramasubramanian
To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: sashal@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default
Date: Tue, 21 Jan 2020 09:13:02 -0800
Message-Id: <20200121171302.4935-1-nramas@linux.microsoft.com>

Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will automatically enable the IMA hook to measure asymmetric keys. Keys created or updated early in the boot process are queued up whether or not a custom IMA policy is provided. Although the queued keys will be freed if a custom IMA policy is not loaded within 5 minutes, it could still cause significant performance impact on smaller systems.

This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by default. Since a custom IMA policy that defines key measurement is required to measure keys, systems that require key measurement can enable this config option in addition to providing a custom IMA policy.

Signed-off-by: Lakshmi Ramasubramanian

--- security/integrity/ima/Kconfig | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig index 355754a6b6ca..8e678219ee9e 100644 --- a/security/integrity/ima/Kconfig +++ b/security/integrity/ima/Kconfig
@@ -312,7 +312,19 @@ config IMA_APPRAISE_SIGNED_INIT This option requires user-space init to be signed. config IMA_MEASURE_ASYMMETRIC_KEYS - bool + bool "Enable asymmetric keys measurement on key create or update" depends on IMA depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y - default y + default n + help + This option enables measuring asymmetric keys when the key + is created or updated. Additionally a custom IMA policy that + defines key measurement should also be loaded. + + If this option is enabled, keys created or updated early in + the boot process are queued up. The queued keys are processed + when a custom IMA policy is loaded. But if a custom IMA policy + is not loaded within 5 minutes after IMA subsystem is initialized, + any queued keys are just freed. Keys created or updated after + a custom IMA policy is loaded will be processed immediately and + not queued. -- 2.17.1
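
Review bot: the added "default n" under config IMA_MEASURE_ASYMMETRIC_KEYS is redundant, because a bool option with no default line already defaults to n; removing the old "default y" without adding a replacement gives the same result and follows usual Kconfig style. In the new help text, the sentence "Additionally a custom IMA policy that defines key measurement should also be loaded" doubles "Additionally" and "also", and says "should" where the commit message says such a policy "is required"; something like "A custom IMA policy that defines key measurement must also be loaded" would match the stated behaviour. The help text also describes the early-boot queueing and the 5 minute free but not the cost that motivates turning the option off; a line noting the impact on smaller systems would help someone deciding whether to enable it.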