Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3930321ybl; Tue, 21 Jan 2020 09:37:07 -0800 (PST) X-Google-Smtp-Source: APXvYqwqNb/c/Us/lH2h1cXCbjUJhuFJ4SDZUYwq+cgDKf4DdP++zHzIS+EPnMPYAWNSm2zGLLW3 X-Received: by 2002:aca:5083:: with SMTP id e125mr3863105oib.96.1579628227644; Tue, 21 Jan 2020 09:37:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579628227; cv=none; d=google.com; s=arc-20160816; b=IgWuOet3tq2BthhFDn25xitiFw2Jn11kKt9L/HG2TbAG9N1qud1ut0eflyhfCVBJOw 6oxyrWDllMlTq/KQoUVr2sT07U5SDc/bbvwvaOfwzIbiN5N7OcCaY8UHylAbAy+GeFpw pHf3FvCzTgFbYOPMkfb3Vjlifa4rdHDLvCNNVBx54TPr4PGJD85pMYA707VJwNFLPAjJ 2QiWdrgJbCNUkEE8SbE8zIkh9FOLud9dnPIT1hM+MPxdjDQnkCbn7u55bvO0fQc4Kfa9 rZnQNSGAWV0FuUorEEwDaLOUwpoZ3Z2MfUvAOcQnyQssdB0ELbI1IiD7k5r+ZJr6+0Kd z8Ow== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature:dkim-signature; bh=ykFJGYp4JEsScI4S90ieI4Omr8lPhl5tK01ibRyhkVA=; b=WkOGNwdWf1PslhB16P3Kn3hd+9hPPipzPBiZ6cWPLMceskY8pxMjSkiSLtL3l3+6gF y1HhraxiSXpH1qRW6o7zm1sEFEsiNiEw7rac01/yiSjLFoRIkGBYpYxRxOcb9xlnZuCR tkNiN34JniUQYtfahu8u0THw2ZzxSAQ6tfnpGT1Civ5/DU3AWvJOUKJfP5QiOu8EASlj WeVI4w4h4FoiAMDpWPeYON2bXRKACQGyKh63jkyiglGKZsendOP4wC0tMB6jPsPNbunI r6cDkUGrhVsCMwbACOz6ZnX5/qNvag6D1xAutqKjkTlHfdIIQioqDbwLt74p3nzamvcT 41Ew== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=NUOVdFzk; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=NUOVdFzk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l26si23271517otn.48.2020.01.21.09.36.54; Tue, 21 Jan 2020 09:37:07 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=NUOVdFzk; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b=NUOVdFzk; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729140AbgAURex (ORCPT + 99 others); Tue, 21 Jan 2020 12:34:53 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:60408 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728186AbgAURew (ORCPT ); Tue, 21 Jan 2020 12:34:52 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 597FC8EE180; Tue, 21 Jan 2020 09:34:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1579628092; bh=vcYNFOeLQG9On2rFmCpXuIKj7cjYAwyM8qk3B50z018=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=NUOVdFzkm+/32Ol+TaRpDzUod5DduXpbCNSF8OsNEf6HDz60bv/uluBHVBUMr8ik2 dCycmIpURSjQJn4fnBapBJys6DMybqorjLUWebT6pdJFytEB8mfcDEiw8Cgaq4+CEA HfOF6FEiV5ZyD5km00z2s4lbdZv0+NwIq42pdxI8= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8c7TChbFVXin; Tue, 21 Jan 2020 09:34:52 -0800 (PST) Received: from jarvis.lan (unknown [50.35.76.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 7AF088EE0C9; Tue, 21 Jan 2020 09:34:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1579628092; bh=vcYNFOeLQG9On2rFmCpXuIKj7cjYAwyM8qk3B50z018=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=NUOVdFzkm+/32Ol+TaRpDzUod5DduXpbCNSF8OsNEf6HDz60bv/uluBHVBUMr8ik2 dCycmIpURSjQJn4fnBapBJys6DMybqorjLUWebT6pdJFytEB8mfcDEiw8Cgaq4+CEA HfOF6FEiV5ZyD5km00z2s4lbdZv0+NwIq42pdxI8= Message-ID: <1579628090.3390.28.camel@HansenPartnership.com> Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default From: James Bottomley To: Lakshmi Ramasubramanian , zohar@linux.ibm.com, linux-integrity@vger.kernel.org Cc: sashal@kernel.org, linux-kernel@vger.kernel.org Date: Tue, 21 Jan 2020 09:34:50 -0800 In-Reply-To: <20200121171302.4935-1-nramas@linux.microsoft.com> References: <20200121171302.4935-1-nramas@linux.microsoft.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2020-01-21 at 09:13 -0800, Lakshmi Ramasubramanian wrote: > Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will > automatically enable the IMA hook to measure asymmetric keys. Keys > created or updated early in the boot process are queued up whether > or not a custom IMA policy is provided. Although the queued keys will > be freed if a custom IMA policy is not loaded within 5 minutes, it > could still cause significant performance impact on smaller systems. What exactly do you expect distributions to do with this? I can tell you that most of them will take the default option, so this gets set to N and you may as well not have got the patches upstream because you won't be able to use them in any distro with this setting. > This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by > default. Since a custom IMA policy that defines key measurement is > required to measure keys, systems that require key measurement can > enable this config option in addition to providing a custom IMA > policy. Well, no they can't ... it's rather rare nowadays for people to build their own kernels. The vast majority of Linux consumers take what the distros give them. Think carefully before you decide a config option is the solution to this problem. James