Subject: Re: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default
To: James Bottomley, Mimi Zohar, linux-integrity@vger.kernel.org
Cc: sashal@kernel.org, linux-kernel@vger.kernel.org
References: <20200121171302.4935-1-nramas@linux.microsoft.com> <1579628090.3390.28.camel@HansenPartnership.com> <1579634035.5125.311.camel@linux.ibm.com> <1579636351.3390.35.camel@HansenPartnership.com>
From: Lakshmi Ramasubramanian
Date: Tue, 21 Jan 2020 12:38:58 -0800
In-Reply-To: <1579636351.3390.35.camel@HansenPartnership.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 1/21/2020 11:52 AM, James Bottomley wrote:
>> - really small devices/sensors being able to queue certificates
>
> seems like the answer to this one would be don't queue. I realise it's
> after the submit design, but what about measuring when the key is added
> if there's a policy otherwise measure the keyring when the policy is
> added ... that way no queueing.

Without the "deferred key processing" changes, only keys added at runtime were measured (if policy permitted). "Deferred key processing" enabled queuing keys added early in the boot process and measuring them when the policy is loaded.

We can make this (the queuing) optional through a config, but leave the runtime key measurement auto-enabled (as is the config IMA_MEASURE_ASYMMETRIC_KEYS now).

-lakshmi
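The two behaviours being weighed above (measure at key-add time once a policy exists, versus queue early-boot keys and drain the queue when the policy loads) can be seen side by side in a small model. The code below is an added illustration written for this page, not IMA or kernel code; the `ima_model` structure, its functions, the `queue_enabled` flag standing in for a hypothetical config option, and the boot sequence in `run_boot_scenario` are all constructed for the example.

```c
/* Hypothetical model of "deferred key processing" as described in the
 * thread; illustrative code only, not kernel or IMA code. Keyring names
 * and the boot scenario below are constructed for the example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_QUEUED 16
#define NAME_LEN   32

struct queued_key {
    char keyring[NAME_LEN];
    char desc[NAME_LEN];
};

struct ima_model {
    bool queue_enabled;             /* stands in for a config that turns queuing off */
    bool policy_loaded;
    char policy_keyring[NAME_LEN];  /* the one keyring the loaded policy measures */
    struct queued_key queue[MAX_QUEUED];
    size_t queue_len;
    size_t measured;                /* keys that reached the measurement list */
    size_t unmeasured;              /* keys that were never measured */
};

static void model_init(struct ima_model *m, bool queue_enabled)
{
    memset(m, 0, sizeof(*m));
    m->queue_enabled = queue_enabled;
}

static bool policy_matches(const struct ima_model *m, const char *keyring)
{
    return m->policy_loaded && strcmp(m->policy_keyring, keyring) == 0;
}

/* Stand-in for adding a measurement entry: only the count matters here. */
static void measure_key(struct ima_model *m, const char *keyring, const char *desc)
{
    printf("measured %s on %s\n", desc, keyring);
    m->measured++;
}

/* Called whenever a key is added to a keyring. */
void model_key_added(struct ima_model *m, const char *keyring, const char *desc)
{
    if (m->policy_loaded) {
        /* Runtime path: measure now if the policy covers this keyring. */
        if (policy_matches(m, keyring))
            measure_key(m, keyring, desc);
        else
            m->unmeasured++;
        return;
    }
    /* Early boot, no policy yet: queue if allowed; otherwise the key is
     * never measured (the behaviour before deferred processing). */
    if (m->queue_enabled && m->queue_len < MAX_QUEUED) {
        struct queued_key *q = &m->queue[m->queue_len++];
        snprintf(q->keyring, sizeof(q->keyring), "%s", keyring);
        snprintf(q->desc, sizeof(q->desc), "%s", desc);
    } else {
        m->unmeasured++;
    }
}

/* Called when the policy is loaded: drains the queue against it. */
void model_policy_loaded(struct ima_model *m, const char *keyring)
{
    snprintf(m->policy_keyring, sizeof(m->policy_keyring), "%s", keyring);
    m->policy_loaded = true;
    for (size_t i = 0; i < m->queue_len; i++) {
        if (policy_matches(m, m->queue[i].keyring))
            measure_key(m, m->queue[i].keyring, m->queue[i].desc);
        else
            m->unmeasured++;
    }
    m->queue_len = 0;
}

/* Constructed boot sequence: three keys arrive before the policy, two after.
 * Returns how many keys ended up measured. */
size_t run_boot_scenario(bool queue_enabled)
{
    struct ima_model m;
    model_init(&m, queue_enabled);
    model_key_added(&m, ".builtin_trusted_keys", "vendor-ca-1");
    model_key_added(&m, ".ima", "early-ima-cert");
    model_key_added(&m, ".builtin_trusted_keys", "vendor-ca-2");
    model_policy_loaded(&m, ".ima");   /* policy: measure keys added to .ima */
    model_key_added(&m, ".ima", "runtime-ima-cert");
    model_key_added(&m, ".builtin_trusted_keys", "runtime-ca");
    return m.measured;
}

int main(void)
{
    printf("queuing on:  %zu measured\n", run_boot_scenario(true));
    printf("queuing off: %zu measured\n", run_boot_scenario(false));
    return 0;
}
```

With queuing enabled the early `.ima` key is held until the policy arrives and then measured, so the scenario measures two keys; with queuing disabled only the key added after the policy is measured, which is the runtime-only behaviour the reply describes.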