diff for duplicates of <1521130749.3547.608.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 29848a3..1e27be1 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -3,11 +3,11 @@ On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote: [..] > > Adding additional support for post IMA-initialization for TPM's built > > as kernel modules is clearly not optimal for all of the reasons -> > provided to now and will be confusing, but could be supported. This +> > provided to now and will be confusing, but could be supported. ?This > > delayed loading of the TPM needs to be clearly indicated in both the > > audit log and in IMA's measurement list. > -> Why if the measurement chain isn't broken? The way I'm thinking of +> Why if the measurement chain isn't broken? ?The way I'm thinking of > implementing it, IMA wouldn't even know. I'm not sure this is good news. @@ -18,9 +18,9 @@ I'm not sure this is good news. > EFI system, we'd just use the EFI driver to do perform the operation. If EFI is extending the TPM, will the events be added to the TPM event -log or to the IMA measurement list? Up to now the IMA boot aggregate -record includes PCRs from 0 - 7. With these PCRs, the boot aggregate -wouldn't change when booting the same kernel. Would you change the +log or to the IMA measurement list? ? Up to now the IMA boot aggregate +record includes PCRs from 0 - 7. ?With these PCRs, the boot aggregate +wouldn't change when booting the same kernel. ?Would you change the boot-aggregate to include these other PCRs? > There's probably a bit of additional subtlety making the kernel and EFI @@ -34,3 +34,8 @@ Agreed What happens for non EFI systems, when you can't extend the TPM? Mimi + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 9f1a025..c3a3b4a 100644 
--- a/a/content_digest +++ b/N1/content_digest @@ -15,21 +15,10 @@ "ref\01521038471.4508.25.camel@HansenPartnership.com\0" "ref\01521047286.3547.470.camel@linux.vnet.ibm.com\0" "ref\01521048306.4508.56.camel@HansenPartnership.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [PATCH] security: Fix IMA Kconfig for dependencies on ARM64\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[PATCH] security: Fix IMA Kconfig for dependencies on ARM64\0" "Date\0Thu, 15 Mar 2018 12:19:09 -0400\0" - "To\0James Bottomley <James.Bottomley@hansenpartnership.com>" - Safford - David (GE Global Research - US) <david.safford@ge.com> - Jiandi An <anjiandi@codeaurora.org> - " Jason Gunthorpe <jgg@ziepe.ca>\0" - "Cc\0dmitry.kasatkin@gmail.com <dmitry.kasatkin@gmail.com>" - jmorris@namei.org <jmorris@namei.org> - serge@hallyn.com <serge@hallyn.com> - linux-integrity@vger.kernel.org <linux-integrity@vger.kernel.org> - linux-security-module@vger.kernel.org <linux-security-module@vger.kernel.org> - " linux-kernel@vger.kernel.org <linux-kernel@vger.kernel.org>\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote:\n" @@ -37,11 +26,11 @@ "[..]\n" "> > Adding additional support for post IMA-initialization for TPM's built\n" "> > as kernel modules is clearly not optimal for all of the reasons\n" - "> > provided to now and will be confusing, but could be supported. This\n" + "> > provided to now and will be confusing, but could be supported. ?This\n" "> > delayed loading of the TPM needs to be clearly indicated in both the\n" "> > audit log and in IMA's measurement list.\n" "> \n" - "> Why if the measurement chain isn't broken? The way I'm thinking of\n" + "> Why if the measurement chain isn't broken? ?The way I'm thinking of\n" "> implementing it, IMA wouldn't even know.\n" "\n" "I'm not sure this is good news.\n" 
@@ -52,9 +41,9 @@ "> EFI system, we'd just use the EFI driver to do perform the operation.\n" "\n" "If EFI is extending the TPM, will the events be added to the TPM event\n" - "log or to the IMA measurement list? Up to now the IMA boot aggregate\n" - "record includes PCRs from 0 - 7. With these PCRs, the boot aggregate\n" - "wouldn't change when booting the same kernel. Would you change the\n" + "log or to the IMA measurement list? ? Up to now the IMA boot aggregate\n" + "record includes PCRs from 0 - 7. ?With these PCRs, the boot aggregate\n" + "wouldn't change when booting the same kernel. ?Would you change the\n" "boot-aggregate to include these other PCRs?\n" "\n" "> There's probably a bit of additional subtlety making the kernel and EFI\n" @@ -67,6 +56,11 @@ "\n" "What happens for non EFI systems, when you can't extend the TPM?\n" "\n" - Mimi + "Mimi\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -468a432e5a19cbc06c8db9eb71a1b98dff09dc38824161076408e253372093f5 +33754bf94d560886ccdddc564c6d2970a119220864c55cc0fdefdec64346a7e0
diff --git a/a/1.txt b/N2/1.txt index 29848a3..636f735 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -3,11 +3,11 @@ On Wed, 2018-03-14 at 10:25 -0700, James Bottomley wrote: [..] > > Adding additional support for post IMA-initialization for TPM's built > > as kernel modules is clearly not optimal for all of the reasons -> > provided to now and will be confusing, but could be supported. This +> > provided to now and will be confusing, but could be supported. This > > delayed loading of the TPM needs to be clearly indicated in both the > > audit log and in IMA's measurement list. > -> Why if the measurement chain isn't broken? The way I'm thinking of +> Why if the measurement chain isn't broken? The way I'm thinking of > implementing it, IMA wouldn't even know. I'm not sure this is good news. @@ -18,9 +18,9 @@ I'm not sure this is good news. > EFI system, we'd just use the EFI driver to do perform the operation. If EFI is extending the TPM, will the events be added to the TPM event -log or to the IMA measurement list? Up to now the IMA boot aggregate -record includes PCRs from 0 - 7. With these PCRs, the boot aggregate -wouldn't change when booting the same kernel. Would you change the +log or to the IMA measurement list? Up to now the IMA boot aggregate +record includes PCRs from 0 - 7. With these PCRs, the boot aggregate +wouldn't change when booting the same kernel. Would you change the boot-aggregate to include these other PCRs? > There's probably a bit of additional subtlety making the kernel and EFI diff --git a/a/content_digest b/N2/content_digest index 9f1a025..bcf0847 100644 --- a/a/content_digest +++ b/N2/content_digest 
@@ -37,11 +37,11 @@ "[..]\n" "> > Adding additional support for post IMA-initialization for TPM's built\n" "> > as kernel modules is clearly not optimal for all of the reasons\n" - "> > provided to now and will be confusing, but could be supported. This\n" + "> > provided to now and will be confusing, but could be supported. \302\240This\n" "> > delayed loading of the TPM needs to be clearly indicated in both the\n" "> > audit log and in IMA's measurement list.\n" "> \n" - "> Why if the measurement chain isn't broken? The way I'm thinking of\n" + "> Why if the measurement chain isn't broken? \302\240The way I'm thinking of\n" "> implementing it, IMA wouldn't even know.\n" "\n" "I'm not sure this is good news.\n" @@ -52,9 +52,9 @@ "> EFI system, we'd just use the EFI driver to do perform the operation.\n" "\n" "If EFI is extending the TPM, will the events be added to the TPM event\n" - "log or to the IMA measurement list? Up to now the IMA boot aggregate\n" - "record includes PCRs from 0 - 7. With these PCRs, the boot aggregate\n" - "wouldn't change when booting the same kernel. Would you change the\n" + "log or to the IMA measurement list? \302\240 Up to now the IMA boot aggregate\n" + "record includes PCRs from 0 - 7. \302\240With these PCRs, the boot aggregate\n" + "wouldn't change when booting the same kernel. \302\240Would you change the\n" "boot-aggregate to include these other PCRs?\n" "\n" "> There's probably a bit of additional subtlety making the kernel and EFI\n" @@ -69,4 +69,4 @@ "\n" Mimi -468a432e5a19cbc06c8db9eb71a1b98dff09dc38824161076408e253372093f5 +8c0a855f6a3f95b1e38f8feabcbb8413984c9e384c33b1db416ac94dd66b6af1
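Review bot: the N1 copy is lossy and should not be the one quoted or treated as canonical. In its 1.txt hunks the characters that N2's content_digest shows as `\302\240` (a UTF-8 non-breaking space) have become literal `?`, as in "supported. ?This" and "broken? ?The". Its content_digest hunk also rewrites From to "zohar@linux.vnet.ibm.com (Mimi Zohar)", drops "Re:" from the Subject, collapses To/Cc to the list address alone, and appends the majordomo unsubscribe footer. N2 differs from a/ only in how that same whitespace is encoded, so when citing the message, use a/ or N2 and read the differing digests as a consequence of these byte-level changes, not of any change to what Mimi wrote.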