From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org,
jamorris@linux.microsoft.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Subject: Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_ke
Date: Mon, 28 Oct 2019 17:08:38 +0000 [thread overview]
Message-ID: <1572282518.4532.260.camel@linux.ibm.com> (raw)
In-Reply-To: <8494baa1-c4db-f08b-26c9-2e56279075d0@linux.microsoft.com>
On Mon, 2019-10-28 at 08:12 -0700, Lakshmi Ramasubramanian wrote:
> On 10/27/19 7:33 AM, Mimi Zohar wrote:
>
> > .builtin_trusted_keys is a trusted keyring, which is created by the
> > kernel. It cannot be deleted or replaced by userspace, so it should
> > be possible to correlate a keyring name with a keyring number on
> > policy load.
>
> Yes - at policy load we can map a keyring name to a keyring number.
>
> But at runtime we still need to know if the keyring parameter passed to
> the IMA hook function is configured to be measured.
>
> void ima_post_key_create_or_update(struct key *keyring, struct key *key,
> unsigned long flags, bool create);
> {
> => Get the keyring number for the given "keyring".
There is no "getting" involved here. Pass "keyring" to
process_buffer_measurement and on to ima_get_action().
> => Check if the keyring number is in the configured IMA policy.
ima_get_action() should do a simple compare of the valued stored in
the IMA policy with the value returned by key_serial().
Mimi
> => If yes, measure the key.
> => Else, do nothing.
> }
> Did I misunderstand what you had stated?
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, casey@schaufler-ca.com, sashal@kernel.org,
jamorris@linux.microsoft.com,
linux-security-module@vger.kernel.org,
linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
keyrings@vger.kernel.org
Subject: Re: [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring
Date: Mon, 28 Oct 2019 13:08:38 -0400 [thread overview]
Message-ID: <1572282518.4532.260.camel@linux.ibm.com> (raw)
In-Reply-To: <8494baa1-c4db-f08b-26c9-2e56279075d0@linux.microsoft.com>
On Mon, 2019-10-28 at 08:12 -0700, Lakshmi Ramasubramanian wrote:
> On 10/27/19 7:33 AM, Mimi Zohar wrote:
>
> > .builtin_trusted_keys is a trusted keyring, which is created by the
> > kernel. It cannot be deleted or replaced by userspace, so it should
> > be possible to correlate a keyring name with a keyring number on
> > policy load.
>
> Yes - at policy load we can map a keyring name to a keyring number.
>
> But at runtime we still need to know if the keyring parameter passed to
> the IMA hook function is configured to be measured.
>
> void ima_post_key_create_or_update(struct key *keyring, struct key *key,
> unsigned long flags, bool create);
> {
> => Get the keyring number for the given "keyring".
There is no "getting" involved here. Pass "keyring" to
process_buffer_measurement and on to ima_get_action().
> => Check if the keyring number is in the configured IMA policy.
ima_get_action() should do a simple compare of the valued stored in
the IMA policy with the value returned by key_serial().
Mimi
> => If yes, measure the key.
> => Else, do nothing.
> }
> Did I misunderstand what you had stated?
next prev parent reply other threads:[~2019-10-28 17:08 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-23 23:39 [PATCH v2 0/4] KEYS: measure keys when they are created or updated Lakshmi Ramasubramanian
2019-10-23 23:39 ` Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 1/4] KEYS: Defined an ima hook for measuring keys on key create or update Lakshmi Ramasubramanian
2019-10-23 23:39 ` Lakshmi Ramasubramanian
2019-10-25 19:40 ` Mimi Zohar
2019-10-25 19:40 ` Mimi Zohar
2019-10-25 19:49 ` Lakshmi Ramasubramanian
2019-10-25 19:49 ` Lakshmi Ramasubramanian
2019-10-25 22:28 ` Lakshmi Ramasubramanian
2019-10-25 22:28 ` Lakshmi Ramasubramanian
2019-10-27 14:47 ` Mimi Zohar
2019-10-27 14:47 ` Mimi Zohar
2019-10-28 14:58 ` Lakshmi Ramasubramanian
2019-10-28 14:58 ` Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 2/4] KEYS: Queue key for measurement if ima is not initialized. Measure queued keys when i Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 2/4] KEYS: Queue key for measurement if ima is not initialized. Measure queued keys when ima is initialized Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys k Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring Lakshmi Ramasubramanian
2019-10-27 14:33 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_ke Mimi Zohar
2019-10-27 14:33 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring Mimi Zohar
2019-10-28 15:12 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_ke Lakshmi Ramasubramanian
2019-10-28 15:12 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring Lakshmi Ramasubramanian
2019-10-28 17:08 ` Mimi Zohar [this message]
2019-10-28 17:08 ` Mimi Zohar
2019-10-28 15:56 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_ke Lakshmi Ramasubramanian
2019-10-28 15:56 ` [PATCH v2 3/4] KEYS: Added BUILTIN_TRUSTED_KEYS enum to measure keys added to builtin_trusted_keys keyring Lakshmi Ramasubramanian
2019-10-23 23:39 ` [PATCH v2 4/4] KEYS: Enabled ima policy " Lakshmi Ramasubramanian
2019-10-23 23:39 ` Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1572282518.4532.260.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=casey@schaufler-ca.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.