From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v6 2/3] IMA: Define an IMA hook to measure keys
Date: Wed, 13 Nov 2019 21:18:23 +0000 [thread overview]
Message-ID: <1573679903.4517.5.camel@linux.ibm.com> (raw)
In-Reply-To: <8eba665e-637c-d341-c77d-4f2645d3b246@linux.microsoft.com>
On Wed, 2019-11-13 at 12:52 -0800, Lakshmi Ramasubramanian wrote:
> On 11/13/19 12:09 PM, Mimi Zohar wrote:
> >
> > All that is needed is the key and public_key structures, which are
> > defined in include/linux/keys.h and include/crypto/public_key.h. If
> > the keys subsystem is disabled, then the new IMA hook won't be called.
> > There's no need for a new Kconfig option or a new file.
> >
> > Please move the hook to just after ima_kexec_cmdline().
> >
> > Mimi
>
> Yes - the IMA hook won't be called when the KEYS subsystem is disabled.
>
> But the build dependency is breaking, since "struct key" is not defined
> without CONFIG_KEYS.
>
> Sasha was able to craft a .config that enabled IMA without enabling KEYS
> and found the build break.
Yes, thanks for pointing out the "#ifdef CONFIG_KEYS" in keys.h. A
separate file is needed, as you pointed out, but still no need for a
new Kconfig. The ima/Makefile can be based on CONFIG_KEYS.
Mimi