From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: zohar@linux.ibm.com, linux-integrity@vger.kernel.org
Cc: sashal@kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default
Date: Tue, 21 Jan 2020 09:13:02 -0800
Message-ID: <20200121171302.4935-1-nramas@linux.microsoft.com>

Enabling IMA and ASYMMETRIC_PUBLIC_KEY_SUBTYPE configs will
automatically enable the IMA hook to measure asymmetric keys. Keys
created or updated early in the boot process are queued up whether
or not a custom IMA policy is provided. Although the queued keys will
be freed if a custom IMA policy is not loaded within 5 minutes, it could
still cause significant performance impact on smaller systems.

This patch turns the config IMA_MEASURE_ASYMMETRIC_KEYS off by default.
Since a custom IMA policy that defines key measurement is required to
measure keys, systems that require key measurement can enable this
config option in addition to providing a custom IMA policy.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
---
 security/integrity/ima/Kconfig | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/security/integrity/ima/Kconfig b/security/integrity/ima/Kconfig
index 355754a6b6ca..8e678219ee9e 100644
--- a/security/integrity/ima/Kconfig
+++ b/security/integrity/ima/Kconfig
@@ -312,7 +312,19 @@ config IMA_APPRAISE_SIGNED_INIT
 	   This option requires user-space init to be signed.
 
 config IMA_MEASURE_ASYMMETRIC_KEYS
-	bool
+	bool "Enable asymmetric keys measurement on key create or update"
 	depends on IMA
 	depends on ASYMMETRIC_PUBLIC_KEY_SUBTYPE=y
-	default y
+	default n
+	help
+	   This option enables measuring asymmetric keys when the key
+	   is created or updated. Additionally a custom IMA policy that
+	   defines key measurement should also be loaded.
+
+	   If this option is enabled, keys created or updated early in
+	   the boot process are queued up. The queued keys are processed
+	   when a custom IMA policy is loaded. But if a custom IMA policy
+	   is not loaded within 5 minutes after IMA subsystem is initialized,
+	   any queued keys are just freed. Keys created or updated after
+	   a custom IMA policy is loaded will be processed immediately and
+	   not queued.
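Review bot: `default n` on the `+	default n` line is redundant; a bool symbol with no `default` line is already n, and Kconfig convention is to drop the line rather than state it, so the diff could simply remove `-	default y` without a replacement. Two wording nits in the added text: the prompt `"Enable asymmetric keys measurement on key create or update"` reads better as `"Enable asymmetric key measurement on key create or update"`, and the help text's `is not loaded within 5 minutes after IMA subsystem is initialized` needs `the` before `IMA subsystem`.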
-- 
2.17.1
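The commit message describes a state worth catching operationally: the option compiled in, early-boot keys queued, and no custom policy ever arriving to consume them before the 5 minute timeout. The script below is an added example, not part of this patch or the kernel tree. It classifies a machine from its kernel config and the loaded IMA policy and exits non-zero in the queueing case so a fleet check can alert on it. The policy rule name `KEY_CHECK` is assumed here as the IMA policy hook for key measurement; the patch itself does not name it, and the sample config and policy files are constructed.

```shell
#!/bin/sh
# Added example, not part of the patch: classify a machine's IMA key-measurement
# state from (a) its kernel config and (b) the IMA policy currently loaded.
#
#   off       CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS not set: keys are never queued
#   measuring option set and the loaded policy has a KEY_CHECK measure rule
#   queueing  option set but no KEY_CHECK rule: early-boot keys sit in the
#             queue and are freed if no custom policy arrives within 5 minutes
#   unknown   kernel config could not be read
#
# The rule name KEY_CHECK is an assumption of this example (the IMA policy
# hook for key measurement); the patch text does not mention it.

# $1: kernel config, e.g. /boot/config-$(uname -r) or zcat /proc/config.gz > file
# $2: loaded IMA policy, normally /sys/kernel/security/ima/policy
#     (readable only as root on kernels built with CONFIG_IMA_READ_POLICY=y)
ima_key_state() {
    config="$1"
    policy="$2"
    if [ ! -r "$config" ]; then
        echo unknown
        return 2
    fi
    if ! grep -q '^CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y' "$config"; then
        echo off
        return 0
    fi
    if [ -r "$policy" ] && grep -q '^measure .*func=KEY_CHECK' "$policy"; then
        echo measuring
        return 0
    fi
    # Option compiled in, but nothing will ever consume the queued keys.
    echo queueing
    return 1
}

# With two arguments, check the given config and policy files; with none,
# run against constructed sample inputs so the script demonstrates itself.
if [ $# -eq 2 ]; then
    ima_key_state "$1" "$2"
else
    tmp=$(mktemp -d)
    # Constructed sample kernel config and policies (not from a real system).
    printf 'CONFIG_IMA=y\nCONFIG_IMA_MEASURE_ASYMMETRIC_KEYS=y\n' > "$tmp/config"
    printf '# CONFIG_IMA_MEASURE_ASYMMETRIC_KEYS is not set\n' > "$tmp/config-off"
    printf 'measure func=BPRM_CHECK\nmeasure func=MODULE_CHECK\n' > "$tmp/policy-nokeys"
    printf 'measure func=BPRM_CHECK\nmeasure func=KEY_CHECK keyrings=.ima\n' > "$tmp/policy-keys"

    for pair in "config policy-nokeys" "config policy-keys" "config-off policy-keys"; do
        set -- $pair
        printf '%-26s -> %s\n' "$pair" "$(ima_key_state "$tmp/$1" "$tmp/$2")"
    done
    rm -rf "$tmp"
fi
```

Run with no arguments to see the three constructed cases, or as `sh ima-key-state.sh /boot/config-$(uname -r) /sys/kernel/security/ima/policy` on a live machine. The exit status (0 for off/measuring, 1 for queueing, 2 for unknown) is what a monitoring job should key on; the printed word is for humans.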


Thread overview: 10+ messages
2020-01-21 17:13 Lakshmi Ramasubramanian [this message]
2020-01-21 17:34 ` [PATCH] IMA: Turn IMA_MEASURE_ASYMMETRIC_KEYS off by default James Bottomley
2020-01-21 18:00   ` Lakshmi Ramasubramanian
2020-01-21 19:13   ` Mimi Zohar
2020-01-21 19:52     ` James Bottomley
2020-01-21 20:38       ` Lakshmi Ramasubramanian
2020-01-22 20:02         ` Mimi Zohar
2020-01-22 20:05           ` Lakshmi Ramasubramanian
2020-01-22 20:54             ` Mimi Zohar
2020-01-22 12:23       ` Mimi Zohar