Re: [PATCH] IMA: make runtime measurement list pollable

[Daiki Ueno <dueno@redhat.com>]

Hello Mimi,

Mimi Zohar <zohar@linux.ibm.com> writes:

> Hi Daiki,
>
> On Tue, 2021-10-05 at 16:44 +0200, Daiki Ueno wrote:
>> The IMA runtime measurement list exposed on securityfs is currently
>> not pollable, so applications that incrementally verify the
>> measurements have to monitor the file periodically.  This patch makes
>> it possible to poll the file in a similar fashion to the sysfs files,
>> i.e., POLLPRI will be signalled on any changes to the list.
>> 
>> Signed-off-by: Daiki Ueno <dueno@redhat.com>
>
> With the sample code in the poll man page and without this patch, the
> ascii measurement list is pollable.  I must be missing something.

The sample code polls with POLLIN, so every poll() call returns
immediately, even if there is no change in the measurement list.  That
is not ideal in some scenarios[1], and could be a CPU hog as the calling
process never sleeps.

With this patch, poll() behaves the same for POLLIN, while the user
program is also able to wait for actual changes to the measurement list,
with POLLPRI.

> The call to wake_up_interruptible() probably should not be here, but in
> the caller after the TPM is extended.   With that change, you would be
> able to differentiate between restoring the measurement list after
> kexec and regular additional measurements.

Thank you for the suggestion; I will test that change and get it back to
you soon.

Regards,

Footnotes:
[1]  https://github.com/keylime/keylime/blob/master/keylime/cmd/ima_emulator_adapter.py#L95
     Currently the poll() in the loop is no-op and it would spin if
     there is no time.sleep()

-- 
Daiki Ueno