From: Mimi Zohar <zohar@kernel.org>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: linux-integrity@vger.kernel.org, bill.c.roberts@gmail.com
Subject: Re: [PATCH v4 ima-evm-utils] extend ima_measurement --pcrs option to support per-bank pcr files
Date: Mon, 27 Jul 2020 10:15:38 -0400
Message-ID: <1595859338.4841.116.camel@kernel.org>
In-Reply-To: <20200727132110.5057-1-stephen.smalley.work@gmail.com>

On Mon, 2020-07-27 at 09:21 -0400, Stephen Smalley wrote:

> ---
> v4 updates the usage in the README and usage message, reduces MAX_NPCRFILE
> to 2 (for sha1 and sha256) and changes the buffer size to
> MAX_DIGEST_SIZE * 2 + 8 for the lines read from the pcrs file(s).
> 
> One thing that is unclear to me is correct/expected usage of the
> --verify and --validate options to evmctl ima_measurement. For an
> appraisal of a remote attestation, when would one NOT want to use
> --verify (i.e. doesn't lack of --verify render the result insecure)
> and when would one want to use --validate (i.e. doesn't use of --validate
> render the result insecure)? And shouldn't the default in both cases
> be the more secure case (i.e. verify = 1, validate = 0)?  The naming of
> --validate is also confusing since one might expect it to mean
> to validate/check the result as opposed to ignore violations?

Yes, agreed.  Thank you for reviewing and commenting on the code.

While adding support for these features, originally in LTP and the
standalone version, they should be cleaned up.  Should "--verify" just
be dropped?  Without a custom policy, with just the builtin
"ima_policy=tcb" policy, a few files are read while being opened for
write (e.g. audit, log, print files).  Perhaps rename "validate" to
something like "force-validate".

I forgot to add "evmctl boot_aggregate" to the README.  The supplied
pcrs could also be used to calculate the "boot_aggregate" value(s).

Mimi
