From: James Bottomley <James.Bottomley@HansenPartnership.com>
To: Roberto Sassu <roberto.sassu@huaweicloud.com>,
steven chen <chenste@linux.microsoft.com>,
linux-integrity@vger.kernel.org
Cc: zohar@linux.ibm.com, roberto.sassu@huawei.com,
dmitry.kasatkin@gmail.com, eric.snowberg@oracle.com,
paul@paul-moore.com, jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
anirudhve@linux.microsoft.com, gregorylumen@linux.microsoft.com,
nramas@linux.microsoft.com, sushring@linux.microsoft.com
Subject: Re: [PATCH 1/1] IMA event log trimming
Date: Fri, 05 Dec 2025 13:30:28 -0500 [thread overview]
Message-ID: <34d739c2cf15baf78dff5acb7ae3ddd7ad47f219.camel@HansenPartnership.com> (raw)
In-Reply-To: <099492ee58996b6f18d73232677757ecadb14cb7.camel@huaweicloud.com>
On Fri, 2025-12-05 at 10:30 +0100, Roberto Sassu wrote:
> On Tue, 2025-12-02 at 15:28 -0800, steven chen wrote:
> > This patch is for trimming N entries of the IMA event logs as well
> > as cleaning the hash table.
> >
> > It provides a userspace interface ima_trim_log that can be used to
> > input number N to let kernel to trim N entries of IMA event logs.
> > When read this interface, it returns number of entries trimmed last
> > tim.
>
> High-level comments:
> - It does not offer the possibility to keep the hash table
> - There is no coordination between taking a snapshot and the readers
> of
> the measurements list (I think it is necessary, since reading is
> based on *pos, which contains the entries read until a given point;
> if there is a truncate in the middle of the read, *pos would still
> refer to the non-truncated list and the next read will skip some
> measurement entries)
Rather than designing the interface absent use cases, could we give use
cases first so we know it fits? I really only have one: the keylime
agent, but I believe it's pattern, which would be get TPM quote of
logging PCRs, certify quote and then trim the log up to the point the
quote was obtained will be a common pattern (at least I don't think
anyone would trim the log without quoting it). If you're trimming
based on a quote, you know the end hash of all the PCRs and you want to
trim up to that. Since the log is fixed, you can work out what the
index offset is, but it does seem a bit suboptimal to have to compute
that, which is why I think trimming by end PCR hash is useful. The
main point in all of this is, I think, that you don't really get to
decide which point in the log the TPM will quote: it always quotes it's
current PCR values, so no-one who cares about log quotes can select the
number of entries first, they all have to see what PCR values the quote
returns.
> - While trimming per se is ok, I like more the idea of staging
> changes and letting the user delete the staged measurements list
> later
I'm not averse to this, but keylime won't care ... it gets the quote
and the log and it will verify the log before it will get the agent to
issue a trim. Is there a use case that would actually need this
behaviour?
I also think having the base PCRs stored in the kernel after the trim
(in a way that's easily consumed, like a non measured log entry), thus
allowing verification from the log up to any current quote is useful.
The reason I think it's useful is the attestation token one: I can see
the keylime verifier giving an I've verified the log up to here and all
the entries look good token that contains the base PCRs and if there
are quite a few of these floating around (especially if the log isn't
always trimmed) I could see the kernel base PCR storage being used to
ask which is the relevant attestation token I should use to verify the
rest of the log (or even used to detect nefarious trimming designed to
hide records).
Regards,
James
next prev parent reply other threads:[~2025-12-05 18:30 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 23:28 [PATCH 0/1] Trim N entries of IMA event logs steven chen
2025-12-02 23:28 ` [PATCH 1/1] IMA event log trimming steven chen
2025-12-05 9:30 ` Roberto Sassu
2025-12-05 14:21 ` Roberto Sassu
2025-12-05 18:30 ` James Bottomley [this message]
2025-12-08 9:40 ` Roberto Sassu
2025-12-08 17:21 ` Gregory Lumen
2025-12-08 17:50 ` Roberto Sassu
2025-12-08 22:17 ` James Bottomley
2025-12-09 9:36 ` Roberto Sassu
2025-12-10 19:16 ` Mimi Zohar
2025-12-06 1:28 ` steven chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=34d739c2cf15baf78dff5acb7ae3ddd7ad47f219.camel@HansenPartnership.com \
--to=james.bottomley@hansenpartnership.com \
--cc=anirudhve@linux.microsoft.com \
--cc=chenste@linux.microsoft.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=roberto.sassu@huaweicloud.com \
--cc=serge@hallyn.com \
--cc=sushring@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).