From: Roberto Sassu <roberto.sassu@huaweicloud.com>
To: Gregory Lumen <gregorylumen@linux.microsoft.com>
Cc: James Bottomley <James.Bottomley@HansenPartnership.com>,
steven chen <chenste@linux.microsoft.com>,
linux-integrity@vger.kernel.org, zohar@linux.ibm.com,
roberto.sassu@huawei.com, dmitry.kasatkin@gmail.com,
eric.snowberg@oracle.com, paul@paul-moore.com,
jmorris@namei.org, serge@hallyn.com,
linux-security-module@vger.kernel.org,
anirudhve@linux.microsoft.com, nramas@linux.microsoft.com,
sushring@linux.microsoft.com
Subject: Re: [PATCH 1/1] IMA event log trimming
Date: Mon, 08 Dec 2025 18:50:17 +0100 [thread overview]
Message-ID: <6b5e09ad1388d4352ccab6170a4eae6f574dcfeb.camel@huaweicloud.com> (raw)
In-Reply-To: <862fa081-df51-084-ae2c-efa0eae0ca7e@linux.microsoft.com>
On Mon, 2025-12-08 at 09:21 -0800, Gregory Lumen wrote:
> > Rather than designing the interface absent use cases, could we give use
> > cases first so we know it fits?
>
> I would also like to request that we include operational considerations in
> the interface design; specifically, which additional signals can or should
> be made available to UM to assist in diagnosing log validation failures.
> This seems called for as any form of log trimming will introduce a new
> potential cause for validation failures (unexpected trimming).
>
> With the proposed changes, the only signal available to system operators
> is the validation failure itself, with no signal that could be used to
> determine if the failure was the result of an unexpected trim or a loss of
> synchronization between the log and the PCRs (either through an unexpected
> PCR extend, or tampering with the measurement list). Any of these may
> indicate malicious activity, but they may also result from system
> configuration issues that operators would need to diagnose and resolve.
I don't agree with this. User space can keep a persistent state, and
resume from where it was interrupted. There is no risk of loss of data,
if user space deletes staged measurements only after the read is
complete.
The same comment applies for coordination between different user space
agents. It would not be too hard to expose an interface managed by a
new user space component, providing similar data as IMA (even showing
the full measurements list without its users being aware of the
snapshots). The other agents can fetch the data from the new interface.
And also, I don't see the problem in developing more complex user space
programs which link the measurement entries to PCR values, and anything
that is desirable.
And if from the kernel perspective all we need to do is a list replace,
for me that is the most efficient solution.
Roberto
> Tracking and exposing either the total number of trimmed measurements or
> the most recent trimmed-to PCR values by the kernel would allow system
> operators to determine whether a failure was caused by unexpected trimming
> or integrity issues. (Storing the PCR values also enables validation of
> the retained measurements even after an unexpected trim, though I’m unsure
> how often that signal would prove useful.)
>
> Neither approach appears to add any additional attack surface beyond
> raising the likelihood of incorrectly or insecurely implemented UM
> attestation agents. Though that risk (and the additional kernel
> complexity) should be weighed against the value of the additional
> diagnostic signals.
>
> -Gregory Lumen
next prev parent reply other threads:[~2025-12-08 17:50 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-02 23:28 [PATCH 0/1] Trim N entries of IMA event logs steven chen
2025-12-02 23:28 ` [PATCH 1/1] IMA event log trimming steven chen
2025-12-05 9:30 ` Roberto Sassu
2025-12-05 14:21 ` Roberto Sassu
2025-12-05 18:30 ` James Bottomley
2025-12-08 9:40 ` Roberto Sassu
2025-12-08 17:21 ` Gregory Lumen
2025-12-08 17:50 ` Roberto Sassu [this message]
2025-12-08 22:17 ` James Bottomley
2025-12-09 9:36 ` Roberto Sassu
2025-12-10 19:16 ` Mimi Zohar
2025-12-06 1:28 ` steven chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6b5e09ad1388d4352ccab6170a4eae6f574dcfeb.camel@huaweicloud.com \
--to=roberto.sassu@huaweicloud.com \
--cc=James.Bottomley@HansenPartnership.com \
--cc=anirudhve@linux.microsoft.com \
--cc=chenste@linux.microsoft.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=eric.snowberg@oracle.com \
--cc=gregorylumen@linux.microsoft.com \
--cc=jmorris@namei.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=roberto.sassu@huawei.com \
--cc=serge@hallyn.com \
--cc=sushring@linux.microsoft.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).