On Fri, 2020-08-21 at 16:12 -0700, Lakshmi Ramasubramanian wrote:
> The current implementation of early boot measurement in
> the IMA subsystem is very specific to asymmetric keys. It does not
> handle early boot measurement of data from other subsystems such as
> Linux Security Module (LSM), Device-Mapper, etc. As a result, data
> provided by these subsystems during system boot are not measured by IMA.
>
> Update the early boot key measurement to handle any early boot data.
> Refactor the code from ima_queue_keys.c to a new file ima_queue_data.c.
> Rename the kernel configuration CONFIG_IMA_QUEUE_EARLY_BOOT_KEYS to
> CONFIG_IMA_QUEUE_EARLY_BOOT_DATA so it can be used for enabling any
> early boot data measurement. Since measurement of asymmetric keys is
> the first consumer of early boot measurement, this kernel configuration
> is enabled if IMA_MEASURE_ASYMMETRIC_KEYS and SYSTEM_TRUSTED_KEYRING are
> both enabled.
>
> Update the IMA hook ima_measure_critical_data() to utilize early boot
> measurement support.
Please limit the changes in this patch to renaming the functions and/or files. For example, adding "measure_payload_hash" should be a separate patch, not hidden here.

Mimi