On Wed, 2021-02-17 at 10:53 -0800, Tushar Sugandhi wrote:
> Thanks for the feedback Mimi.
> Appreciate it.
>
> On 2021-02-17 7:03 a.m., Mimi Zohar wrote:
> > Hi Tushar,
> >
> > The Subject line could be improved. Perhaps something like - "IMA:
> > support for duplicate measurement records"
> >
> Will do.
>
> > On Tue, 2021-02-16 at 18:46 -0800, Tushar Sugandhi wrote:
> >> IMA does not measure duplicate data since TPM extend is a very expensive
> >> operation. However, in some cases, the measurement of duplicate data
> >> is necessary to accurately determine the current state of the system.
> >> E.g., SELinux state changing from 'audit', to 'enforcing', and back to
> >> 'audit' again. In this example, currently, IMA will not measure the
> >> last state change to 'audit'. This limits the ability of attestation
> >> services to accurately determine the current state of the measurements
> >> on the system.
> >
> > This patch description is written from your specific use case
> > perspective, but it impacts file and buffer data measurements as well,
> > not only critical data measurements. In all of these situations, with
> > this patch a new measurement record is added/appended to the
> > measurement list. Please re-write the patch description making it more
> > generic.
> >
> > For example, I would start with something like, "IMA does not include
> > duplicate file, buffer or critical data measurement records ..."
> >
> Agreed.
> I will generalize the description further and send the v3 for review.
It would be good to boot with the ima_policy=tcb policy with/without your
patch and account for the different number of measurements. Are all the
differences related to duplicate measurements - original file hash -> new
file hash -> original file hash - similar to what you described?

thanks,

Mimi
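To do the before/after accounting Mimi asks for, here is an added example (not code from the thread, the patch or the kernel) that parses a saved copy of IMA's ascii_runtime_measurements list, counts the records a pre-patch kernel would have suppressed, and reports paths whose digest changed and later returned to an earlier value. The ima-ng line layout, the constructed sample records and the assumption that suppression is keyed on PCR plus template hash are mine.

```python
"""Account for duplicate records in an IMA measurement list.

Assumed (not from the thread): lines are in ima-ng layout
'<pcr> <template-hash> <template-name> <algo>:<digest> <path>', and the
pre-patch kernel drops a record whose (pcr, template-hash) was seen before.
"""
import sys
from collections import Counter, defaultdict

# Constructed sample: /etc/two.conf flips digest bbbb -> cccc -> bbbb,
# /usr/bin/one is measured twice with the same digest.
SAMPLE = """\
10 1a2b ima-ng sha256:aaaa /usr/bin/one
10 3c4d ima-ng sha256:bbbb /etc/two.conf
10 5e6f ima-ng sha256:cccc /etc/two.conf
10 1a2b ima-ng sha256:aaaa /usr/bin/one
10 3c4d ima-ng sha256:bbbb /etc/two.conf
10 7788 ima-ng sha256:dddd /usr/lib/three.so
"""

def parse(text):
    """Return (pcr, template_hash, digest, path) tuples, skipping short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue  # blank or truncated line
        pcr, thash, _name, digest, path = parts
        records.append((int(pcr), thash, digest, path))
    return records

def duplicate_records(records):
    """Records a pre-patch kernel would have dropped (repeat pcr+template hash)."""
    seen, dupes = Counter(), []
    for rec in records:
        if seen[rec[:2]]:
            dupes.append(rec)
        seen[rec[:2]] += 1
    return dupes

def digest_flips(records):
    """path -> digest sequence, for paths whose digest changed and came back."""
    seq = defaultdict(list)
    for _pcr, _thash, digest, path in records:
        if not seq[path] or seq[path][-1] != digest:  # collapse exact repeats
            seq[path].append(digest)
    return {p: s for p, s in seq.items() if len(s) >= 3 and s[-1] in s[:-1]}

if __name__ == "__main__":
    recs = parse(open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE)
    print(f"{len(recs)} records, {len(duplicate_records(recs))} would be suppressed")
    for path, seq in digest_flips(recs).items():
        print(path, " -> ".join(seq))
```

Run it once against a list saved from a kernel with the patch and once without; the difference in record count should equal the number of suppressed duplicates reported for the patched list.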