Re: [PATCH v2] IMA: Allow only ima-buf template for key measurement
From: Petr Vorel <pvorel@suse.cz>
Date: 2021-03-17 20:37:27
Also in:
ltp
> Hi Lakshmi,
> > > Just a double check: does it always work without template=ima-buf for all kernel versions? Or only for kernels with dea87d0889dd ("ima: select ima-buf template for buffer measurement") i.e. v5.11-rc1 or backport?
> >
> > The above change is required. Prior to this change, template has to be specified in the policy, otherwise the default template would be used.
>
> The default template is ima-ng, right?

Yes: ima-ng is the default template.
> From what you write I understand that "measure func=KEY_CHECK keyrings=.ima|.evm" will work only on newer kernel, thus we should always use template=ima-buf as the policy example so that it's working also on that few kernels between <v5.6,v5.10> (which have IMA key functionality, but not dea87d0889dd), right?

Yes: in the kernels between v5.6 and v5.10, ima-buf template needs to be specified in the policy for KEY_CHECK.

> OK, thus your original version - i.e. don't require template=ima-buf, but keep it in the policy example - is the best approach.
> But we should mention that in the README.md.

Agreed - will update the README.md

> Thanks!
>
> Kind regards,
> Petr

thanks,
-lakshmi
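The practical upshot of the thread is that a KEY_CHECK rule should carry an explicit template=ima-buf, because between v5.6 and v5.10 the default ima-ng template would be used and the key payload would not land in the measurement list. The script below is an added example, not code from the thread, the LTP test or the kernel: it emits the policy rule the thread settles on, decides from a kernel version string whether the explicit template is required (assuming the v5.6 introduction of KEY_CHECK and the v5.11 auto-selection stated above), and scans measurement-list lines for keyring entries that lack the key buffer. The sample measurement lines are constructed and shortened; the assumed field layout of ascii_runtime_measurements is PCR, template hash, template name, file/buffer hash, name, and (for ima-buf only) the hex buffer.

```shell
#!/bin/sh
# Added example (not from the thread, LTP or the kernel): IMA keyring
# measurement policy helpers and a check of the measurement list.

# The rule as agreed in the thread: always pin template=ima-buf so the key
# payload is recorded on v5.6..v5.10 as well as on v5.11+.
ima_key_policy_rule() {
    echo "measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf"
}

# Return 0 if KEY_CHECK on kernel version $1 needs an explicit template.
# Assumption (hypothetical helper): KEY_CHECK exists from v5.6, and from
# v5.11 (dea87d0889dd) ima-buf is auto-selected for buffer measurements.
# Kernels before v5.6 return 1 as well: there is no KEY_CHECK to configure.
# Accepts strings such as "5.10.0-8-amd64", "5.6-rc1" or "5.11".
key_check_needs_explicit_template() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    if [ "$major" -eq 5 ] && [ "$minor" -ge 6 ] && [ "$minor" -le 10 ]; then
        return 0
    fi
    return 1
}

# Count entries on stdin for keyring $1 that were not logged with ima-buf
# (or were logged without the buffer field), i.e. where the key payload is
# missing and only a hash of it survives in the log.
# Assumed fields: PCR template-hash template-name d-ng n-ng [buf]
count_keyring_entries_without_buf() {
    awk -v kr="$1" '$5 == kr && ($3 != "ima-buf" || NF < 6) { n++ } END { print n + 0 }'
}

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements
# (hashes and the DER key blob are placeholders, not real values).
SAMPLE_MEASUREMENTS='10 aaaa ima-ng sha256:bbbb boot_aggregate
10 cccc ima-buf sha256:dddd .ima 308201aa
10 eeee ima-ng sha256:ffff .evm'

# Stand-alone demo: print the rule, classify the running kernel, and report
# on the sample (and on the live list when it is readable).
ima_key_policy_rule
kver=$(uname -r 2>/dev/null || echo unknown)
if key_check_needs_explicit_template "$kver"; then
    echo "$kver: template=ima-buf must be explicit in the KEY_CHECK rule"
else
    echo "$kver: not in the v5.6..v5.10 window (or no KEY_CHECK support)"
fi
for kr in .ima .evm; do
    n=$(printf '%s\n' "$SAMPLE_MEASUREMENTS" | count_keyring_entries_without_buf "$kr")
    echo "sample: $kr entries without key buffer: $n"
done
live=/sys/kernel/security/ima/ascii_runtime_measurements
if [ -r "$live" ]; then
    for kr in .ima .evm; do
        echo "live: $kr entries without key buffer: $(count_keyring_entries_without_buf "$kr" < "$live")"
    done
fi
```

In the sample, the .evm entry was logged with ima-ng, which is exactly what a v5.6..v5.10 kernel produces when the rule omits template=ima-buf: the keyring name is there, but the key blob needed to re-verify the measurement is not.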