Thread (6 messages, 2 authors, 2021-03-17)

Re: [PATCH v2] IMA: Allow only ima-buf template for key measurement

From: Petr Vorel <pvorel@suse.cz>
Date: 2021-03-17 20:37:27
Also in: ltp

Hi Lakshmi,
Just a double check: does it always work without template=ima-buf for all kernel versions?
Or only for kernels with dea87d0889dd ("ima: select ima-buf template for buffer measurement"),
i.e. v5.11-rc1 or a backport?
The above change is required. Prior to this change, template has to be
specified in the policy, otherwise the default template would be used.
The default template is ima-ng, right?
Yes: ima-ng is the default template.
From what you write I understand that "measure func=KEY_CHECK
keyrings=.ima|.evm" will work only on newer kernels, thus we should always use
template=ima-buf in the policy example so that it also works on those few
kernels between <v5.6,v5.10> (which have IMA key functionality, but not
dea87d0889dd), right?
Yes: In the kernels between v5.6 and v5.10, ima-buf template needs to be
specified in the policy for KEY_CHECK.
OK, thus your original version - i.e. don't require template=ima-buf,
but keep it in policy example is the best approach.
But we should mention that in the README.md.
Agreed - will update the README.md
Thanks!

Kind regards,
Petr
thanks,
 -lakshmi
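The conclusion of the exchange above is that the policy example should always carry template=ima-buf, because on kernels between v5.6 and v5.10 (no dea87d0889dd) a KEY_CHECK rule without it falls back to the default ima-ng template, which records no key contents. The following is an added illustration, not code from the LTP test or from either author: it emits that policy rule and checks a measurement list for keyring entries that were recorded with a template other than ima-buf. The measurement-list lines, hashes and key bytes are constructed placeholders; the field layout assumed is the ascii_runtime_measurements one (PCR, template hash, template name, d-ng, n-ng, and for ima-buf the buffer).

```shell
#!/bin/sh
# Added example (not from the LTP test or the thread): the policy rule the
# discussion settles on, plus a checker for the IMA measurement list.

# Always name template=ima-buf so the key contents are recorded even on
# kernels v5.6..v5.10, which lack dea87d0889dd and would otherwise use the
# default ima-ng template for KEY_CHECK.
ima_key_policy_rule()
{
	echo "measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf"
}

# Constructed sample of /sys/kernel/security/ima/ascii_runtime_measurements
# lines (hashes and key bytes are placeholders, not real values).
# Field layout: PCR template-hash template-name d-ng n-ng [buf]
SAMPLE_MEASUREMENTS='10 1111111111111111111111111111111111111111 ima-ng sha256:2222 boot_aggregate
10 3333333333333333333333333333333333333333 ima-buf sha256:4444 .ima 308203aa
10 5555555555555555555555555555555555555555 ima-ng sha256:6666 .evm'

# Print "<keyring> <template>" for every entry whose n-ng field names one of
# the keyrings listed in $1 (separated by "|"). Stdin is the measurement list.
key_entries()
{
	awk -v keyrings="$1" '
	BEGIN { n = split(keyrings, k, "|"); for (i = 1; i <= n; i++) want[k[i]] = 1 }
	($5 in want) { print $5, $3 }'
}

# Count keyring entries recorded with ima-buf (key material present) and
# those recorded with any other template (no key contents, so the measured
# key cannot be verified against the list). Output: "ok bad".
count_key_measurements()
{
	key_entries "$1" | awk '
	$2 == "ima-buf" { ok++ }
	$2 != "ima-buf" { bad++ }
	END { printf "%d %d\n", ok + 0, bad + 0 }'
}

# Usage on the constructed sample; on a real system pipe the securityfs
# file through count_key_measurements instead:
# printf '%s\n' "$SAMPLE_MEASUREMENTS" | count_key_measurements ".ima|.evm"
# -> "1 1": the .ima key was measured with ima-buf, the .evm one was not.
```

A non-zero second number is the symptom the thread describes: the keyring was measured, but with ima-ng, so the entry holds only a hash and the test cannot compare the key bytes.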