Thread (47 messages, 4 authors, 2021-08-05)

Re: [RFC][PATCH v2 06/12] diglim: Interfaces - digest_list_add, digest_list_del

From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2021-08-02 15:01:38
Also in: linux-doc, linux-kselftest, linux-security-module, lkml

On Mon, 2021-08-02 at 08:14 +0000, Roberto Sassu wrote:
> > From: Roberto Sassu [mailto:roberto.sassu@huawei.com]
> > Sent: Friday, July 30, 2021 4:25 PM
> > > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > > Sent: Friday, July 30, 2021 4:03 PM
> > > Hi Roberto,
> > >
> > > On Fri, 2021-07-30 at 13:16 +0000, Roberto Sassu wrote:
> > > > > From: Mimi Zohar [mailto:zohar@linux.ibm.com]
> > > > > Sent: Friday, July 30, 2021 2:40 PM
> > > > >
> > > > > "critical data", in this context, should probably be used for verifying
> > > > > the in-memory file digests and other state information haven't been
> > > > > compromised.
> > > >
> > > > Actually, this is what we are doing currently. To keep the
> > > > implementation simple, once the file or the buffer is uploaded
> > > > to the kernel, they will not be modified, just accessed through
> > > > the indexes.
> > >
> > > My main concern about digest lists is their integrity, from loading the
> > > digest lists to their being stored in memory.  A while back, there was
> > > some work on defining a write-once memory allocator.  I don't recall
> > > whatever happened to it.  This would be a perfect use case for that
> > > memory allocator.
> >
> > Adding Igor in CC.
> >
> > Regarding loading, everything uploaded to the kernel is carefully
> > evaluated. This should not be a concern. Regarding making them
> > read-only, probably if you can subvert digest lists you can also
> > remove the read-only protection (unless you use a hypervisor).
>
> I briefly talked with Igor. He also agreed with that, and added that
> it could make it more difficult for an attacker to also disable the
> protection. However, he is not planning to submit an update soon,
> so I wouldn't consider this an option for now.
Hi Roberto, Greg,

As long as others understand and agree to the risk, the IMA details can
be worked out.

thanks,

Mimi
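The point argued in the quoted exchange, that a digest list which is only read after upload can be sealed read-only, but that sealing is no barrier to an attacker who already runs at the loader's privilege, can be shown in a user-space model. The following is an added example written for this page; it is not DIGLIM code, not the write-once allocator Mimi refers to, and not code from anyone in the thread. The on-disk and in-memory layouts (a header with hash-bucket heads, chain links, then raw SHA-256-sized digests), the function names, and the three-entry digest list are all constructed for illustration; mprotect(2) stands in for whatever page-protection mechanism a kernel would use.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define DIGEST_LEN 32        /* SHA-256 sized entries (contents constructed) */
#define DL_NBUCKETS 64       /* hypothetical index layout, not DIGLIM's */

/* Sealed mapping layout: header, then per-entry chain links, then digests.
 * Keeping the index inside the same mapping means sealing covers it too. */
struct dl_header {
    uint32_t count;
    int32_t  head[DL_NBUCKETS];   /* first entry per bucket, -1 = empty */
};

struct digest_list {
    uint8_t *map;                 /* page-aligned anonymous mapping */
    size_t   map_len;
};

static struct dl_header *dl_hdr(const struct digest_list *dl) { return (struct dl_header *)dl->map; }
static int32_t *dl_next(const struct digest_list *dl) { return (int32_t *)(dl->map + sizeof(struct dl_header)); }
static uint8_t *dl_digest(const struct digest_list *dl, uint32_t i)
{
    return dl->map + sizeof(struct dl_header) + dl_hdr(dl)->count * sizeof(int32_t) + (size_t)i * DIGEST_LEN;
}
static unsigned dl_bucket(const uint8_t *d) { return d[0] & (DL_NBUCKETS - 1); }

void digest_list_free(struct digest_list *dl)
{
    if (!dl) return;
    if (dl->map && dl->map != MAP_FAILED) munmap(dl->map, dl->map_len);
    free(dl);
}

/* Copy a raw list (count * DIGEST_LEN bytes) into a fresh mapping, build the
 * bucket index, then drop write permission: from here on the list is only read. */
struct digest_list *digest_list_load(const uint8_t *raw, size_t raw_len)
{
    uint32_t count = (uint32_t)(raw_len / DIGEST_LEN);
    size_t need = sizeof(struct dl_header) + count * sizeof(int32_t) + (size_t)count * DIGEST_LEN;
    long page = sysconf(_SC_PAGESIZE);
    struct digest_list *dl = calloc(1, sizeof *dl);
    if (!dl || page <= 0) { free(dl); return NULL; }
    dl->map_len = ((need + (size_t)page - 1) / (size_t)page) * (size_t)page;
    dl->map = mmap(NULL, dl->map_len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (dl->map == MAP_FAILED) { free(dl); return NULL; }

    struct dl_header *h = dl_hdr(dl);
    h->count = count;
    for (int b = 0; b < DL_NBUCKETS; b++) h->head[b] = -1;
    int32_t *next = dl_next(dl);
    for (uint32_t i = 0; i < count; i++) {
        memcpy(dl_digest(dl, i), raw + (size_t)i * DIGEST_LEN, DIGEST_LEN);
        unsigned b = dl_bucket(dl_digest(dl, i));
        next[i] = h->head[b];          /* push onto the bucket's chain */
        h->head[b] = (int32_t)i;
    }
    if (mprotect(dl->map, dl->map_len, PROT_READ) != 0) { digest_list_free(dl); return NULL; }
    return dl;
}

/* Read-only access path: walk the bucket chain, compare full digests. */
int digest_list_lookup(const struct digest_list *dl, const uint8_t *d)
{
    const struct dl_header *h = dl_hdr(dl);
    const int32_t *next = dl_next(dl);
    for (int32_t i = h->head[dl_bucket(d)]; i >= 0; i = next[i])
        if (memcmp(dl_digest(dl, (uint32_t)i), d, DIGEST_LEN) == 0)
            return 1;
    return 0;
}

static sigjmp_buf fault_jmp;
static void on_segv(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Attempt to tamper with entry 0. Returns 1 if the MMU refused the store
 * (SIGSEGV caught and recovered from), 0 if the write landed. */
int digest_list_write_blocked(struct digest_list *dl)
{
    struct sigaction sa, old;
    volatile int blocked = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_jmp, 1) == 0)
        dl_digest(dl, 0)[0] ^= 0xff;   /* the attacker's write */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* The limitation: code at the loader's own privilege just flips the pages
 * back to writable. Only a higher privilege level (e.g. a hypervisor) could
 * refuse this. */
int digest_list_unseal(struct digest_list *dl)
{
    return mprotect(dl->map, dl->map_len, PROT_READ | PROT_WRITE);
}

/* End-to-end scenario; returns 0 if every step behaved as described,
 * otherwise the number of the first step that did not. */
int digest_list_selftest(void)
{
    uint8_t raw[3 * DIGEST_LEN];         /* constructed digests, not real file hashes */
    for (size_t i = 0; i < sizeof raw; i++) raw[i] = (uint8_t)(i * 7 + i / DIGEST_LEN);
    uint8_t absent[DIGEST_LEN];
    memset(absent, 0xaa, sizeof absent);

    struct digest_list *dl = digest_list_load(raw, sizeof raw);
    if (!dl) return 1;
    int rc = 0;
    if (!digest_list_lookup(dl, raw + DIGEST_LEN)) rc = 2;   /* uploaded entry is found */
    else if (digest_list_lookup(dl, absent)) rc = 3;         /* unknown digest rejected */
    else if (!digest_list_write_blocked(dl)) rc = 4;         /* sealed: tamper faults */
    else if (digest_list_unseal(dl) != 0) rc = 5;            /* same-privilege unseal */
    else if (digest_list_write_blocked(dl)) rc = 6;          /* unsealed: tamper lands */
    else if (digest_list_lookup(dl, raw)) rc = 7;            /* entry 0 no longer matches */
    digest_list_free(dl);
    return rc;
}

int main(void)
{
    int rc = digest_list_selftest();
    if (rc == 0)
        printf("sealed digest list behaved as expected; unseal from same privilege succeeded\n");
    else
        printf("step %d did not behave as expected\n", rc);
    return rc;
}
```

Steps 4 through 7 of the self-test are the argument in code: while sealed, the stray store is refused by the MMU, but a single mprotect call from the same privilege level reopens the mapping and the following write silently corrupts entry 0, so a later lookup of that digest fails. Raising the cost of that unseal, rather than making it impossible, is what an in-kernel write-once allocator buys without a hypervisor.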