Re: [PATCH v2] ima: export the measurement list when needed
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-01-22 15:56:29
Also in: linux-integrity
Hi Janne,

On Fri, 2020-01-10 at 10:48 +0200, Janne Karhunen wrote:
> On Wed, Jan 8, 2020 at 1:18 PM Janne Karhunen [off-list ref] wrote:
> >
> > Some systems can end up carrying lots of entries in the ima measurement
> > list. Since every entry is using a bit of kernel memory, allow the
> > sysadmin to export the measurement list to the filesystem to free up
> > some memory.
>
> Hopefully this addresses comments from everyone. The flush event can now
> be triggered by the admin anytime, and unique file names can be used for
> each flush (log.1, log.2, ...), so getting to the correct item should be
> easy.
>
> It can now be argued that, since this is an admin-driven event, the kernel
> does not need to write the file. However, the intention is to bring out a
> second patch a bit later that adds a variable to define the max number of
> entries to be kept in kernel memory, and workqueue-based automatic
> flushing. In those cases the kernel has to be able to write the file
> without any help from the admin.
I don't think it is common, and probably not acceptable, for the kernel to
open a file for writing.

As exporting the binary measurement list should be the equivalent of
displaying the binary measurement list and redirecting the output to a
file, the same mechanism used for displaying the binary measurement list
should be re-used for exporting it. Just as carrying the measurement list
across kexec re-uses the same method.

Mimi
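The point of the reply is that an export should be the same bytes userspace already gets by reading the securityfs binary measurement list and redirecting it to a file. What follows is an added example, not code from the patch, from this thread or from the kernel, of what a consumer of such an exported file does with it: it parses the record layout that ima_measurements_show() writes for the `ima-ng` template (u32 PCR, 20-byte SHA1 template digest, u32 name length, template name, u32 template data length, then u32-length-prefixed fields), rechecks every template digest, and replays the PCR extend sequence so the result can be compared against PCR 10. It assumes host byte order on a little-endian machine (not ima_canonical_fmt); the sample records, the file paths and the helper names are constructed for the example.

```python
"""Parse and verify an exported IMA binary measurement list (ima-ng).

Added example, not kernel or patch code. Assumes the ima-ng record layout
of ima_measurements_show() in little-endian host byte order. The sample
records below are constructed, not taken from a real system.
"""
import hashlib
import struct

PCR_SIZE = 20  # size of the SHA1 template digest and of the replayed PCR


def build_ima_ng_record(pcr, algo, file_digest, path, violation=False):
    """Serialize one ima-ng record (used only to construct sample data)."""
    d_ng = algo.encode() + b":\x00" + file_digest   # "sha256:\0" + digest
    n_ng = path.encode() + b"\x00"                  # path including its NUL
    template_data = (struct.pack("<I", len(d_ng)) + d_ng
                     + struct.pack("<I", len(n_ng)) + n_ng)
    # A violation is logged with an all-zero template digest.
    template_digest = (b"\x00" * PCR_SIZE if violation
                       else hashlib.sha1(template_data).digest())
    name = b"ima-ng"
    return (struct.pack("<I", pcr) + template_digest
            + struct.pack("<I", len(name)) + name
            + struct.pack("<I", len(template_data)) + template_data)


def parse_measurement_list(blob):
    """Yield (pcr, template_digest, template_name, template_data) records."""
    off = 0
    while off < len(blob):
        pcr, = struct.unpack_from("<I", blob, off)
        off += 4
        template_digest = blob[off:off + PCR_SIZE]
        off += PCR_SIZE
        namelen, = struct.unpack_from("<I", blob, off)
        off += 4
        name = blob[off:off + namelen].decode()
        off += namelen
        if name == "ima":  # legacy template has no length fields; not handled
            raise ValueError("legacy 'ima' template not supported here")
        datalen, = struct.unpack_from("<I", blob, off)
        off += 4
        template_data = blob[off:off + datalen]
        if len(template_data) != datalen:
            raise ValueError("truncated record at offset %d" % off)
        off += datalen
        yield pcr, template_digest, name, template_data


def split_fields(template_data):
    """Split template data into its u32-length-prefixed fields."""
    fields, off = [], 0
    while off < len(template_data):
        flen, = struct.unpack_from("<I", template_data, off)
        off += 4
        fields.append(template_data[off:off + flen])
        off += flen
    return fields


def verify_and_replay(blob):
    """Check each template digest and replay the PCR extend sequence.

    Returns (records, pcrs). pcrs maps a PCR index to the value it should
    hold after these entries, starting from all zeros; a violation entry is
    replayed with 0xff bytes, as the kernel does, so its zero log digest
    can never reproduce the PCR. Raises ValueError on a bad digest.
    """
    pcrs, records = {}, []
    for pcr, tdigest, name, tdata in parse_measurement_list(blob):
        violation = tdigest == b"\x00" * PCR_SIZE
        if not violation and hashlib.sha1(tdata).digest() != tdigest:
            raise ValueError("template digest mismatch in %s record" % name)
        extend = b"\xff" * PCR_SIZE if violation else tdigest
        old = pcrs.get(pcr, b"\x00" * PCR_SIZE)
        pcrs[pcr] = hashlib.sha1(old + extend).digest()
        rec = {"pcr": pcr, "template": name, "violation": violation}
        if name == "ima-ng":
            d_ng, n_ng = split_fields(tdata)
            algo, _, digest = d_ng.partition(b":\x00")
            rec.update(algo=algo.decode(), file_digest=digest.hex(),
                       path=n_ng.rstrip(b"\x00").decode())
        records.append(rec)
    return records, pcrs


def is_valid(blob):
    """True when the list parses and every template digest checks out."""
    try:
        verify_and_replay(blob)
        return True
    except ValueError:
        return False


# Constructed sample: two ordinary ima-ng entries and one violation entry.
SAMPLE_BLOB = (
    build_ima_ng_record(10, "sha256", hashlib.sha256(b"#!/bin/sh\n").digest(),
                        "/usr/bin/example")
    + build_ima_ng_record(10, "sha256", hashlib.sha256(b"\x7fELF").digest(),
                          "/usr/lib/libexample.so")
    + build_ima_ng_record(10, "sha1", b"", "/tmp/open-writers", violation=True)
)
# Same list with one byte of the first path flipped: the digest check fails.
_t = bytearray(SAMPLE_BLOB)
_t[SAMPLE_BLOB.index(b"/usr/bin")] ^= 0x01
TAMPERED_BLOB = bytes(_t)

if __name__ == "__main__":
    recs, pcr_values = verify_and_replay(SAMPLE_BLOB)
    for r in recs:
        print(r)
    print("replayed PCR 10:", pcr_values[10].hex())
    print("tampered list valid?", is_valid(TAMPERED_BLOB))
```

On a live system the same function takes the bytes that `cat /sys/kernel/security/ima/binary_runtime_measurements > log.1` saved; the replayed value is then compared with the TPM's PCR 10. Because the replay depends only on record order, a list that was exported in several pieces is verified by concatenating the pieces in export order.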