Re: [PATCH v2] ima: export the measurement list when needed
From: Mimi Zohar <zohar@linux.ibm.com>
Date: 2020-02-13 01:03:26
Also in:
linux-fsdevel, linux-integrity
On Wed, 2020-02-12 at 16:08 -0500, david.safford@gmail.com wrote:
> On Tue, 2020-02-11 at 18:10 -0500, Mimi Zohar wrote:
> > On Tue, 2020-02-11 at 11:10 -0500, david.safford@gmail.com wrote:
> >
> > <snip>
> >
> > This new feature will require setting up some infrastructure for storing the partial measurement list(s) in order to validate a TPM quote. Userspace already can save partial measurement list(s) without any kernel changes. The entire measurement list does not need to be read each time. lseek can read past the last record previously read. The only new aspect is truncating the in-kernel measurement list in order to free kernel memory.
>
> This is a pretty important new feature. A lot of people can't use IMA because of the memory issue. Also, I really think we need to let administrators choose the tradeoffs of keeping the list in memory, on a local file, or only on the attestation server, as best fits their use cases.
Dave, I understand that some use cases require the ability of truncating the measurement list. We're discussing how to truncate the measurement list. For example, in addition to the existing securityfs binary_runtime_measurements file, we could define a new securityfs file indicating the number of records to delete.
> > <snip>
> >
> > Until there is proof that the measurement list can be exported to a file before kexec, instead of carrying the measurement list across kexec, and a TPM quote can be validated after the kexec, there isn't a compelling reason for the kernel needing to truncate the measurement list.
>
> If this approach doesn't work with all the kexec use cases, then it is useless, and the ball is in my court to prove that it does. Fortunately I have to test that anyway for the coming TLV support. Working on it...
Testing could be done independently of the TLV support. To verify that you aren't losing any measurements, boot with a measurement policy like "ima_policy=tcb" on the boot command line.

thanks,

Mimi
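As an added illustration of the userspace side discussed in the thread (this is example code, not code from the thread, the patch, or the IMA project), the sketch below parses records in the layout of securityfs binary_runtime_measurements, resumes from a saved offset so only records past the last one previously read are consumed, recomputes each record's template digest from its fields, and replays the PCR extend sequence that an attestation server would compare against a TPM quote. Assumptions: native-endian u32 headers (ima_canonical_fmt not set), the "ima-ng" template with d-ng and n-ng fields, a SHA1 PCR bank, and violation entries recorded with an all-zero template digest but extended into the TPM as 0xff bytes; the legacy "ima" template is deliberately rejected rather than parsed. The sample records are constructed here, not captured from a real system.

```python
import hashlib
import struct
from typing import List, NamedTuple, Tuple

# Assumption: native byte order, as written by ima_fs.c when ima_canonical_fmt is off.
U32 = struct.Struct("=I")
TPM_DIGEST_SIZE = 20          # SHA1 bank
ZERO_DIGEST = bytes(TPM_DIGEST_SIZE)
VIOLATION_EXTEND = b"\xff" * TPM_DIGEST_SIZE


class Record(NamedTuple):
    pcr: int
    template_digest: bytes
    template_name: str
    fields: List[bytes]       # raw field data in template order (d-ng, n-ng)


def _take(buf: bytes, off: int, n: int) -> Tuple[bytes, int]:
    if off + n > len(buf):
        raise ValueError("truncated record at offset %d" % off)
    return buf[off:off + n], off + n


def parse_records(buf: bytes, off: int = 0) -> Tuple[List[Record], int]:
    """Parse complete records starting at `off`; return (records, next_off).

    A trailing partial record is left unparsed, so `next_off` can be saved and
    passed to a later call: the "lseek past the last record" pattern."""
    out: List[Record] = []
    while off < len(buf):
        start = off
        try:
            raw, off = _take(buf, off, 4); pcr = U32.unpack(raw)[0]
            tdigest, off = _take(buf, off, TPM_DIGEST_SIZE)
            raw, off = _take(buf, off, 4); nlen = U32.unpack(raw)[0]
            name, off = _take(buf, off, nlen)
            if name == b"ima":
                raise ValueError("legacy 'ima' template not handled by this example")
            raw, off = _take(buf, off, 4); dlen = U32.unpack(raw)[0]
            tdata, off = _take(buf, off, dlen)
        except ValueError:
            return out, start      # incomplete tail: resume here next time
        fields, p = [], 0
        while p < len(tdata):      # each field: u32 length, then data
            raw, p = _take(tdata, p, 4)
            fdata, p = _take(tdata, p, U32.unpack(raw)[0])
            fields.append(fdata)
        out.append(Record(pcr, tdigest, name.decode(), fields))
    return out, off


def template_digest(fields: List[bytes]) -> bytes:
    """SHA1 over (u32 len || data) for each field, as stored for non-'ima' templates."""
    h = hashlib.sha1()
    for f in fields:
        h.update(U32.pack(len(f))); h.update(f)
    return h.digest()


def verify(records: List[Record]) -> List[str]:
    """Return the paths of records whose stored template digest does not match their fields."""
    bad = []
    for r in records:
        if r.template_digest == ZERO_DIGEST:     # violation entry: nothing to recompute
            continue
        if template_digest(r.fields) != r.template_digest:
            bad.append(r.fields[1].rstrip(b"\0").decode())
    return bad


def replay_pcr(records: List[Record], pcr_index: int = 10) -> bytes:
    """Replay the extend sequence for one PCR from the (possibly partial) list."""
    pcr = ZERO_DIGEST
    for r in records:
        if r.pcr != pcr_index:
            continue
        d = VIOLATION_EXTEND if r.template_digest == ZERO_DIGEST else r.template_digest
        pcr = hashlib.sha1(pcr + d).digest()
    return pcr


def read_new_records(path: str, saved_offset: int) -> Tuple[List[Record], int]:
    """Live variant: seek past what was already saved and parse only new records."""
    with open(path, "rb") as f:
        f.seek(saved_offset)
        recs, consumed = parse_records(f.read())
    return recs, saved_offset + consumed


def make_ima_ng(pcr: int, algo: str, file_digest: bytes, path: str, violation: bool = False) -> bytes:
    """Constructed sample record (ima-ng layout); not captured from a real system."""
    fields = [algo.encode() + b":\0" + file_digest, path.encode() + b"\0"]
    tdata = b"".join(U32.pack(len(f)) + f for f in fields)
    tdig = ZERO_DIGEST if violation else template_digest(fields)
    name = b"ima-ng"
    return U32.pack(pcr) + tdig + U32.pack(len(name)) + name + U32.pack(len(tdata)) + tdata


# Constructed sample list: boot_aggregate, one file, one open-writers violation.
SAMPLE = b"".join([
    make_ima_ng(10, "sha256", hashlib.sha256(b"boot_aggregate").digest(), "boot_aggregate"),
    make_ima_ng(10, "sha256", hashlib.sha256(b"#!/bin/sh\n").digest(), "/usr/bin/foo"),
    make_ima_ng(10, "sha256", bytes(32), "/tmp/open-writers", violation=True),
])
```

Saving `next_off` alongside the exported records is what lets the caller pick up exactly where the last export stopped; if the kernel later gains a way to truncate the in-kernel list, the same replay over the concatenated partial exports is what must still reproduce the quoted PCR value.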