List: linux-integrity
Subject: Re: [RFC V2] IMA Log Snapshotting Design Proposal
From: Ken Goldman <kgold () linux ! ibm ! com>
Date: 2023-12-20 22:13:47
Message-ID: 1c370ecf-272a-4052-8f06-4fcfd9bf08b5 () linux ! ibm ! com
I'm still struggling with the "new root of trust" concept.
Something - a user space agent, a third party, etc. - has to
retain the entire log from event 0, because a new verifier
needs all measurements.
Therefore, the snapshot aggregate seems redundant. It has to
be verified to match the snapshotted events.
A redundancy is an attack surface. A badly written verifier
might not do that verification, and this permits snapshotted
events to be forged. No aggregate means the verifier can't
make a mistake.
On 11/22/2023 9:22 AM, Paul Moore wrote:
> I believe the intent is to only pause the measurements while the
> snapshot_aggregate is generated, not for the duration of the entire
> snapshot process. The purpose of the snapshot_aggregate is to
> establish a new root of trust, similar to the boot_aggregate, to help
> improve attestation performance.
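The verification mistake Ken describes above, modelled as an added example (not code from the IMA project or the RFC, and not part of the original message). It assumes a SHA-256 PCR bank, models each IMA event as its template hash, and models the snapshot_aggregate as the PCR running value after the last snapshotted event; the real record format in the proposal may differ. All event data is constructed inline.

```python
import hashlib

# SHA-256 PCR bank: a PCR starts as 32 zero bytes (assumption: PCR 10 style use).
ZERO_PCR = bytes(32)


def template_hash(path: str, file_digest: bytes) -> bytes:
    """Stand-in for an IMA template hash; constructed for this example only."""
    return hashlib.sha256(path.encode() + b"\0" + file_digest).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend on the SHA-256 bank: PCR' = H(PCR || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events, start: bytes = ZERO_PCR) -> bytes:
    """Replay a list of event digests into a PCR value."""
    pcr = start
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr


def verify_full_log(events, quoted_pcr: bytes) -> bool:
    """No-aggregate verifier: replay every event from event 0 and compare
    against the quoted PCR. There is no aggregate to get wrong."""
    return replay(events) == quoted_pcr


def verify_careless(snapshotted, snapshot_aggregate: bytes, new_events,
                    quoted_pcr: bytes) -> bool:
    """The badly written verifier: treats snapshot_aggregate as a new root of
    trust and never checks it against the snapshotted events it was handed."""
    del snapshotted  # never looked at: this is the bug
    return replay(new_events, start=snapshot_aggregate) == quoted_pcr


def verify_careful(snapshotted, snapshot_aggregate: bytes, new_events,
                   quoted_pcr: bytes) -> bool:
    """Correct verifier: the aggregate is only trusted after it has been
    recomputed from the snapshotted events, then the tail is replayed."""
    if replay(snapshotted) != snapshot_aggregate:
        return False
    return replay(new_events, start=snapshot_aggregate) == quoted_pcr


# Constructed sample data: three measured files before the snapshot, one after.
GENUINE = [template_hash(p, hashlib.sha256(p.encode()).digest())
           for p in ("/usr/bin/bash", "/usr/lib/libc.so.6", "/etc/ld.so.cache")]
SNAPSHOT_AGG = replay(GENUINE)          # aggregate recorded at snapshot time
NEW_EVENTS = [template_hash("/usr/sbin/sshd",
                            hashlib.sha256(b"/usr/sbin/sshd").digest())]
QUOTED_PCR = replay(GENUINE + NEW_EVENTS)  # what the TPM quote would report

# An attacker rewrites the retained (snapshotted) part of the log: the
# digest for /usr/bin/bash now covers a different file.
FORGED = [template_hash("/usr/bin/bash",
                        hashlib.sha256(b"trojaned bash").digest())] + GENUINE[1:]


if __name__ == "__main__":
    print("full log, genuine  :", verify_full_log(GENUINE + NEW_EVENTS, QUOTED_PCR))
    print("full log, forged   :", verify_full_log(FORGED + NEW_EVENTS, QUOTED_PCR))
    print("careless, forged   :", verify_careless(FORGED, SNAPSHOT_AGG, NEW_EVENTS, QUOTED_PCR))
    print("careful, forged    :", verify_careful(FORGED, SNAPSHOT_AGG, NEW_EVENTS, QUOTED_PCR))
```

The careless verifier accepts the forged snapshotted events because the quoted PCR only ever binds the aggregate plus the tail; nothing forces it to tie the aggregate back to the events it claims to summarise. The careful verifier recomputes the aggregate from the retained events and so rejects the forgery, but that recomputation is exactly the replay the no-aggregate verifier does anyway.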