[prev in list] [next in list] [prev in thread] [next in thread] 

List:       linux-keyrings
Subject:    Re: [PATCH] IMA: Defined timer to process queued keys
From:       Mimi Zohar <zohar () linux ! ibm ! com>
Date:       2019-12-21 23:40:36
Message-ID: 1576971636.5241.95.camel () linux ! ibm ! com
[Download RAW message or body]

On Fri, 2019-12-20 at 17:52 -0800, Lakshmi Ramasubramanian wrote:
> keys queued for measurement should still be processed even if
> a custom IMA policy was not loaded. Otherwise, the keys will
> remain queued forever consuming kernel memory.
> 
> This patch defines a timer to handle the above scenario. The timer
> is setup to expire 5 minutes after IMA initialization is completed.
> 
> If a custom IMA policy is loaded before the timer expires, the timer
> is removed and any queued keys are processed. But if a custom policy
> was not loaded, on timer expiration any queued keys are processed.
> 
> On timer expiration the keys are still processed. This will enable
> keys to be measured in case the built-in IMA policy defines a key
> measurement rule.

If there was a built-in policy rule for measuring the early boot keys,
then there wouldn't be a need for queueing the "key" measurements.
  Just free the queued keys.

Mimi

[prev in list] [next in list] [prev in thread] [next in thread]