[LTP] [PATCH v2] IMA: Allow only ima-buf template for key measurement
Lakshmi Ramasubramanian
nramas@linux.microsoft.com
Tue Mar 16 19:50:41 CET 2021
On 3/16/21 10:21 AM, Petr Vorel wrote:
Hi Petr,
>
>>> Just a double check does it always work without template=ima-buf for all kernel versions?
>>> Or only for kernels with dea87d0889dd ("ima: select ima-buf template for buffer measurement")
>>> i.e. v5.11-rc1 or backport?
>> The above change is required. Prior to this change, template has to be
>> specified in the policy, otherwise the default template would be used.
> The default template is ima-ng, right?
Yes: ima-ng is the default template.
> From what you write I understand that "measure func=KEY_CHECK
> keyrings=.ima|.evm" will work only on newer kernel, thus we should always use
> template=ima-buf as the policy example so that it's working also on that few
> kernels between <v5.6,v5.10> (which have IMA key functionality, but not
> dea87d0889dd), right?
Yes: In the kernels between v5.6 and v5.10, ima-buf template needs to be
specified in the policy for KEY_CHECK.
>
> But we should mention that in the README.md.
>
Agreed - will update the README.md
thanks,
-lakshmi
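
The version rule agreed in this thread, written as a policy check. This is an added example, not code from the thread or from LTP. The function names, verdict strings and sample policy are constructed for illustration, and flagging any template other than ima-buf is an assumption based on the patch subject.

```python
import re

# Version boundaries taken from the thread: KEY_CHECK exists from v5.6,
# and from v5.11 the kernel selects ima-buf for buffer measurements itself.
KEY_CHECK_MIN = (5, 6)
AUTO_IMA_BUF_MIN = (5, 11)

def kernel_tuple(release):
    """Turn a release string such as '5.10.0-rc3' into (5, 10)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return int(m.group(1)), int(m.group(2))

def check_key_rule(rule, release):
    """Classify one IMA policy line for key measurement on a given kernel."""
    fields = rule.split("#", 1)[0].split()
    if not fields or fields[0] != "measure" or "func=KEY_CHECK" not in fields:
        return "not-a-key-rule"
    version = kernel_tuple(release)
    if version < KEY_CHECK_MIN:
        return "unsupported-kernel"
    templates = [f.split("=", 1)[1] for f in fields if f.startswith("template=")]
    if templates:
        return "ok" if templates == ["ima-buf"] else "wrong-template"
    # No template= option: only safe where the kernel picks ima-buf itself;
    # on v5.6..v5.10 the default template (ima-ng) would be used instead.
    return "ok" if version >= AUTO_IMA_BUF_MIN else "missing-template"

def audit_policy(text, release):
    """Return (line_number, rule, verdict) for each KEY_CHECK rule that is not ok."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        verdict = check_key_rule(line, release)
        if verdict not in ("ok", "not-a-key-rule"):
            findings.append((number, line.strip(), verdict))
    return findings

# Constructed sample policy, not taken from LTP.
SAMPLE_POLICY = """\
# key measurement rules
measure func=KEY_CHECK keyrings=.ima|.evm
measure func=KEY_CHECK keyrings=.ima|.evm template=ima-buf
measure func=KEY_CHECK keyrings=.builtin_trusted_keys template=ima-ng
measure func=BPRM_CHECK
"""

if __name__ == "__main__":
    for release in ("5.4.0", "5.8.0", "5.11.0"):
        print(release, audit_policy(SAMPLE_POLICY, release))
```
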