[LTP] [PATCH v2] IMA: Allow only ima-buf template for key measurement

Petr Vorel pvorel@suse.cz
Wed Mar 17 21:37:27 CET 2021


Hi Lakshmi,

> > > > Just a double check does it always work without template=ima-buf for all kernel versions?
> > > > Or only for kernels with dea87d0889dd ("ima: select ima-buf template for buffer measurement")
> > > > i.e. v5.11-rc1 or backport?
> > > The above change is required. Prior to this change, template has to be
> > > specified in the policy, otherwise the default template would be used.
> > The default template is ima-ng, right?
> Yes: ima-ng is the default template.

> > From what you write I understand that "measure func=KEY_CHECK
> > keyrings=.ima|.evm" will work only on newer kernels, thus we should always use
> > template=ima-buf as the policy example so that it's working also on those few
> > kernels between <v5.6,v5.10> (which have IMA key functionality, but not
> > dea87d0889dd), right?
> Yes: In the kernels between v5.6 and v5.10, ima-buf template needs to be
> specified in the policy for KEY_CHECK.

OK, thus your original version - i.e. don't require template=ima-buf,
but keep it in policy example is the best approach.

> > But we should mention that in the README.md.

> Agreed - will update the README.md
Thanks!

Kind regards,
Petr

> thanks,
>  -lakshmi
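
The kernel-version dependence settled in this thread, as an added shell example that is not part of the original message or of LTP. The helper name `check_key_rule` and its verdict words are hypothetical, and it assumes the kernel carries no backport of dea87d0889dd.

```shell
#!/bin/sh
# Added example: verdict for an IMA policy rule on a given kernel version.
# Thresholds come from the thread: KEY_CHECK exists from v5.6, and from
# v5.11-rc1 (commit dea87d0889dd) ima-buf is selected automatically.
# Assumption: the kernel carries no backport of dea87d0889dd, which a
# version string cannot reveal.

# check_key_rule KERNEL_VERSION RULE  (hypothetical helper)
check_key_rule() {
    ver=${1#v}
    rule=$2
    case " $rule " in
        *" func=KEY_CHECK "*) ;;
        *) echo not-key-rule; return 0 ;;
    esac

    # Pick up the template= option, if the rule has one.
    tmpl=
    for word in $rule; do
        case $word in template=*) tmpl=${word#template=} ;; esac
    done

    # "5.11-rc1" -> major 5, minor 11
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%[!0-9]*}

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 6 ]; }; then
        echo unsupported          # no IMA key measurement before v5.6
    elif [ -n "$tmpl" ] && [ "$tmpl" != ima-buf ]; then
        echo wrong-template       # key measurement takes only ima-buf
    elif [ "$tmpl" = ima-buf ]; then
        echo ok
    elif [ "$major" -gt 5 ] || [ "$minor" -ge 11 ]; then
        echo ok                   # kernel selects ima-buf itself
    else
        echo needs-template       # v5.6..v5.10: default ima-ng would be used
    fi
}

# Constructed sample run over the policy line quoted in the thread.
for v in 5.4.0 5.8.0 5.10.20 5.11-rc1; do
    printf '%-9s %s\n' "$v" \
        "$(check_key_rule "$v" 'measure func=KEY_CHECK keyrings=.ima|.evm')"
done
```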

