[RFC] IMA Log Snapshotting Design Proposal
Mimi Zohar
zohar at linux.ibm.com
Mon Aug 14 15:02:23 PDT 2023
On Mon, 2023-08-14 at 14:42 -0700, Sush Shringarputale wrote:
> > This design seems overly complex and requires synchronization between
> > the "snapshot" record and exporting the records from the measurement
> > list. None of this would be necessary if the measurements were copied
> > from kernel memory to a backing file (e.g. tmpfs), as described in [1].
> >
> > What is the real problem - kernel memory pressure, memory pressure in
> > general, or disk space? Is the intention to remove or offload the
> > exported measurements?
> The main concern is the memory pressure on both the kernel and the
> attestation client when it sends the request. The concern you bring up
> is valid and we are working on creating a prototype. There is no
> intention to remove the exported measurements.

Glad to hear that you're not intending to remove the exported
measurements.

Defining and including a new record in the measurement list measurement
is fine, if it helps with attestation and doesn't require pausing the
measurements.

--
thanks,
Mimi
More information about the kexec mailing list