Perfect - that's exactly how I have implemented it right now. Will continue to test it.
The measurement decision is not based on whether the keyring is a
trusted one or an untrusted one. As long as the IMA policy allows
(through the "keyrings=" option) the key will be measured.
We should be able to measure all keys being loaded onto any keyring or
onto a specific "keyring=". This shouldn't be any different than any
other policy rule. Once you have this basic feature working, you
would address loading keys during early boot.
Thank you.
Do you want only trusted keyrings to be allowed in the measurement?
In my opinion, that decision should be deferred to whoever is setting up
the IMA policy.
Right, but it shouldn't be limited to just "trusted" keyrings. This
way you can first test loading keys onto any keyring.
Queuing the keys should be independent of measuring the keys.
Initially you would start with just measuring the key. From a high
level it would look like:
ima_post_key_create_or_update(...)
{
        "measure key based on policy(key, keyring, ...)"
}
This requires the IMA "keyring=" policy option support be defined
first.
Subsequently you would add key queuing support, and then update
ima_post_key_create_or_update(). It would look like:
ima_post_key_create_or_update(...)
{
        if (custom policy is loaded)
                "measure key based on policy(key, keyring, ...)"
        else
                "queue key(key, keyring)"
}
Mimi
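The two-stage flow sketched above (measure when a custom policy is loaded, otherwise queue), as an added userspace model that is not kernel code and not part of the patch series being discussed. The '|'-separated "keyrings=" syntax, the queue size, and the sample keyring names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <string.h>
#define MAX_QUEUE 16
/* Constructed model state, not kernel data structures. */
static bool custom_policy_loaded = false;
static const char *policy_keyrings = "";   /* "keyrings=" value, e.g. ".ima|.evm" */
static char queue[MAX_QUEUE][32];          /* keyring names of keys queued pre-policy */
static int queue_len = 0, measured = 0;

int measured_count(void) { return measured; }
int queued_count(void)   { return queue_len; }
/* Does the "keyrings=" list (assumed '|'-separated) name this keyring? */
bool policy_matches_keyring(const char *list, const char *keyring)
{
    size_t n = strlen(keyring);
    for (const char *p = list; *p; p++) {
        const char *end = strchr(p, '|');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, keyring, n) == 0)
            return true;
        if (!end)
            break;
        p = end;                        /* loop increment skips the '|' */
    }
    return false;
}

/* Model of ima_post_key_create_or_update(): measure now, or queue for later. */
void post_key_create_or_update(const char *keyring)
{
    if (custom_policy_loaded) {          /* "measure key based on policy" */
        if (policy_matches_keyring(policy_keyrings, keyring))
            measured++;
    } else if (queue_len < MAX_QUEUE) {  /* "queue key(key, keyring)" */
        strncpy(queue[queue_len], keyring, sizeof queue[0] - 1);
        queue[queue_len][sizeof queue[0] - 1] = '\0';
        queue_len++;
    }                                    /* on overflow the key is silently dropped */
}

/* Custom policy arrives: run the queued keys through its "keyrings=" rule. */
void load_custom_policy(const char *keyrings)
{
    policy_keyrings = keyrings;
    custom_policy_loaded = true;
    for (int i = 0; i < queue_len; i++)
        if (policy_matches_keyring(policy_keyrings, queue[i]))
            measured++;
    queue_len = 0;
}
```

The queue bound makes the early-boot caveat visible: keys loaded before the policy arrives are only measured if the queue has not filled, so a real implementation needs to account for that limit.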