I think it is better to set a flag, maybe a new one, directly in EVM, to notify the integrity subsystem that iint->evm_status is no longer valid.
If the EVM flag is set, IMA would reset the appraisal flags, as it uses iint->evm_status for appraisal. We can also consider resetting the measure flags when we have a template that includes file metadata.
When would IMA read the EVM flag? Who would reset the flag? At what point would it be reset? Just as EVM shouldn't be resetting the IMA flag, IMA shouldn't be resetting the EVM flag.
IMA would read the flag in process_measurement() and behave similarly to when it processes IMA_CHANGE_ATTR. The flag would be reset by evm_verify_hmac().
Sounds good.
Mimi
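An added userspace model of the flag protocol agreed above (not kernel code, and not from any of the participants): EVM sets a stale flag when file metadata changes, IMA checks it in process_measurement() and drops its cached appraisal the way it does for IMA_CHANGE_ATTR, and only evm_verify_hmac() clears the flag. The struct layout, flag names and the `hmac_matches` stand-in are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model: names below are hypothetical, not the kernel's own. */
enum evm_status { EVM_UNKNOWN, EVM_PASS, EVM_FAIL };

#define IMA_APPRAISED      (1u << 0)  /* an appraisal verdict is cached */
#define IMA_APPRAISED_PASS (1u << 1)  /* ... and that verdict was a pass */
#define EVM_STATUS_STALE   (1u << 2)  /* set by EVM, cleared only by EVM */

struct iint {
    enum evm_status evm_status;  /* cached EVM verdict */
    unsigned int flags;
    int hmac_matches;            /* stand-in for the real HMAC comparison */
};

/* EVM side: protected metadata changed, so the cached verdict is unusable. */
void evm_note_metadata_change(struct iint *iint)
{
    iint->flags |= EVM_STATUS_STALE;
}

/* EVM side: recompute the verdict; the only place the EVM flag is reset. */
enum evm_status evm_verify_hmac(struct iint *iint)
{
    iint->evm_status = iint->hmac_matches ? EVM_PASS : EVM_FAIL;
    iint->flags &= ~EVM_STATUS_STALE;
    return iint->evm_status;
}

/* IMA side: if EVM flagged the status as stale, discard the cached appraisal
 * so the file is re-appraised through EVM instead of reusing the old verdict.
 * Returns 0 on appraisal pass, -1 on fail. */
int process_measurement(struct iint *iint)
{
    if (iint->flags & EVM_STATUS_STALE)
        iint->flags &= ~(IMA_APPRAISED | IMA_APPRAISED_PASS);

    if (!(iint->flags & IMA_APPRAISED)) {
        if (evm_verify_hmac(iint) == EVM_PASS)
            iint->flags |= IMA_APPRAISED_PASS;
        iint->flags |= IMA_APPRAISED;
    }
    return (iint->flags & IMA_APPRAISED_PASS) ? 0 : -1;
}
```

Without the EVM flag, the second call below keeps returning the cached pass even though the HMAC no longer matches; with it, the next access re-appraises and fails.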