On Fri, Jun 12, 2020 at 10:42 PM Lakshmi Ramasubramanian <nra...@linux.microsoft.com> wrote: > > The data maintained by the security modules could be tampered with by > malware. The LSM needs to periodically query the state of > the security modules and measure the data when the state is changed. > > Define a workqueue for handling this periodic query and measurement.
Won't this make it difficult/impossible to predict the IMA PCR value? Unless I missed it, you are going to end up measuring every N minutes even if there was no change and therefore constantly be extending the PCR. That will break attestation or sealing against the IMA PCR.
