Re: [PATCH 00/14] EVM

From: James Morris
Date: Thu Jun 03 2010 - 20:58:05 EST


On Tue, 1 Jun 2010, Mimi Zohar wrote:

> SELinux, Smack, Capabilities, and IMA all use extended attributes. The
> purpose of EVM is to detect offline tampering of these security extended
> attributes.

One issue mentioned to me off-list is that if EVM is only protecting
against offline attacks, why not just encrypt the entire volume?

This would provide confidentiality and integrity protection for all data
and metadata, rather than just integrity for xattr metadata.


- James
--
James Morris
<jmorris@xxxxxxxxx>
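As an added illustration of the mechanism Mimi describes (not code from the EVM patch set or the kernel), a simplified Python model of an EVM-style seal: a keyed HMAC over the security xattrs and inode metadata stored in security.evm, so that an offline edit of any protected xattr, or copying the sealed xattrs to another inode, no longer verifies. The key, the xattr sample values, the inode field set and the byte encoding are assumptions of this model, not the kernel's format.

```python
import hashlib
import hmac

# Constructed demo key; the real EVM key lives in the kernel keyring.
EVM_KEY = b"constructed-demo-key-not-a-real-evm-key"

# The xattrs of the users listed in the quoted message (SELinux, Smack,
# capabilities, IMA); security.evm itself is deliberately not in the list.
PROTECTED_XATTRS = ("security.selinux", "security.SMACK64",
                    "security.capability", "security.ima")

def evm_hmac(xattrs, inode_meta, key=EVM_KEY):
    """HMAC over the protected xattr values plus inode metadata.
    Assumption: fixed ordering, 8-byte little-endian fields and SHA-1 are a
    simplification; the kernel's EVM defines its own encoding."""
    h = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        value = xattrs.get(name)
        if value is not None:          # an absent xattr contributes nothing
            h.update(name.encode())    # bind value to its xattr name
            h.update(value)
    # Inode metadata binds the seal to this file, so a sealed xattr set
    # cannot simply be copied offline onto another inode.
    for field in ("ino", "generation", "uid", "gid", "mode"):
        h.update(int(inode_meta[field]).to_bytes(8, "little"))
    return h.digest()

def evm_seal(xattrs, inode_meta):
    """Return a copy of the xattrs with security.evm set to the HMAC."""
    sealed = dict(xattrs)
    sealed["security.evm"] = evm_hmac(xattrs, inode_meta)
    return sealed

def evm_verify(xattrs, inode_meta):
    """True only if security.evm matches the current xattrs and inode."""
    stored = xattrs.get("security.evm")
    if stored is None:
        return False                   # unlabelled file: treat as tampered
    return hmac.compare_digest(stored, evm_hmac(xattrs, inode_meta))
```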