Re: [PATCH 00/14] EVM

From: Mimi Zohar
Date: Fri Jun 04 2010 - 11:09:49 EST

Next message: Christoph Hellwig: "Re: [patch 1/4] fs: cleanup files_lock"
Previous message: Florian Mickler: "Re: suspend blockers & Android integration"
In reply to: Shaz: "Re: [PATCH 00/14] EVM"
Next in thread: Shaz: "Re: [PATCH 00/14] EVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2010-06-04 at 11:53 +0500, Shaz wrote:
> > Yes, verifying one file containing the hashes would be faster than
> > verifying individual hashes stored as extended attributes (xattrs), but
> > this does not take into account that files on a running system are being
> > modified or added. On a small form factor, the number of files is
> > limited, but would this scale well? In addition, what protects that one
> > file containing all the hashes from being modified? So, if you limit
>
> How about sealing to protect this file?

Was just indicating that the file needs to be protected. So, yes sealing
the file, based on PCRs, would work in a trusted boot environment.

> > the types of files to those that don't change, and the number of file
> > hashes, then using a single file would be faster.

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Christoph Hellwig: "Re: [patch 1/4] fs: cleanup files_lock"
Previous message: Florian Mickler: "Re: suspend blockers & Android integration"
In reply to: Shaz: "Re: [PATCH 00/14] EVM"
Next in thread: Shaz: "Re: [PATCH 00/14] EVM"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]