Re: [PATCH 0/2] dm-devel:dm-crypt: infrastructure for measurement of DM target data using IMA

[Tushar Sugandhi]

On 2020-08-17 2:46 p.m., Mimi Zohar wrote:
> On Sun, 2020-08-16 at 14:02 -0700, Tushar Sugandhi wrote:
> > There are several device-mapper targets which contribute to verify
> > the integrity of the mapped devices e.g. dm-integrity, dm-verity,
> > dm-crypt etc.
> >
> > But they do not use the capabilities provided by kernel integrity
> > subsystem (IMA). For instance, the IMA capability that measures several
> > in-memory constructs and files to detect if they have been accidentally
> > or maliciously altered, both remotely and locally. IMA also has the
> > capability to include these measurements in the IMA measurement list and
> > use them to extend a TPM PCR so that it can be quoted.
>
> "both remotely" refers to measurement and attestation, while "locally"
> refers to integrity enforcement, based on hashes or signatures.  Is
> this patch set adding both IMA-measurement and IMA-appraisal?
>
> Mimi
Thanks Mimi for looking at this patch set.

I added both "remotely" and "locally" in the description, so that
people less familiar with IMA would get a general overview of whats
possible with IMA.

In this patch set we are only adding support for measurement and
attestation. In the next iteration, I will remove the references to
"local" detection.
~Tushar
<snip>