Re: [PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list

From: Eric Biggers
Date: Thu Dec 02 2021 - 17:22:10 EST

Next message: Alexandre Belloni: "Re: [PATCH v3] rtc: da9063: add as wakeup source"
Previous message: Kirill A. Shutemov: "Re: [PATCH v2] x86: Skip WBINVD instruction for VM guest"
In reply to: Mimi Zohar: "[PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list"
Next in thread: Mimi Zohar: "Re: [PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Dec 02, 2021 at 04:55:05PM -0500, Mimi Zohar wrote:
> Without the file signature included in the IMA measurement list, the type
> of file digest is unclear. Set up the plumbing to limit including
> fs-verity's file digest in the IMA measurement list based on whether the
> template name is ima-sig. In the future, this could be relaxed to include
> any template format that includes the file signature.
>

Does it make sense to tie IMA's fs-verity support to files having signatures?
What about IMA audit mode? I thought that is just about collecting hashes, and
has nothing to do with signatures.

- Eric

Next message: Alexandre Belloni: "Re: [PATCH v3] rtc: da9063: add as wakeup source"
Previous message: Kirill A. Shutemov: "Re: [PATCH v2] x86: Skip WBINVD instruction for VM guest"
In reply to: Mimi Zohar: "[PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list"
Next in thread: Mimi Zohar: "Re: [PATCH v1 3/5] ima: limit including fs-verity's file digest in measurement list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]