On Sun, Jan 28, 2018 at 10:39:10PM -0500, Mimi Zohar wrote:
> So the filesystem is enforcing a policy set by userspace.  What is
> protecting that policy?  Can the verity bit be unset once set?

No.  Well, technically it would be safe to allow the bit to be unset
if the file is not in use (not open or mmaped), but in practice it
would be simplest to not allow it to be unset.

> > But once you get to data integrity protected via a Merkle tree at file
> > read time, this is extremely quite far away from any traditional
> > definition of "measurement".  So purely from a naming convention,
> > perhaps trying to take data integrity verification using Merkle trees
> > should forcing it into the IMA framework might not be such a great
> > fit.
>
> At what point is the signature on the Merkle tree hash verified?  I
> can't imagine it being done every time a page is read.  It must be
> done and the result cached at file open.

The page is verified each time it is read from the storage device (in
practice, flash).  Why can't you imagine this working?  Are you
concerned from a performance perspective, or because IMA has
different security requirements/expectations/assumptions?

What I am proposing is completely analogous to how dm-verity works.
In dm-verity, we verify each block (whether it be file system metadata
block or a file data block) when it is read from flash.  If you own a
modern Android device, or a Chrome OS device, the system software is
protected using dm-verity.

The only difference between this fs-verity proposal and dm-verity is
that it's being done at the file level instead of the block device
level.

					- Ted
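The mechanism described in this exchange, as an added Python model that is not part of the thread and not fs-verity's or dm-verity's implementation: a file's blocks are hashed into a Merkle tree once (when the verity bit is set), only the root has to be trusted (it is the value a signature would cover and that an open-time check would establish), and every block fetched from storage is re-verified against that root before it reaches the reader. The block size, the `VerityFile` class, the `IntegrityError` type and the sample contents are constructed for the demo; real fs-verity hashes page-sized blocks.

```python
import hashlib
from typing import List

# Constructed demo parameter: fs-verity hashes page-sized blocks; a tiny
# block keeps the tree small enough to follow by hand.
BLOCK_SIZE = 4


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(data: bytes) -> List[bytes]:
    """Split file contents into fixed-size blocks (the last may be short)."""
    return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]


def build_tree(blocks: List[bytes]) -> List[List[bytes]]:
    """Build the Merkle tree bottom-up: levels[0] holds the leaf (block)
    hashes, levels[-1] holds the single root.  An odd node count is handled
    by pairing the last node with itself."""
    level = [_h(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_h(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def auth_path(levels: List[List[bytes]], index: int) -> List[bytes]:
    """Sibling hashes from the leaf up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        # A node without a right sibling was paired with itself in build_tree.
        path.append(level[sibling] if sibling < len(level) else level[index])
        index >>= 1
    return path


def verify_block(index: int, data: bytes, path: List[bytes], root: bytes) -> bool:
    """Recompute the root from one block plus its sibling path.  Only the
    root must be trusted; every other tree node may live on the same
    untrusted storage as the data."""
    node = _h(data)
    for sibling in path:
        node = _h(sibling + node) if index & 1 else _h(node + sibling)
        index >>= 1
    return node == root


class IntegrityError(IOError):
    """Constructed stand-in for the I/O error a verity read failure returns."""


class VerityFile:
    """Models a file with the verity bit set: contents are frozen, the tree
    is computed once, and each block read from 'storage' is checked against
    the trusted root before it is handed to the caller."""

    def __init__(self, contents: bytes):
        self.storage = split_blocks(contents)   # stands in for flash
        self.tree = build_tree(self.storage)    # stored alongside the data
        self.root = self.tree[-1][0]            # trusted after a signature check
        self.verified_reads = 0

    def read_block(self, index: int) -> bytes:
        data = self.storage[index]              # fetch from storage every time
        if not verify_block(index, data, auth_path(self.tree, index), self.root):
            raise IntegrityError(f"block {index} failed verity check")
        self.verified_reads += 1
        return data


if __name__ == "__main__":
    f = VerityFile(b"hello, verity world!")   # constructed sample, 5 blocks
    print(f.read_block(0))
    f.storage[2] = b"XXXX"                    # simulate corrupted flash
    try:
        f.read_block(2)
    except IntegrityError as e:
        print("read rejected:", e)
    print(f.read_block(1), "still verifies")
```

Because the trusted root is fixed once the bit is set, corrupting a block (or a block together with the tree nodes stored next to it) changes the recomputed root and the read fails, while untouched blocks keep verifying; that is the per-read property the message contrasts with a once-at-open check.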