On Mon, 2018-01-29 at 07:09 -0500, Mimi Zohar wrote:
> Bringing it all together, what is needed?
> - the signature of the Merkle tree hash
> - a method for validating the signature
> - a method for knowing if fs-verity is enabled on the system
>   A mode where fs-verity can not be disabled on the local, running
>   system, once enabled.
> - lastly, a policy.  Just because a file has a signature, does not
>   necessarily imply that it should be verified.

Before people start saying that the policy doesn't belong in IMA, maybe
it doesn't, but let me describe a couple of use cases to illustrate the
problems:

- On systems that support multiple types of signatures, it's important
  to be able to define which signature types are acceptable, or for that
  matter if a file hash suffices (normally used for mutable files), on a
  per file basis.

- Similarly, suppose the trusted keyring contains multiple keys.  I've
  installed software from multiple software providers and loaded their
  public keys on the trusted keyring.  Is using any key to verify the
  file signature acceptable?  How would you indicate which key is
  acceptable for which file?  For embedded or closed systems, a single
  key can be used to sign all files, but for the generic case, like our
  laptops, this doesn't scale.

Mimi
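The two use cases above describe a policy question rather than a cryptographic one: the same keyring and the same valid signature can be acceptable or not depending on which file it sits on. The following Python model, added here as an illustration and not code from the thread, IMA or fs-verity, makes that concrete. It is a hypothetical appraisal policy: rules bind a path prefix to the acceptable signature types and, optionally, to the subset of trusted keys allowed for that path. HMAC over the file digest stands in for the asymmetric signature so the example runs with the standard library alone; the key ids, paths, rules and file contents are all constructed.

```python
"""Toy model of per-file appraisal policy for signed file digests (illustration only)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed trusted keyring: key id -> key bytes. HMAC over the file
# digest stands in for an asymmetric signature so the example needs only
# the standard library; the policy logic, not the primitive, is the point.
TRUSTED_KEYRING = {
    "distro-key": b"constructed-distro-key-material",
    "vendor-b-key": b"constructed-vendor-b-key-material",
}


@dataclass(frozen=True)
class Signature:
    sig_type: str      # "imasig" (signed digest) or "hash" (bare digest)
    key_id: str        # empty for "hash"
    value: bytes


@dataclass(frozen=True)
class Rule:
    path_prefix: str
    sig_types: frozenset                  # acceptable signature types for this prefix
    key_ids: Optional[frozenset] = None   # None = any key on the trusted keyring


def file_digest(content: bytes) -> bytes:
    return hashlib.sha256(content).digest()


def sign(content: bytes, key_id: str, keyring: dict) -> Signature:
    """Stand-in signature over the file digest with the named key."""
    mac = hmac.new(keyring[key_id], file_digest(content), "sha256").digest()
    return Signature("imasig", key_id, mac)


def hash_only(content: bytes) -> Signature:
    """Bare file hash, the form the mail mentions for mutable files."""
    return Signature("hash", "", file_digest(content))


def verify(content: bytes, sig: Signature, keyring: dict) -> bool:
    """Cryptographic check only: is the value correct for this content and key?"""
    if sig.sig_type == "hash":
        return hmac.compare_digest(sig.value, file_digest(content))
    key = keyring.get(sig.key_id)
    if key is None:
        return False
    expected = hmac.new(key, file_digest(content), "sha256").digest()
    return hmac.compare_digest(expected, sig.value)


def appraise(path: str, content: bytes, sig: Signature, policy: list, keyring: dict) -> str:
    """Policy decision: 'allow', 'deny', or 'unappraised' when no rule matches."""
    for rule in policy:
        if not path.startswith(rule.path_prefix):
            continue
        if sig.sig_type not in rule.sig_types:
            return "deny"                 # wrong kind of evidence for this path
        if sig.sig_type == "imasig" and rule.key_ids is not None and sig.key_id not in rule.key_ids:
            return "deny"                 # trusted key, but not the one bound to this path
        return "allow" if verify(content, sig, keyring) else "deny"
    return "unappraised"                  # policy says nothing about this file; not verified


# Two policies over the same keyring: one accepts any trusted key under /usr,
# the other binds /usr to the distro key (the per-file binding the mail asks for).
ANY_KEY_POLICY = [
    Rule("/usr/", frozenset({"imasig"})),
    Rule("/var/lib/app/", frozenset({"hash"})),
]
PER_KEY_POLICY = [
    Rule("/usr/", frozenset({"imasig"}), frozenset({"distro-key"})),
    Rule("/var/lib/app/", frozenset({"hash"})),
]


def demo() -> dict:
    binary = b"constructed contents of /usr/bin/ls"
    data = b"constructed mutable app state"
    by_distro = sign(binary, "distro-key", TRUSTED_KEYRING)
    by_vendor_b = sign(binary, "vendor-b-key", TRUSTED_KEYRING)   # trusted key, wrong owner
    k = TRUSTED_KEYRING
    return {
        "distro_any": appraise("/usr/bin/ls", binary, by_distro, ANY_KEY_POLICY, k),
        "vendorb_any": appraise("/usr/bin/ls", binary, by_vendor_b, ANY_KEY_POLICY, k),
        "vendorb_perkey": appraise("/usr/bin/ls", binary, by_vendor_b, PER_KEY_POLICY, k),
        "hash_in_usr": appraise("/usr/bin/ls", binary, hash_only(binary), PER_KEY_POLICY, k),
        "hash_in_var": appraise("/var/lib/app/state", data, hash_only(data), PER_KEY_POLICY, k),
        "tampered": appraise("/usr/bin/ls", binary + b"x", by_distro, PER_KEY_POLICY, k),
        "no_rule": appraise("/home/user/notes", data, hash_only(data), PER_KEY_POLICY, k),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "vendorb_any" case is the scaling problem in the second bullet: with a key-agnostic policy, any provider's key on the trusted keyring validates any file, so a correctly signed binary from vendor B is accepted in place of the distribution's own. The per-key policy rejects it without any change to the keyring, and the "hash" rule for the mutable data directory shows the first bullet's point that the acceptable evidence type is itself a per-path decision.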