On Thu, Apr 4, 2019 at 3:35 PM James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Redundant information is always possible, but it can become
> inconsistent and, because the hashes can't be derived from each other,
> it's hard to tell if it is inconsistent without redoing the whole hash
> with each method.

Part of the problem here is that IMA is effectively used for two related but different purposes - measurement and appraisal. You generally want measurements to be comparable across filesystems, whereas appraisal doesn't need to be. So if we don't have comparable measurements, there's less benefit in performing measurement (we have no real idea what the expected measurements would be in advance). That's less important for appraisal, but arguably we don't care about appraisal of stuff on fs-verity backed filesystems to begin with because we can just attest that they're legitimate?

> I was more wondering what, if any, problems would follow if we did let
> the filesystem choose the hash method and simply used the top merkle
> hash in place of the usual IMA hash?

We could definitely just pass it through as a separate hash type, and my initial thinking was that fs-verity might be a reasonable use case for that, but I'm not sure that it buys us much in the IMA case.
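
The two points raised in this exchange, as an added example that is not part of the original thread: a whole-file digest and a Merkle root over the same content cannot be compared with each other, so a record carrying both can only be checked by recomputing both, and reference values built from one method never match measurements taken with the other. The tree below is a simplified sketch (SHA-256, 4096-byte zero-padded blocks), not the fs-verity on-disk format, and all function names and the sample data are assumptions made for illustration.

```python
import hashlib

BLOCK = 4096  # assumed tree block size for this sketch

def flat_digest(data: bytes) -> str:
    """Whole-file digest, the kind a filesystem-independent measurement uses."""
    return hashlib.sha256(data).hexdigest()

def merkle_root(data: bytes, block: int = BLOCK) -> str:
    """Root of a simplified SHA-256 Merkle tree over zero-padded blocks."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)] or [b""]
    level = [hashlib.sha256(c.ljust(block, b"\0")).digest() for c in chunks]
    while len(level) > 1:
        # Pack the child hashes into blocks and hash each block again.
        packed = b"".join(level)
        level = [hashlib.sha256(packed[i:i + block].ljust(block, b"\0")).digest()
                 for i in range(0, len(packed), block)]
    return level[0].hex()

def stale_fields(record: dict, data: bytes) -> list:
    """Return which digests in a record carrying both no longer match data.
    Neither digest can be checked against the other, so both are recomputed."""
    fresh = {"flat": flat_digest(data), "merkle": merkle_root(data)}
    return sorted(k for k in fresh if record.get(k) != fresh[k])

def matches_allowlist(measured: str, expected: set) -> bool:
    """Verifier-side comparison against digests computed in advance."""
    return measured in expected

# Constructed sample content: more than 128 blocks, so the tree has several levels.
SAMPLE = bytes(range(256)) * 2100
UPDATED = SAMPLE + b"patched"

if __name__ == "__main__":
    expected = {flat_digest(SAMPLE)}  # reference values built from flat hashes
    print("flat measurement matches:", matches_allowlist(flat_digest(SAMPLE), expected))
    print("merkle measurement matches:", matches_allowlist(merkle_root(SAMPLE), expected))
    # Record where only the Merkle root was refreshed after the file changed.
    record = {"flat": flat_digest(SAMPLE), "merkle": merkle_root(UPDATED)}
    print("stale fields:", stale_fields(record, UPDATED))
```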