On Tue, 2020-11-17 at 10:23 -0800, Linus Torvalds wrote:
> On Mon, Nov 16, 2020 at 10:35 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > We need to differentiate between signed files, which by definition are
> > immutable, and those that are mutable. Appending to a mutable file,
> > for example, would result in the file hash not being updated.
> > Subsequent reads would fail.
>
> Why would that require any reading of the file at all AT WRITE TIME?

On the (last) file close, the file hash is re-calculated and written out
as security.ima. The EVM hmac is re-calculated and written out as
security.evm.

> Don't do it. Really.

I really wish it wasn't needed.

> When opening the file write-only, you just invalidate the hash. It
> doesn't matter anyway - you're only writing.
>
> Later on, when reading, only at that point does the hash matter, and
> then you can do the verification.
>
> Although honestly, I don't even see the point. You know the hash won't
> match, if you wrote to the file.

On the local system, as Roberto mentioned, before updating a file, the
existing file's data and metadata (EVM) should be verified to protect
from an offline attack.

The above scenario assumes calculating the file hash is only being used
for verifying the integrity of the file (security.ima), but there are
other reasons for calculating the file hash. For example, depending on
the IMA measurement policy, just accessing a file could require including
the file hash in the measurement list. True that measurement will only be
valid at the time of measurement, but it provides a base value.

Mimi
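The flow Mimi describes above, modelled in user space as an added example (this is not kernel code and not part of the thread): a file's hash is recorded as a simulated `security.ima` on last close, an HMAC over that hash plus inode metadata is recorded as a simulated `security.evm`, and an append to a mutable file first verifies both before writing, so a modification made behind the kernel's back (the offline attack case) is caught before the new hash would paper over it. The EVM key, the xattr store (a dict rather than real extended attributes), and the choice of mode/uid/gid as the protected metadata are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the EVM HMAC key; the kernel holds the real one.
EVM_KEY = b"constructed-demo-evm-key"

# Simulated extended-attribute store: path -> {"security.ima": ..., "security.evm": ...}
XATTRS = {}


def file_hash(path):
    """Hash the file contents; this is the value IMA stores in security.ima."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def evm_hmac(path, ima_hash):
    """HMAC over security.ima plus selected inode metadata (mode/uid/gid here),
    standing in for what EVM protects in security.evm."""
    st = os.stat(path)
    msg = (ima_hash
           + st.st_mode.to_bytes(4, "little")
           + st.st_uid.to_bytes(4, "little")
           + st.st_gid.to_bytes(4, "little"))
    return hmac.new(EVM_KEY, msg, hashlib.sha256).digest()


def on_last_close(path):
    """The step from the email: on last close, recompute and store both xattrs."""
    ih = file_hash(path)
    XATTRS[path] = {"security.ima": ih, "security.evm": evm_hmac(path, ih)}


def verify(path):
    """Return (ima_ok, evm_ok) for the file's current contents and metadata."""
    x = XATTRS.get(path)
    if x is None:
        return False, False
    ima_ok = hmac.compare_digest(file_hash(path), x["security.ima"])
    evm_ok = hmac.compare_digest(evm_hmac(path, x["security.ima"]), x["security.evm"])
    return ima_ok, evm_ok


def append_with_verification(path, data):
    """Append to a mutable file the way the thread argues it should be done:
    verify existing data and metadata first, write, then re-hash on close.
    Returns True if the append happened, False if the pre-write check failed."""
    ima_ok, evm_ok = verify(path)
    if not (ima_ok and evm_ok):
        return False
    with open(path, "ab") as f:
        f.write(data)
    on_last_close(path)
    return True


def demo():
    """Constructed scenario: legitimate append, then a simulated offline edit."""
    path = os.path.join(tempfile.mkdtemp(), "log.txt")
    with open(path, "wb") as f:
        f.write(b"line1\n")
    on_last_close(path)

    # Legitimate append passes the pre-write check and refreshes both xattrs.
    ok1 = append_with_verification(path, b"line2\n")
    after_ok = verify(path)

    # Simulated offline modification: contents change without the close hook running,
    # so security.ima no longer matches while security.evm still validates the xattr.
    with open(path, "ab") as f:
        f.write(b"tampered\n")
    tampered = verify(path)

    # The next append is refused instead of silently re-hashing the tampered file.
    ok2 = append_with_verification(path, b"line3\n")
    return ok1, after_ok, tampered, ok2


if __name__ == "__main__":
    print(demo())
```

The point the model makes concrete: if the write path only invalidated the hash and recomputed it on close, the tampered contents would be re-sealed as valid. Verifying before the write is what distinguishes "the file changed because we wrote it" from "the file changed while the kernel was not looking".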