On Mon, 2017-10-09 at 11:18 -0700, Matthew Garrett wrote:
> On Mon, Oct 9, 2017 at 11:15 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> > On Mon, 2017-10-09 at 10:59 -0700, Matthew Garrett wrote:
> >> Ok, that makes sense. But for cases where we do have security.ima, the
> >> inode doesn't seem to provide additional security but does make
> >> deployment more difficult. Does supporting this use case seem
> >> reasonable?
> >
> > Yes!
>
> Excellent. This means defining a new signature type - the two options
> seem to be Mikhail's portable format, or the approach I took of having
> the signature define which metadata is included. Do you have a
> preference?

We now understand that as long as the EVM signature includes
security.ima, it is safe not to include the i_ino/uuid. This new format
can be written to disk.

Based on the previous discussions, Mikhail's patches never write the
portable EVM signature format to disk, but verify the signature before
calculating and writing the HMAC. Based on our current understanding
that isn't required. The new EVM signature can be written out.

Let's keep the change as simple as possible.
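The argument above (a digest that covers security.ima already binds the file content, so pinning the inode number and filesystem UUID only costs portability) as an added illustration, not code from this thread or from the kernel's EVM implementation: a deliberately simplified model of the EVM digest, using an HMAC with a constructed key as a stand-in for the real signature, over constructed xattr values and inode metadata. The byte layout and the `evm_digest`, `copied_to_new_fs` and `tampered` helpers are assumptions for the demonstration, not the kernel's wire format.

```python
import hashlib
import hmac

# Constructed sample file: security.ima binds the content (a sha256 of the
# constructed content); the other protected xattrs carry policy data.
CONTENT = b"#!/bin/sh\necho hello\n"
XATTRS = {
    "security.ima": hashlib.sha256(CONTENT).digest(),
    "security.selinux": b"system_u:object_r:bin_t:s0",
    "security.capability": b"",
}
# Constructed per-inode metadata that the non-portable form pins the file to.
INODE_META = {"ino": 1234, "generation": 1, "uuid": b"\x11" * 16}
KEY = b"constructed-demo-key"  # stand-in for the EVM signing key (assumption)

PROTECTED = ("security.ima", "security.selinux", "security.capability")


def evm_digest(xattrs, inode_meta=None, key=KEY):
    """Simplified model of the EVM digest (not the kernel's format).
    Hashes the protected xattr values in a fixed order; if inode_meta is
    given, the inode number, generation and filesystem UUID are mixed in
    as well (non-portable form). With inode_meta=None the result depends
    only on the xattrs, i.e. it is the portable form."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for name in PROTECTED:
        h.update(name.encode())
        h.update(xattrs.get(name, b""))
    if inode_meta is not None:
        h.update(inode_meta["ino"].to_bytes(8, "little"))
        h.update(inode_meta["generation"].to_bytes(4, "little"))
        h.update(inode_meta["uuid"])
    return h.digest()


def copied_to_new_fs(xattrs):
    """Deploying the file elsewhere keeps its xattrs but lands on a new
    inode and a filesystem with a different UUID (constructed values)."""
    return xattrs, {"ino": 99, "generation": 7, "uuid": b"\x22" * 16}


def tampered(xattrs):
    """Changing the content changes security.ima, so every digest that
    covers security.ima changes too, with or without inode metadata."""
    new = dict(xattrs)
    new["security.ima"] = hashlib.sha256(CONTENT + b"echo goodbye\n").digest()
    return new
```

The portable digest survives the copy while the inode-bound one does not, and both reject the tampered content, which is the property the thread relies on.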