Hi all,

[switched to plain text]

I will check Mikhail's patches. Give me a moment.

Thanks,
Dmitry

On Tue, Oct 10, 2017 at 10:07 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Tue, 2017-10-10 at 02:10 +0300, Mikhail Kurinnoi wrote:
>> For now, we don't have ready for upstream "immutable" EVM signature
>> format support patch. Both, Dmitry's and my, patches need more work
>> in order to prevent file's data changes (in case of IMA hash) and
>> metadata changes for files signed by "immutable" EVM xattr (same idea
>> as we already have for IMA digsig, that prevent file's data change).
>
> After looking at your patches again, I think we should combine the
> "immutable" and "portable" concepts so that the new "portable"
> signature type is written out and considered "immutable".
>
> Dmitry's patch does prevent the file from changing, but that code is
> in IMA, but should be in EVM. I agree we can defer preventing the
> file from changing.
>
> Mimi
>

--
Thanks,
Dmitry