On Wed, Oct 18, 2017 at 11:16 AM, Dmitry Kasatkin <dmitry.kasatkin@xxxxxxxxx> wrote:
> Hi,
>
> I have not read the thread in detail, so sorry if I repeat something.
>
> EVM supports signatures.
> https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/tree/security/integrity/evm/evm_main.c?h=next#n166
>
> They can be mutable or immutable, if not marked immutable.
> A mutable signature will be replaced on the first verification.
>
> And ima-evm-utils has support to generate EVM signatures:
>
> https://sourceforge.net/p/linux-ima/ima-evm-utils/ci/master/tree/src/evmctl.c#l1549
>
> Also there is the concept of EVM signatures not bound to inode-unique data like
> ino and generation.

That's fine - the problem is how to write these out. If EVM is enabled there's no way to write security.evm on a new file unless the iint entry has an IMA_NEW_FILE flag, and this will only be set if there's an IMA policy that covers that file.