Re: RFC: Make it practical to ship EVM signatures

On Wed, 2017-10-18 at 22:48 +0300, Dmitry Kasatkin wrote:
> Can you please point me to the patchset email?

This was the start of the lengthy discussion -
https://www.spinics.net/lists/linux-integrity/msg00035.html


> 
> On Fri, Oct 13, 2017 at 2:09 AM, Dmitry Kasatkin
> <dmitry.kasatkin@xxxxxxxxx> wrote:
> > Hi all,
> >
> > [switched to plain text]
> >
> > I will check Mikhail's patches.
> > Give me a moment.
> >
> > Thanks,
> > Dmitry
> >
> >
> > On Tue, Oct 10, 2017 at 10:07 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> >> On Tue, 2017-10-10 at 02:10 +0300, Mikhail Kurinnoi wrote:
> >>> For now, we don't have ready for upstream "immutable" EVM signature
> >>> format support patch. Both, Dmitry's and my, patches need more work
> >>> in order to prevent file's data changes (in case of IMA hash) and
> >>> metadata changes for files signed by "immutable" EVM xattr (same idea
> >>> as we already have for IMA digsig, that prevent file's data change).
> >>
> >> After looking at your patches again, I think we should combine the
> >> "immutable" and "portable" concepts so that the new "portable"
> >> signature type is written out and considered "immutable".
> >>
> >> Dmitry's patch does prevent the file from changing, but that code is
> >> in IMA, but should be in EVM.  I agree we can defer preventing the
> >> file from changing.
> >>
> >> Mimi
> >>
> >
> >
> >
> > --
> > Thanks,
> > Dmitry
> 
> 
> 



