On Wed, 2017-10-18 at 22:48 +0300, Dmitry Kasatkin wrote: > Can you please point me to the patchset email? This was the start of the lengthy discussion - https://www.spinics.net/lists/linux-integrity/msg00035.html > > On Fri, Oct 13, 2017 at 2:09 AM, Dmitry Kasatkin > <dmitry.kasatkin@xxxxxxxxx> wrote: > > Hi all, > > > > [switched to plain text] > > > > I will check Mikhail's patches. > > Give me a moment. > > > > Thanks, > > Dmitry > > > > > > On Tue, Oct 10, 2017 at 10:07 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > >> On Tue, 2017-10-10 at 02:10 +0300, Mikhail Kurinnoi wrote: > >>> For now, we don't have ready for upstream "immutable" EVM signature > >>> format support patch. Both, Dmitry's and my, patches need more work > >>> in order to prevent file's data changes (in case of IMA hash) and > >>> metadata changes for files signed by "immutable" EVM xattr (same idea > >>> as we already have for IMA digsig, that prevent file's data change). > >> > >> After looking at your patches again, I think we should combine the > >> "immutable" and "portable" concepts so that the new "portable" > >> signature type is written out and considered "immutable". > >> > >> Dmitry's patch does prevent the file from changing, but that code is > >> in IMA, but should be in EVM. I agree we can defer preventing the > >> file from changing. > >> > >> Mimi > >> > > > > > > > > -- > > Thanks, > > Dmitry > > >
