On Thu, Oct 19, 2017 at 12:07 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote: > Hi Dmitry, > > On Wed, 2017-10-18 at 23:37 +0300, Dmitry Kasatkin wrote: >> May be Mikhail could share GIT url to look somewhere. >> To see latest bits. > > Please bottom post in the future. > > Summary: > Mikhail's patches were posted earlier this year. His patches defined > a portable EVM signature, which was never written out to disk, but > after being verified, was written out as an HMAC. This was based on > my understanding that the i_ino/uuid is required to prevent a cut & > paste attack. I checked Mikhail patches. In his patches, immutable is normal evm signature but not replaceable with hmac. 2) portable EVM digsig version, aimed to protect archived file's meta data from manipulations. What is the case of manipulation? hmac protects that.. > > In the recent discussions, Matthew wanted to know why the i_ino/uuid > is required. After going around and around discussing it, it turns > out including security.ima is equivalent to including the i_ino/uuid. > The i_ino/uuid is only necessary to prevent a cut and paste attack, > when security.ima is not included in the security.evm hmac/signature. > If I recall, we had such discussion in the chat about i_no/uuid. if I recall right, not including them was a compromise for "portability"? Archive could be unpacked with xattrs and signatures are still valid. tar --xattrs cp --preserve=xattr But how security.ima will protect against cut and paste attack? Attacker can take any other file together with metadata and it will be valid one. > We're at the point of making the portable EVM signature immutable. By > immutable, we mean that it isn't re-written as an HMAC. It is based > on your ima-evm-utils support. > > Mikhail, Matthew, did I leave anything out? > > Mimi > -- Thanks, Dmitry