Re: RFC: Make it practical to ship EVM signatures

On Thu, Oct 19, 2017 at 12:07 AM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> Hi Dmitry,
>
> On Wed, 2017-10-18 at 23:37 +0300, Dmitry Kasatkin wrote:
>> May be Mikhail could share GIT url to look somewhere.
>> To see latest bits.
>
> Please bottom post in the future.
>
> Summary:
> Mikhail's patches were posted earlier this year.  His patches defined
> a portable EVM signature, which was never written out to disk, but
> after being verified, was written out as an HMAC.  This was based on
> my understanding that the i_ino/uuid is required to prevent a cut &
> paste attack.
>
> In the recent discussions, Matthew wanted to know why the i_ino/uuid
> is required.  After going around and around discussing it, it turns
> out including security.ima is equivalent to including the i_ino/uuid.
> The i_ino/uuid is only necessary to prevent a cut and paste attack,
> when security.ima is not included in the security.evm hmac/signature.
>
> We're at the point of making the portable EVM signature immutable. By
> immutable, we mean that it isn't re-written as an HMAC.  It is based
> on your ima-evm-utils support.

Do you mean to have it unconditionally immutable?

>
> Mikhail, Matthew, did I leave anything out?
>
> Mimi
>



-- 
Thanks,
Dmitry
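The cut & paste argument from Mimi's summary, as an added Python model that is not kernel or ima-evm-utils code: a toy EVM HMAC over the protected xattr values, optionally bound to i_ino/uuid, checked against an offline attacker who copies a trusted file's xattrs onto a different inode. The HMAC layout, key, xattr values, uuid and inode numbers are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values; the real kernel HMAC layout and key handling differ.
EVM_KEY = b"constructed-evm-hmac-key"
FS_UUID = bytes(range(16))          # constructed filesystem uuid
PROTECTED = ("security.ima", "security.selinux", "security.capability")


def ima_hash(content: bytes) -> bytes:
    """Value stored in security.ima: a hash of the file content."""
    return hashlib.sha256(content).digest()


def evm_hmac(xattrs: dict, protected: tuple, ino: Optional[int]) -> bytes:
    """HMAC over the protected xattr values, optionally bound to i_ino/uuid."""
    h = hmac.new(EVM_KEY, digestmod=hashlib.sha256)
    for name in protected:
        if name in xattrs:
            h.update(xattrs[name])
    if ino is not None:                 # bind the tag to this inode and fs
        h.update(ino.to_bytes(8, "little") + FS_UUID)
    return h.digest()


def cut_and_paste_detected(include_ima: bool, bind_inode: bool) -> bool:
    """True if copying A's metadata onto B is caught by EVM or IMA."""
    protected = PROTECTED if include_ima else PROTECTED[1:]
    # Trusted file A, labelled by the administrator.
    a_content, a_ino = b"#!/bin/sh\necho trusted\n", 1234
    a_xattrs = {"security.ima": ima_hash(a_content),
                "security.selinux": b"system_u:object_r:bin_t:s0",
                "security.capability": b"cap_net_raw+ep"}
    a_evm = evm_hmac(a_xattrs, protected, a_ino if bind_inode else None)
    # Offline attacker writes other content into inode B and pastes A's
    # xattrs, security.evm included, onto it.
    b_content, b_ino = b"#!/bin/sh\necho malicious\n", 5678
    b_xattrs, b_evm = dict(a_xattrs), a_evm
    if not include_ima:
        # security.ima is outside the HMAC, so it can be set to match B.
        b_xattrs["security.ima"] = ima_hash(b_content)
    # Access-time checks: EVM validates the xattrs, then IMA the content.
    evm_ok = hmac.compare_digest(
        b_evm, evm_hmac(b_xattrs, protected, b_ino if bind_inode else None))
    ima_ok = b_xattrs["security.ima"] == ima_hash(b_content)
    return not (evm_ok and ima_ok)
```

With security.ima outside the HMAC and no i_ino/uuid binding, the pasted metadata passes both checks; binding the inode makes the copy fail at EVM, and including security.ima makes it fail at IMA, which is the equivalence the thread arrives at.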