Hi Matthew,

On Thu, 2018-10-04 at 13:30 -0700, Matthew Garrett wrote:
> As of d77ccdc644a59b412d8e101576134c90a0aa6797, IMA will trigger a
> rehash of any file on a FUSE filesystem for every measurement. This has
> a significant impact on performance. Individual FUSE filesystems may
> have the ability to identify whether a file needs to be rehashed, and
> some may even have the ability to obtain the file hash out of band
> without needing the kernel to do it. Longer term, this may also be
> usable for other scenarios where a filesystem can provide a trustworthy
> hash (eg, fs-verity on ext4 could provide a hash and then later abort
> any read()s that discover that the file doesn't match the measurement).

Really, a security vs. performance argument?! I don't need to tell you of all people, that one of the basic tenets of trusted boot is calculating the actual file hash before use. Limiting the file hash re-calculation is one thing, but relying on some out of band method of obtaining the file hash without the kernel ever calculating it is totally different. The only exception will be for fs-verity, which will return not the file hash, but the file's Merkle tree root hash.

If you want to introduce support for identifying whether a FUSE file, on a trusted mount, needs to be rehashed, that's fine. It should not be the default behavior.

Mimi