On Fri, 2018-10-05 at 10:26 -0700, Matthew Garrett wrote: > On Fri, Oct 5, 2018 at 3:49 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > Really, a security vs. performance argument?! I don't need to tell > > you of all people, that one of the basic tenents of trusted boot is > > calculating the actual file hash before use. Limiting the file hash > > re-calculation is one thing, but relying on some out of band method of > > obtaining the file hash without the kernel ever calculating it is > > totally different. The only exception will be for fs-verity, which > > will return not the file hash, but the file's Merkle tree root hash. > > Using FUSE means you're inherently accepting the risk of TOCTOU. > Having the kernel read everything once and hash it is no guarantee > that the filesystem will return the same value on further reads, so if > you're going to use FUSE in an environment where you're using IMA then > you already need to assert that your filesystems are trustworthy. Right, the correct behavior should be not to trust FUSE filesystems, but since we don't break userspace there is the "ima_policy=fail_securely" boot command line option. Mimi
