Re: Allow FUSE filesystems to provide out-of-band hashes to IMA

On Tue, Oct 9, 2018 at 11:04 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
>
> On Tue, 2018-10-09 at 10:21 -0700, Matthew Garrett wrote:
> > Well, there's a performance benefit as well - reading 500MB
> > executables over the network is time consuming and otherwise mostly
> > unnecessary. Given two solutions that have the same properties in
> > terms of which components we need to trust, why not pick the one
> > that's faster?
>
> With the existing cover letter, the purpose of this patch set should
> be to address the performance of calculating the file hash on trusted
> local FUSE mounted filesystems, not remote filesystems or fs-verity
> filesystems.

The performance hit is more noticeable over remote filesystems, but we
have large binaries that take several seconds to hash even on local
filesystems. Would it be helpful to try to define the assumptions that
IMA makes in terms of whether or not it produces trustworthy results?
It feels like it'd be easier to talk about this if we have a more
formal set of conditions to take into consideration.


