Re: Allow FUSE filesystems to provide out-of-band hashes to IMA

On Tue, 2018-10-09 at 12:29 -0700, Matthew Garrett wrote:
> On Tue, Oct 9, 2018 at 11:04 AM Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> >
> > On Tue, 2018-10-09 at 10:21 -0700, Matthew Garrett wrote:
> > > Well, there's a performance benefit as well - reading 500MB
> > > executables over the network is time consuming and otherwise mostly
> > > unnecessary. Given two solutions that have the same properties in
> > > terms of which components we need to trust, why not pick the one
> > > that's faster?
> >
> > With the existing cover letter, the purpose of this patch set should
> > be to address the performance of calculating the file hash on trusted
> > local FUSE mounted filesystems, not remote filesystems or fs-verity
> > filesystems.
> 
> The performance hit is more noticeable over remote filesystems, but we
> have large binaries that take several seconds to hash even on local
> filesystems. Would it be helpful to try to define the assumptions that
> IMA makes in terms of whether or not it produces trustworthy results?
> It feels like it'd be easier to talk about this if we have a more
> formal set of conditions to take into consideration.

[Cc'ing Chuck Lever]

Integrity of files on remote filesystems should probably be discussed
in the context of fs-verity, not FUSE filesystems.

Do you want to continue the discussion here or perhaps as an LSS-EU
BoF?

Mimi



