Re: [PATCH RFC 0/4] IMA on NFS prototype


> On Feb 19, 2019, at 7:36 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote:
> 
> Hi Chuck,
> 
>> EVM is not supported in this prototype. NFS does not support several
>> of the xattrs that are protected by EVM: SMACK64, Posix ACLs, and
>> Linux file capabilities are not supported, which makes EVM more
>> difficult to support on NFS mounts.
> 
> There's no requirement for all of these xattrs to exist.  If an xattr
> does exist, then it is included in the security.evm hmac/signature.

Understood. The issue is that if they exist on a file residing on an NFS server,
such xattrs would not be visible to clients. My understanding is that then EVM
verification would fail on such files on NFS clients.

We could possibly make EVM work in limited scenarios until such time that
the NFS protocol can make those xattrs available to NFS clients. I hope that
having only security.ima is useful at least for experimenting and maybe more.

However, if folks think having security.evm also is needed, that is
straightforward... just saying that there are currently other limits in NFS
that make a full EVM implementation problematic.
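
The following is an added example, not part of the original message and not kernel code: a simplified Python model of the point both writers make, that an HMAC computed only over the protected xattrs that exist verifies on any host that sees the same set, and fails once a client cannot see one of them. Assumptions: the xattr list, its order, the metadata string, the shared key, and the `nfs_client_view` helper are all constructed for illustration and do not reproduce EVM's real byte layout.

```python
import hashlib
import hmac

# Fixed walk order shared by every verifier (simplified model; names follow the thread).
PROTECTED_XATTRS = ("security.SMACK64", "security.ima",
                    "security.capability", "system.posix_acl_access")

def evm_hmac_model(key, xattrs, inode_meta):
    """HMAC over the values of the protected xattrs that exist, then inode metadata."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in PROTECTED_XATTRS:
        if name in xattrs:              # an absent xattr is skipped, not an error
            mac.update(xattrs[name])
    mac.update(inode_meta)
    return mac.digest()

def label(key, xattrs, inode_meta):
    """Server side: store the HMAC alongside the xattrs as security.evm."""
    labelled = dict(xattrs)
    labelled["security.evm"] = evm_hmac_model(key, xattrs, inode_meta)
    return labelled

def verify(key, visible_xattrs, inode_meta):
    """Recompute over what this host can see and compare with security.evm."""
    stored = visible_xattrs.get("security.evm")
    if stored is None:
        return False
    expected = evm_hmac_model(key, visible_xattrs, inode_meta)
    return hmac.compare_digest(stored, expected)

def nfs_client_view(server_xattrs, exported=("security.ima", "security.evm")):
    """Hypothetical client view: only the named xattrs cross the wire."""
    return {k: v for k, v in server_xattrs.items() if k in exported}

# Constructed sample data (not real key material or real xattr values).
KEY = b"constructed-demo-key"
META = b"ino=42,uid=0,gid=0,mode=0100755"
IMA = b"\x04\x04" + b"\x11" * 32
ONLY_IMA = label(KEY, {"security.ima": IMA}, META)
WITH_CAPS = label(KEY, {"security.ima": IMA,
                        "security.capability": b"\x01\x00\x00\x02" + b"\x00" * 16}, META)

if __name__ == "__main__":
    for name, f in (("only security.ima", ONLY_IMA), ("with capabilities", WITH_CAPS)):
        print(f"{name}: server={verify(KEY, f, META)} "
              f"client={verify(KEY, nfs_client_view(f), META)}")
```

The file carrying only security.ima verifies on both sides, which is the limited scenario mentioned above; the file with a capability xattr verifies on the server and fails in the client view.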



