On Tue, 2019-02-19 at 22:51 -0500, Chuck Lever wrote: > > On Feb 19, 2019, at 7:36 PM, Mimi Zohar <zohar@xxxxxxxxxxxxx> wrote: > > > > Hi Chuck, > > > >> EVM is not supported in this prototype. NFS does not support several > >> of the xattrs that are protected by EVM: SMACK64, Posix ACLs, and > >> Linux file capabilities are not supported, which makes EVM more > >> difficult to support on NFS mounts. > > > > There's no requirement for all of these xattrs to exist. If an xattr > > does exist, then it is included in the security.evm hmac/signature. > > Understood. The issue is that if they exist on a file residing on an NFS server, > such xattrs would not be visible to clients. My understanding is that then EVM > verification would fail on such files on NFS clients. > > We could possibly make EVM work in limited scenarios until such time that > the NFS protocol can make those xattrs available to NFS clients. I hope that > having only security.ima is useful at least for experimenting and maybe more. > > However, if folks think having security.evm also is needed, that is straight- > forward... just saying that there are currently other limits in NFS that make a > full EVM implementation problematic. Thank you for the explanation. Yes, I think there is a benefit of having a file signature, without EVM. Mimi
