On Sun, 2019-05-12 at 17:31 +0200, Dominik Brodowski wrote:
> On Sun, May 12, 2019 at 08:52:47AM -0400, Mimi Zohar wrote:
> > It's too late. The /init itself should be signed and verified.
>
> Could you elaborate a bit more about the threat model, and why deferring
> this to the initramfs is too late?

The IMA policy defines a number of different methods of identifying which
files to measure, appraise, audit.[1] Without xattrs, the granularity of
the policy rules is severely limited. Without xattrs, a filesystem is
either in policy, or not.

With an IMA policy rule requiring rootfs (tmpfs) files to be verified,
then /init needs to be properly labeled, otherwise /init will fail to
execute.

Mimi

[1] Documentation/ABI/testing/ima_policy
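The behaviour the mail describes, as an added illustration that is not part of the thread and not kernel code: a small model of IMA policy matching in which the first matching rule per category wins (as in the kernel's `ima_match_policy`), applied to a constructed policy and constructed file records. The rule syntax follows Documentation/ABI/testing/ima_policy (an action followed by `key=value` conditions); the policy text, the file records, the xattr payloads and the helper names `decide` and `may_execute` are all assumptions made for this example. Signature verification itself is elided; the point shown is the one in the mail: with an `appraise` rule covering tmpfs, an `/init` that carries no `security.ima` label fails the appraisal and does not execute.

```python
"""Toy model of IMA policy evaluation (added example, not kernel code)."""

# Filesystem magic numbers as used in fsmagic= conditions.
TMPFS_MAGIC = 0x01021994   # rootfs / initramfs
EXT4_MAGIC = 0xEF53

# security.ima xattr type bytes (enum evm_ima_xattr_type in the kernel).
EVM_IMA_XATTR_DIGSIG = 0x03   # signature
IMA_XATTR_DIGEST_NG = 0x04    # hash only

ACTIONS = {"measure", "dont_measure", "appraise", "dont_appraise",
           "audit", "hash", "dont_hash"}


def parse_rule(line):
    """'appraise func=BPRM_CHECK fsmagic=0x01021994' -> ('appraise', {...})."""
    tokens = line.split()
    action = tokens[0]
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    conds = dict(tok.partition("=")[::2] for tok in tokens[1:])
    return action, conds


def parse_policy(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def rule_matches(conds, f):
    """Evaluate the subset of conditions this toy model understands."""
    for key, val in conds.items():
        if key == "func" and val != f["func"]:
            return False
        if key == "fsmagic" and int(val, 0) != f["fsmagic"]:
            return False
        if key in ("uid", "fowner") and int(val) != f[key]:
            return False
        if key == "appraise_type":
            continue   # a modifier on the appraise action, not a match condition
        if key not in ("func", "fsmagic", "uid", "fowner"):
            raise ValueError(f"condition {key!r} not modelled here")
    return True


def decide(policy, f):
    """Map category -> (enabled, appraise_type); first matching rule per category wins."""
    decided = {}
    for action, conds in policy:
        cat = action.replace("dont_", "")
        if cat in decided or not rule_matches(conds, f):
            continue
        decided[cat] = (not action.startswith("dont_"), conds.get("appraise_type"))
    return decided


def may_execute(policy, f):
    """Return (allowed, reason) for an exec of file record f under the policy."""
    d = decide(policy, f)
    if not d.get("appraise", (False, None))[0]:
        return True, "file not covered by an appraise rule"
    ima = f.get("xattrs", {}).get("security.ima")
    if ima is None:
        return False, "security.ima xattr missing: appraisal fails, exec denied"
    if d["appraise"][1] == "imasig" and ima[0] != EVM_IMA_XATTR_DIGSIG:
        return False, "appraise_type=imasig requires a signature, found hash only"
    return True, "security.ima present with acceptable type (verification elided)"


# Constructed policy: measure all execs, require signatures for execs on tmpfs.
POLICY = parse_policy("""
# constructed example policy
measure func=BPRM_CHECK
appraise func=BPRM_CHECK fsmagic=0x01021994 appraise_type=imasig
""")

# Constructed file records; xattr payloads are placeholders, not real signatures.
UNLABELED_INIT = {"path": "/init", "func": "BPRM_CHECK", "fsmagic": TMPFS_MAGIC,
                  "uid": 0, "fowner": 0, "xattrs": {}}
SIGNED_INIT = {**UNLABELED_INIT,
               "xattrs": {"security.ima": bytes([EVM_IMA_XATTR_DIGSIG]) + b"<sig>"}}
HASHED_INIT = {**UNLABELED_INIT,
               "xattrs": {"security.ima": bytes([IMA_XATTR_DIGEST_NG]) + b"<hash>"}}
EXT4_SHELL = {**UNLABELED_INIT, "path": "/bin/sh", "fsmagic": EXT4_MAGIC}

if __name__ == "__main__":
    for f in (UNLABELED_INIT, SIGNED_INIT, HASHED_INIT, EXT4_SHELL):
        print(f["path"], hex(f["fsmagic"]), may_execute(POLICY, f))
```

The `EXT4_SHELL` record shows the coarse granularity the mail refers to: a file is in or out of the appraise policy purely by filesystem (`fsmagic`) and hook (`func`), and only once it is in does the `security.ima` xattr decide the outcome.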