On Wed, Aug 28, 2019 at 8:36 PM Chuck Lever <chuck.lever@xxxxxxxxxx> wrote:
> My thought was to use an ephemeral Merkle tree for NFS (and
> possibly other remote filesystems, like FUSE, until these
> filesystems support durable per-file Merkle trees). A tree would
> be constructed when the client measures a file, but it would not
> be saved to the filesystem. Instead of a hash of the file's contents,
> the tree's root signature is stored as the IMA metadata.

So the attack you are trying to guard against is that the pages that were evicted once and that are read back could still be integrity verified? Handling this properly would be awesome. I don't think we have anything against this now; the pages that were once evicted are really not checked when read back.

-- Janne
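The scheme under discussion, as an added illustration that is not code from this thread, the kernel, or IMA: a per-page Merkle tree is built when the file is measured, only the root is kept (standing in for the IMA metadata), and a page read back after eviction is checked against that root using its authentication path rather than by rehashing the whole file. The page size, the leaf/node domain tags and the sample file are assumptions of this example.

```python
import hashlib

PAGE_SIZE = 4096  # assumed page size for the example; not stated in the thread

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def split_pages(content: bytes) -> list:
    """Cut file content into page-sized leaves (an empty file gets one empty leaf)."""
    return [content[i:i + PAGE_SIZE] for i in range(0, len(content), PAGE_SIZE)] or [b""]

def build_tree(content: bytes) -> list:
    """Ephemeral tree built at measurement time: levels[0] holds per-page hashes,
    levels[-1][0] is the root that would be stored as the IMA metadata."""
    levels = [[_h(b"\x00" + p) for p in split_pages(content)]]  # 0x00 = leaf domain tag
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]  # duplicate the last node on odd-sized levels
        levels.append([_h(b"\x01" + cur[i] + cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def root_of(levels: list) -> bytes:
    return levels[-1][0]

def auth_path(levels: list, index: int) -> list:
    """Sibling hashes from a page's leaf up to the root, each with a flag saying
    whether our node is the right child at that level."""
    path = []
    for level in levels[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]  # same padding rule as build_tree
        path.append((level[index ^ 1], index & 1))
        index //= 2
    return path

def verify_page(page: bytes, path: list, root: bytes) -> bool:
    """Read-back check: recompute the root from one page plus its auth path,
    so a page evicted from the page cache is verified without rehashing the file."""
    node = _h(b"\x00" + page)
    for sibling, is_right in path:
        node = _h(b"\x01" + sibling + node) if is_right else _h(b"\x01" + node + sibling)
    return node == root

# Constructed sample file: three distinct full pages plus a short tail page.
SAMPLE_FILE = b"".join(bytes([i]) * PAGE_SIZE for i in range(3)) + b"tail"

if __name__ == "__main__":
    levels = build_tree(SAMPLE_FILE)
    root = root_of(levels)  # only this is retained; the tree is never written to disk
    for i, page in enumerate(split_pages(SAMPLE_FILE)):
        print(i, verify_page(page, auth_path(levels, i), root))
```

A real implementation would have to keep the in-memory tree (or at least the auth paths) alive as long as the root is the measured value, since a page cannot be re-verified after eviction without its siblings.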