On Tue, 2019-09-17 at 08:45 -0400, Theodore Y. Ts'o wrote:
> On Tue, Sep 17, 2019 at 09:30:31AM +0300, Janne Karhunen wrote:
> > Could the fs-verity be plugged in as a measurement mechanism in the
> > IMA? So rather than calling a hash function, call verity to measure
> > and add a new set of IMA hooks to report violations that arise after
> > execution? IMA policy logic and functionality would be pretty much
> > unchanged.
>
> That is the plan, and it's not hard to do. The question which I've
> raised is when should we do it, given that some people believe that
> pulling the entire file into memory and checksumming it at exec or
> open time is a feature, not a bug.
>
> Should we use the fs-verity Merkle tree root hash as the measurement
> function unconditionally if it is present? Or does IMA want to have
> some kind of tuning knob; and if so, should it be on a per-filesystem
> basis, or globally, etc. etc. Those are IMA design questions, and
> I'll let the IMA folks decide what they want to do.

IMA doesn't hard code policy in the kernel, but is based on a single,
centralized policy, which contains measurement, appraisal, and audit
rules. Just as the new IMA appended signature support (kernel module
signature format)[1] contains a new "appraise_type=imasig|modsig"
option, there would be a similar option for fs-verity.

Mimi

[1] Included in the v5.4 pull request.
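The two measurement styles contrasted in the thread, as an added illustration that is not code from the kernel, from fs-verity, or from anyone on this thread: a whole-file digest of the kind IMA computes when it reads the complete file at open or exec time, beside a Merkle-tree root over fixed-size blocks, which is what lets a verity-style check validate a single block without touching the rest of the file. The tree construction here is a simplified model (SHA-256 leaves over zero-padded 4 KiB blocks, 128 child digests per interior node); it is an assumption for illustration and does not reproduce fs-verity's actual on-disk tree layout, descriptor, or salt handling. The sample file contents are constructed inline.

```python
"""Whole-file digest vs. Merkle-tree root measurement (added example, simplified model)."""
import hashlib

BLOCK_SIZE = 4096                     # assumed data/tree block size
DIGEST = "sha256"                     # assumed hash algorithm
DIGEST_SIZE = hashlib.new(DIGEST).digest_size
ARITY = BLOCK_SIZE // DIGEST_SIZE     # 128 child digests fit in one 4 KiB node


def whole_file_digest(data: bytes) -> bytes:
    """Classic measurement: the hash of every byte of the file."""
    return hashlib.new(DIGEST, data).digest()


def split_blocks(data: bytes) -> list:
    """Cut the file into BLOCK_SIZE blocks, zero-padding the last one."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
    blocks[-1] = blocks[-1].ljust(BLOCK_SIZE, b"\0")
    return blocks


def build_merkle_tree(data: bytes) -> list:
    """Return tree levels: levels[0] are leaf hashes, levels[-1] is [root]."""
    level = [hashlib.new(DIGEST, blk).digest() for blk in split_blocks(data)]
    levels = [level]
    while len(level) > 1:
        parents = []
        for i in range(0, len(level), ARITY):
            # Interior node = hash of up to ARITY concatenated child digests, zero-padded.
            node = b"".join(level[i:i + ARITY]).ljust(BLOCK_SIZE, b"\0")
            parents.append(hashlib.new(DIGEST, node).digest())
        level = parents
        levels.append(level)
    return levels


def merkle_root(data: bytes) -> bytes:
    """The root hash is the measurement value a verity-style scheme reports."""
    return build_merkle_tree(data)[-1][0]


def auth_path(levels: list, index: int) -> list:
    """Sibling digests needed to check block `index` against the root, one group per level."""
    path = []
    for level in levels[:-1]:
        start = (index // ARITY) * ARITY
        path.append((index - start, list(level[start:start + ARITY])))
        index //= ARITY
    return path


def verify_block(block: bytes, index: int, path: list, root: bytes) -> bool:
    """Check one block using only that block plus its authentication path.

    This is the point of the verity approach: the rest of the file is never read.
    """
    h = hashlib.new(DIGEST, block.ljust(BLOCK_SIZE, b"\0")).digest()
    for pos, siblings in path:
        siblings = list(siblings)
        siblings[pos] = h          # never trust the path's copy of our own node
        node = b"".join(siblings).ljust(BLOCK_SIZE, b"\0")
        h = hashlib.new(DIGEST, node).digest()
    return h == root


# Constructed sample: three full blocks with distinct contents plus a short tail.
SAMPLE = b"".join(bytes([i]) * BLOCK_SIZE for i in range(3)) + b"tail"


if __name__ == "__main__":
    levels = build_merkle_tree(SAMPLE)
    root = levels[-1][0]
    print("whole-file digest:", whole_file_digest(SAMPLE).hex())
    print("merkle root      :", root.hex())
    for i, blk in enumerate(split_blocks(SAMPLE)):
        print(f"block {i} verifies against root:", verify_block(blk, i, auth_path(levels, i), root))
    print("tampered block 1 verifies:",
          verify_block(b"X" * BLOCK_SIZE, 1, auth_path(levels, 1), root))
```

Note that `verify_block` only ever hashes the one block it is handed plus a handful of sibling digests, whereas `whole_file_digest` must consume the entire file; that difference is the trade-off the thread is weighing, and which of the two values IMA records is exactly the policy question left to the IMA maintainers.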