On Wed, 2019-09-18 at 08:37 -0400, Theodore Y. Ts'o wrote:
> On Tue, Sep 17, 2019 at 09:56:09AM -0500, James Bottomley wrote:
> > > There seems to be a philosophical debate about this. Some IMA folks
> > > have claimed that you want to know at the time of the binary being
> > > executed, whether or not it is corrupt or not. Their concern is that
> > > if you can make a binary crash when it pages in some page of memory...
> >
> > That's not my recollection of the IMA position.
>
> I had *several* conversations with IMA folks, including Mimi, who very
> carefully explained to me why fs-verity was bad from a security
> perspective.

There are use cases where you want to fail immediately, but that is
dependent on the use case (e.g. critical industrial control systems).

I'm not sure why you're bringing this up now, as we've already agreed
there are different use cases with different requirements, even on the
same system.

IMA doesn't hard code policy in the kernel, but is based on a single,
centralized policy, which contains measurement, appraisal, and audit
rules. The same file hash, or in this case fs-verity's hash, could be
included in the measurement list, used to extend the TPM, and added to
the audit log, as an IMA-audit record.

Mimi
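As an added illustration of the last paragraph above (this is not part of the thread and not Mimi's text), here is an example IMA policy written in the kernel's policy syntax as documented in Documentation/ABI/testing/ima_policy. It shows measurement, appraisal and audit rules for the same set of files in one centralized policy. The specific rule selection and the fsmagic constants (PROC_SUPER_MAGIC 0x9fa0, SYSFS_MAGIC 0x62656572, from include/uapi/linux/magic.h) are assumptions chosen for illustration; a real policy would be tuned to the system's use case.

```text
# Added example IMA policy (not from this thread). Loaded once at boot by
# writing the file's path to /sys/kernel/security/ima/policy.
# Comments must be on their own line; the parser does not accept trailing
# comments after a rule.

# Skip pseudo-filesystems for both measurement and appraisal.
dont_measure fsmagic=0x9fa0
dont_measure fsmagic=0x62656572
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572

# Measurement: the hash of each executed or exec-mapped file is added to
# the measurement list and extended into the TPM PCR (PCR 10 by default).
measure func=BPRM_CHECK mask=MAY_EXEC
measure func=FILE_MMAP mask=MAY_EXEC

# Appraisal: the same hash is checked against the signed security.ima
# xattr before execution; a mismatch or missing signature denies it.
appraise func=BPRM_CHECK appraise_type=imasig
appraise func=FILE_MMAP appraise_type=imasig

# Audit: the same hash is logged as an IMA-audit record.
audit func=BPRM_CHECK mask=MAY_EXEC
```

The point of the example is that a single file hash feeds three independent consumers (measurement list/TPM, local appraisal, audit log) from one policy, so a deployment that wants fail-immediately semantics enables the appraise rules, while one that only wants attestation or logging keeps measure and audit rules without them.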