On Wed, 2019-09-18 at 08:27 +0300, Janne Karhunen wrote: > On Tue, Sep 17, 2019 at 5:57 PM James Bottomley > <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote: > > > with. The biggest problem with fs-verity has been where to store > > the merkel tree. However, what I've heard from IMA people is as > > long as the merkle tree storage problem gets solved satisfactorily, > > they're perfectly happy to have per page hash verification be an > > IMA mechanism because it's a simple extension of policy and an > > addition of a gate. > > The way I see this is that the greatest asset to protect on any > device is the user data. The data security comes first, then the > device security as a mechanism to protect that same data. You could > even say that the device security is worthless when the device is > empty. The user data is almost always mutable by nature. So, would be > really great if the fs-verity metadata storage would take it into a > consideration that one day someone will want to use it for the > mutable data as well, even if Google does not want at this point in > time. Things like photos, videos are ideal use cases for the verity > like Ted pointed out. Mutability for integrity checked executables/data is problematic. With IMA you have to update the file and the xattr and make sure nothing touches it before you've completed all the updates otherwise you get an integrity check failure. This can work if your mutation is simply a distro update, but it's really hard to do if the file is constantly undergoing mutation because the window where the integrity check fails is huge ... thus it depends on your use case for mutability. James > Heck, doubt we would even have the conspiracy over the moon landings > anymore if the photos were taken with a device that could reliably > identify the device, the device user, location and the time when the > photos were taken ;) > > > -- > Janne >