Hello Thore,
On 7/14/21 4:32 AM, Thore Sommer wrote:
> Thank you for bringing IMA support to device mapper. The addition of dm-verity
> to IMA is very useful for the project I'm working on where we boot
> our distribution from removable USB media.
Thank you for the positive ack. Appreciate it.
> One of our goals is to detect tampering of the root file system remotely.
> Therefore we enabled dm-verity support but implementing remote attestation for
> dm-verity from userland is not ideal which was our initial plan.
Yes, remote attestation from userland is not ideal.
> This patch set enables us to leverage the already implemented IMA attestation
> infrastructure by the remote attestation service that we are using (Keylime)
> without trying to roll a custom solution.
I am glad that DM-IMA functionality is useful for your scenario.
> We tested the initial RFC patch set and will continue testing with
> this one to see if it fully works in our environment and with our use
> case.
Thank you for testing the RFC patch set.
Please let me know if you discover any bugs in this one, or have any
other feedback.
Thanks again.
Regards,
Tushar
Thore Sommer