On Fri, 2023-01-13 at 11:52 +0100, Roberto Sassu wrote:
> > > If we add a new policy keyword, existing policies would not be updated
> > > unless the system administrator notices it. If a remote attestation
> > > fails, the administrator has to look into it.
> >
> > Verifying the measurement list against a TPM quote should work
> > regardless of additional measurements. The attestation server,
> > however, should also check for unknown files.
> >
> > > Maybe we can introduce a new hook called MMAP_CHECK_REQ, so that an
> > > administrator could change the policy to have the current behavior, if
> > > the administrator wishes so.

<snip>

> > However "_REQ" could mean either requested or required.
>
> It was to recall reqprot. I could rename to MMAP_CHECK_REQPROT.

That sounds good.

-- 
thanks,

Mimi
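
The point made in the quoted reply above, that replaying the measurement list against the quoted PCR still succeeds when additional measurements appear while the attestation server separately flags unknown files, shown as an added example that is not part of the original thread or of any IMA tooling. It assumes the `ima-ng` ASCII list format and a SHA-1 PCR 10; the sample entries, their template hashes, the allowlist and the "quoted" value are constructed, and a real verifier would first validate the quote signature and recompute each template hash.

```python
import hashlib
from functools import reduce

ZERO = bytes(20)  # SHA-1 digest size; also the initial value of PCR 10

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: new = SHA1(old || digest)."""
    return hashlib.sha1(pcr + digest).digest()

def parse(line: str):
    """Split one ASCII measurement list line: pcr, template hash, template, file digest, path."""
    pcr, template_hash, template, filedata, path = line.split(maxsplit=4)
    return int(pcr), bytes.fromhex(template_hash), template, filedata, path

def replay(lines, pcr_index=10):
    """Recompute the PCR by extending every template hash in list order."""
    value = ZERO
    for line in lines:
        idx, template_hash, *_ = parse(line)
        if idx != pcr_index:
            continue
        # Violation entries are listed as all zeros but extended as all 0xff.
        if template_hash == ZERO:
            template_hash = b"\xff" * 20
        value = extend(value, template_hash)
    return value

def unknown_files(lines, allowlist):
    """Paths whose (path, file digest) pair is absent from the reference set."""
    return [p for _, _, _, fd, p in map(parse, lines) if allowlist.get(p) != fd]

def _entry(path, content):
    """Build a constructed sample line (assumption: not real kernel output)."""
    filedata = "sha256:" + hashlib.sha256(content).hexdigest()
    # Constructed stand-in; the kernel hashes the binary template data instead.
    template_hash = hashlib.sha1(f"{filedata} {path}".encode()).hexdigest()
    return f"10 {template_hash} ima-ng {filedata} {path}"

# Constructed list; the third entry plays the role of an additional measurement.
SAMPLE = [_entry("/usr/bin/bash", b"bash"), _entry("/usr/lib/libc.so.6", b"libc"),
          _entry("/tmp/new-mmap.so", b"extra")]
ALLOWLIST = {parse(l)[4]: parse(l)[3] for l in SAMPLE[:2]}
# Constructed stand-in for the PCR 10 value taken from a verified TPM quote.
QUOTED_PCR10 = reduce(lambda p, l: extend(p, parse(l)[1]), SAMPLE, ZERO)

if __name__ == "__main__":
    print("list matches quote:", replay(SAMPLE) == QUOTED_PCR10)
    print("unknown files:", unknown_files(SAMPLE, ALLOWLIST))
```
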