On Wed, 2020-08-26 at 12:24 -0700, Eric Biggers wrote:
> fs-verity is mostly just a way of hashing a file. Can't IMA just continue to do
> its signatures in the same way, and just swap out the traditional full file hash
> with the fs-verity file hash (when it's enabled)?

Yes, as previously discussed with you and Ted.

Mimi

>
> fs-verity does support its own signature mechanism, because people wanted a
> simple knob to set that makes the kernel verify and enforce signatures for all
> fs-verity files. But it's not mandatory to use that.
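
Added example, not part of the original message: the two hashes under discussion (a traditional full file hash and the fs-verity file digest), computed in user space. It assumes SHA-256, 4096-byte blocks and no salt, and follows the Merkle tree and descriptor layout given in the kernel's fs-verity documentation; the function names and sample data are constructed for illustration.

```python
import hashlib
import struct

BLOCK = 4096           # assumed block size (log_blocksize = 12)
HASH_ALG_SHA256 = 1    # FS_VERITY_HASH_ALG_SHA256
HASH_LEN = 32          # SHA-256 output size in bytes


def full_file_hash(data: bytes) -> bytes:
    """Traditional approach: one hash over the whole file contents."""
    return hashlib.sha256(data).digest()


def hash_blocks(data: bytes) -> bytes:
    """Hash each zero-padded BLOCK-sized chunk; return the hashes concatenated."""
    return b"".join(
        hashlib.sha256(data[off:off + BLOCK].ljust(BLOCK, b"\0")).digest()
        for off in range(0, len(data), BLOCK))


def merkle_root(data: bytes) -> bytes:
    """Root hash of the fs-verity Merkle tree built over the file contents."""
    if not data:
        return bytes(HASH_LEN)          # empty file: root hash is all zeroes
    level = hash_blocks(data)           # first level: one hash per data block
    while len(level) > HASH_LEN:        # pack hashes into blocks, hash upward
        level = hash_blocks(level)
    return level


def fsverity_digest(data: bytes) -> bytes:
    """Hash of the 256-byte fsverity_descriptor (version 1, unsalted)."""
    desc = struct.pack("<BBBBIQ64s32s144s",
                       1, HASH_ALG_SHA256, 12, 0,   # version, alg, log2(BLOCK), salt_size
                       0, len(data),                # reserved, data_size
                       merkle_root(data), b"", b"") # root_hash, salt, reserved (zero-padded)
    return hashlib.sha256(desc).digest()


if __name__ == "__main__":
    sample = bytes(range(256)) * 40     # constructed 10240-byte "file" (3 blocks)
    print("full file hash  :", full_file_hash(sample).hex())
    print("fs-verity digest:", fsverity_digest(sample).hex())
```

Either value is a fixed-size digest that a signature can cover; the fs-verity one additionally lets individual blocks be checked against the tree as they are read.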