[dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
James Morris
jmorris at namei.org
Wed Aug 5 23:51:57 UTC 2020
On Wed, 5 Aug 2020, Mimi Zohar wrote:
> If block layer integrity was enough, there wouldn't have been a need
> for fs-verity. Even fs-verity is limited to read only filesystems,
> which makes validating file integrity so much easier. From the
> beginning, we've said that fs-verity signatures should be included in
> the measurement list. (I thought someone signed on to add that support
> to IMA, but have not yet seen anything.)
>
> Going forward I see a lot of what we've accomplished being incorporated
> into the filesystems. When IMA will be limited to defining a system
> wide policy, I'll have completed my job.
What are your thoughts on IPE being a standalone LSM? Would you prefer to
see its functionality integrated into IMA?
More information about the Linux-security-module-archive
mailing list