[dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
Mimi Zohar
zohar at linux.ibm.com
Fri Aug 7 18:40:54 UTC 2020
On Fri, 2020-08-07 at 13:31 -0400, Mimi Zohar wrote:
> On Sat, 2020-08-08 at 02:41 +1000, James Morris wrote:
> > On Thu, 6 Aug 2020, Mimi Zohar wrote:
> >
> > > On Thu, 2020-08-06 at 09:51 +1000, James Morris wrote:
> > > > On Wed, 5 Aug 2020, Mimi Zohar wrote:
> > > >
> > > > > If block layer integrity was enough, there wouldn't have been a need
> > > > > for fs-verity. Even fs-verity is limited to read only filesystems,
> > > > > which makes validating file integrity so much easier. From the
> > > > > beginning, we've said that fs-verity signatures should be included in
> > > > > the measurement list. (I thought someone signed on to add that support
> > > > > to IMA, but have not yet seen anything.)
> > > > >
> > > > > Going forward I see a lot of what we've accomplished being incorporated
> > > > > into the filesystems. When IMA will be limited to defining a system
> > > > > wide policy, I'll have completed my job.
> > > >
> > > > What are your thoughts on IPE being a standalone LSM? Would you prefer to
> > > > see its functionality integrated into IMA?
> > >
> > > Improving the integrity subsystem would be preferred.
> > >
> >
> > Are you planning to attend Plumbers? Perhaps we could propose a BoF
> > session on this topic.
>
> That sounds like a good idea.
Other than it is already sold out.
Mimi
More information about the Linux-security-module-archive
mailing list