diff for duplicates of <1502289048.19092.62.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 632b3a3..813db43 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -26,7 +26,7 @@ On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote: > >> > >> If the concern is security, it would be possible to prevent unsigned > >> RPM headers from being parsed, if the PGP key type is upstreamed -> >> (adding in CC keyrings@vger.kernel.org). +> >> (adding in CC keyrings at vger.kernel.org). > > > > It's a security concern and also a layering violation, there should be no > > need to parse package file formats in the kernel. @@ -60,20 +60,20 @@ On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote: > Is the remaining part of the patch set ok, and is the explanation of > what it does clear? -From a trusted boot perspective, file measurements are added to the -measurement list, before access to the file is given. The measurement -list contains ALL measurements, as defined by policy. This patch set +>From a trusted boot perspective, file measurements are added to the +measurement list, before access to the file is given. ?The measurement +list contains ALL measurements, as defined by policy. ?This patch set changes that meaning to be all measurements, as defined by policy, with the exception of those in a white list. Changing the fundamental meaning of the measurement list is not -acceptable. You could define a new securityfs file to differentiate -between the full measurement list and this abbreviated one. But +acceptable. ?You could define a new securityfs file to differentiate +between the full measurement list and this abbreviated one. ?But before making this sort of change, I would prefer to address the underlying problem - TPM peformance. There are a couple of things that could be done to improve the TPM -driver performance, itself. Once all of these options have been +driver performance, itself. ?Once all of these options have been pursued, we could then consider batching the measurements to the TPM, meaning that the measurement list would still contain all the file measurements, but instead of extending the TPM for each measurement, a @@ -86,3 +86,8 @@ Mimi > > provide a more concrete explanation of what steps would occur during boot > > and attestation? > > + +-- +To unsubscribe from this list: send the line "unsubscribe linux-security-module" in +the body of a message to majordomo at vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index 2bead30..a38758a 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -4,19 +4,10 @@ "ref\011206fd8-d189-deb0-ab67-aec373f8d979@huawei.com\0" "ref\0alpine.LRH.2.20.1708021716440.1117@namei.org\0" "ref\00506050f-c4f1-1b36-a25b-c5418607906d@huawei.com\0" - "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [Linux-ima-devel] [PATCH, RESEND 08/12] ima: added parser for RPM data type\0" - "Date\0Wed, 09 Aug 2017 14:30:48 +0000\0" - "To\0Roberto Sassu <roberto.sassu@huawei.com>" - " James Morris <jmorris@namei.org>\0" - "Cc\0Christoph Hellwig <hch@infradead.org>" - linux-doc@vger.kernel.org - linux-kernel@vger.kernel.org - linux-fsdevel@vger.kernel.org - linux-security-module@vger.kernel.org - keyrings@vger.kernel.org - linux-ima-devel@lists.sourceforge.net - " Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>\0" + "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" + "Subject\0[Linux-ima-devel] [PATCH, RESEND 08/12] ima: added parser for RPM data type\0" + "Date\0Wed, 09 Aug 2017 10:30:48 -0400\0" + "To\0linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote:\n" @@ -47,7 +38,7 @@ "> >>\n" "> >> If the concern is security, it would be possible to prevent unsigned\n" "> >> RPM headers from being parsed, if the PGP key type is upstreamed\n" - "> >> (adding in CC keyrings@vger.kernel.org).\n" + "> >> (adding in CC keyrings at vger.kernel.org).\n" "> >\n" "> > It's a security concern and also a layering violation, there should be no\n" "> > need to parse package file formats in the kernel.\n" @@ -81,20 +72,20 @@ "> Is the remaining part of the patch set ok, and is the explanation of\n" "> what it does clear?\n" "\n" - "From a trusted boot perspective, file measurements are added to the\n" - "measurement list, before access to the file is given. \302\240The measurement\n" - "list contains ALL measurements, as defined by policy. \302\240This patch set\n" + ">From a trusted boot perspective, file measurements are added to the\n" + "measurement list, before access to the file is given. ?The measurement\n" + "list contains ALL measurements, as defined by policy. ?This patch set\n" "changes that meaning to be all measurements, as defined by policy,\n" "with the exception of those in a white list.\n" "\n" "Changing the fundamental meaning of the measurement list is not\n" - "acceptable. \302\240You could define a new securityfs file to differentiate\n" - "between the full measurement list and this abbreviated one. \302\240But\n" + "acceptable. ?You could define a new securityfs file to differentiate\n" + "between the full measurement list and this abbreviated one. ?But\n" "before making this sort of change, I would prefer to address the\n" "underlying problem - TPM peformance.\n" "\n" "There are a couple of things that could be done to improve the TPM\n" - "driver performance, itself. \302\240Once all of these options have been\n" + "driver performance, itself. ?Once all of these options have been\n" "pursued, we could then consider batching the measurements to the TPM,\n" "meaning that the measurement list would still contain all the file\n" "measurements, but instead of extending the TPM for each measurement, a\n" @@ -106,6 +97,11 @@ "> > I'm not really clear on exactly how this patch series works. Can you\n" "> > provide a more concrete explanation of what steps would occur during boot\n" "> > and attestation?\n" - > > + "> >\n" + "\n" + "--\n" + "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" + "the body of a message to majordomo at vger.kernel.org\n" + More majordomo info at http://vger.kernel.org/majordomo-info.html -bdcc49ad91038840bc6e7295e50ed1407038a921fbcfda31a77cd6929938c7e6 +5c457ebdde285ca23bbc25507e36d0a6b28c74eab45522d430e11f4231d9658d
diff --git a/a/1.txt b/N2/1.txt index 632b3a3..e34cd10 100644 --- a/a/1.txt +++ b/N2/1.txt @@ -60,7 +60,7 @@ On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote: > Is the remaining part of the patch set ok, and is the explanation of > what it does clear? -From a trusted boot perspective, file measurements are added to the +>From a trusted boot perspective, file measurements are added to the measurement list, before access to the file is given. The measurement list contains ALL measurements, as defined by policy. This patch set changes that meaning to be all measurements, as defined by policy, diff --git a/a/content_digest b/N2/content_digest index 2bead30..8d4a40a 100644 --- a/a/content_digest +++ b/N2/content_digest @@ -6,7 +6,7 @@ "ref\00506050f-c4f1-1b36-a25b-c5418607906d@huawei.com\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" "Subject\0Re: [Linux-ima-devel] [PATCH, RESEND 08/12] ima: added parser for RPM data type\0" - "Date\0Wed, 09 Aug 2017 14:30:48 +0000\0" + "Date\0Wed, 09 Aug 2017 10:30:48 -0400\0" "To\0Roberto Sassu <roberto.sassu@huawei.com>" " James Morris <jmorris@namei.org>\0" "Cc\0Christoph Hellwig <hch@infradead.org>" @@ -81,7 +81,7 @@ "> Is the remaining part of the patch set ok, and is the explanation of\n" "> what it does clear?\n" "\n" - "From a trusted boot perspective, file measurements are added to the\n" + ">From a trusted boot perspective, file measurements are added to the\n" "measurement list, before access to the file is given. \302\240The measurement\n" "list contains ALL measurements, as defined by policy. \302\240This patch set\n" "changes that meaning to be all measurements, as defined by policy,\n" @@ -108,4 +108,4 @@ "> > and attestation?\n" > > -bdcc49ad91038840bc6e7295e50ed1407038a921fbcfda31a77cd6929938c7e6 +98c251563314c39f99bdf5966a95a224a024286dcb92cefe66dd50caff3afc40
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.