From: Eric Biggers <ebiggers@kernel.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org,
Stefan Berger <stefanb@linux.ibm.com>,
linux-fscrypt@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 5/5] fsverity: update the documentation
Date: Tue, 5 Apr 2022 20:35:24 +0000 [thread overview]
Message-ID: <YkyoDE3HPkxcV1jM@gmail.com> (raw)
In-Reply-To: <20220325223824.310119-6-zohar@linux.ibm.com>
On Fri, Mar 25, 2022 at 06:38:24PM -0400, Mimi Zohar wrote:
> Update the fsverity documentation related to IMA signature support.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Documentation/filesystems/fsverity.rst | 20 ++++++++++++--------
> 1 file changed, 12 insertions(+), 8 deletions(-)
>
> diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst
> index 1d831e3cbcb3..c1d355f17a54 100644
> --- a/Documentation/filesystems/fsverity.rst
> +++ b/Documentation/filesystems/fsverity.rst
> @@ -74,8 +74,12 @@ authenticating the files is up to userspace. However, to meet some
> users' needs, fs-verity optionally supports a simple signature
> verification mechanism where users can configure the kernel to require
> that all fs-verity files be signed by a key loaded into a keyring; see
> -`Built-in signature verification`_. Support for fs-verity file hashes
> -in IMA (Integrity Measurement Architecture) policies is also planned.
> +`Built-in signature verification`_.
> +
> +The Integrity Measurement Architecture (IMA) supports including
> +fs-verity file digests and signatures in the IMA measurement list
> +and verifying fs-verity based file signatures stored as security.ima
> +xattrs, based on policy.
This looks okay, but this would be easier to understand as a list of alternative
ways to do signature verification with fs-verity:
* Userspace-only
* Built-in signature verification + userspace policy
* IMA
- Eric
prev parent reply other threads:[~2022-04-06 5:19 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-25 22:38 [PATCH v7 0/5] ima: support fs-verity digests and signatures Mimi Zohar
2022-03-25 22:38 ` [PATCH v7 1/5] fs-verity: define a function to return the integrity protected file digest Mimi Zohar
2022-03-28 3:45 ` Guozihua (Scott)
2022-03-28 13:51 ` Mimi Zohar
2022-03-25 22:38 ` [PATCH v7 2/5] ima: define a new template field named 'd-ngv2' and templates Mimi Zohar
2022-03-28 6:14 ` Guozihua (Scott)
2022-03-28 13:50 ` Mimi Zohar
2022-04-05 19:11 ` Eric Biggers
2022-04-28 2:03 ` Mimi Zohar
2022-03-25 22:38 ` [PATCH v7 3/5] ima: permit fsverity's file digests in the IMA measurement list Mimi Zohar
2022-04-05 19:28 ` Eric Biggers
2022-04-28 2:03 ` Mimi Zohar
2022-03-25 22:38 ` [PATCH v7 4/5] ima: support fs-verity file digest based version 3 signatures Mimi Zohar
2022-04-05 20:31 ` Eric Biggers
2022-04-28 2:05 ` Mimi Zohar
2022-03-25 22:38 ` [PATCH v7 5/5] fsverity: update the documentation Mimi Zohar
2022-04-05 20:35 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YkyoDE3HPkxcV1jM@gmail.com \
--to=ebiggers@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.