From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Chuck Lever <chuck.lever@oracle.com>, linux-integrity@vger.kernel.org
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
Michael Halcrow <mhalcrow@google.com>
Subject: Re: Fwd: New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
Date: Tue, 10 Apr 2018 19:10:00 -0400
Message-ID: <1523401800.5268.61.camel@linux.vnet.ibm.com>
In-Reply-To: <FB6125E9-528C-47DD-9774-86D9D4975A54@oracle.com>

Hi Chuck,

On Tue, 2018-04-10 at 08:44 -0600, Chuck Lever wrote:
> > Begin forwarded message:
> >
> > From: internet-drafts@ietf.org
> > Subject: New Version Notification for draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
> > Date: April 10, 2018 at 8:36:36 AM MDT
> > To: "Charles Lever" <chuck.lever@oracle.com>, "Chuck Lever" <chuck.lever@oracle.com>
> >
> >
> > A new version of I-D, draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
> > has been successfully submitted by Charles Lever and posted to the
> > IETF repository.
> >
> > Name: draft-cel-nfsv4-linux-seclabel-xtensions
> > Revision: 00
> > Title: Linux-related Extensions to NFS version 4.2 Security Labels
> > Document date: 2018-04-09
> > Group: Individual Submission
> > Pages: 8
> > URL: https://www.ietf.org/internet-drafts/draft-cel-nfsv4-linux-seclabel-xtensions-00.txt
> > Status: https://datatracker.ietf.org/doc/draft-cel-nfsv4-linux-seclabel-xtensions/
> > Htmlized: https://tools.ietf.org/html/draft-cel-nfsv4-linux-seclabel-xtensions-00
> > Htmlized: https://datatracker.ietf.org/doc/html/draft-cel-nfsv4-linux-seclabel-xtensions
> >
> >
> > Abstract:
> > NFS version 4.2 introduces an optional feature known as NFSv4
> > Security Labels. This document extends NFSv4 Security Labels to
> > support Linux file capabilities and the Linux Integrity Measurement
> > Architecture.
> >

Very nice! Thank you so much for writing this up.

> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
>
> Initial revision, by no means final. Review comments welcome.
>
> I'm toying with some ideas here. If you find anything controversial
> you are welcome to provide input.

"security.ima" may contain either a file hash or a file signature.
"security.evm" may contain either an HMAC or a signature of the file
metadata. Only the security.evm portable and immutable file signature,
not the HMAC which is TPM specific, will be applicable.

The last paragraph of section 1.1 mentions that the private key needs
to be protected, which is fine, but then mentions a TPM. This might
be a bit confusing in the context of EVM/IMA-appraisal as only the
trusted "master" key, which is used to encrypt/decrypt the EVM key, is
created and decrypted by the TPM.

Mimi
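Added example, not part of the original message or of the draft: a C sketch that tells the value kinds named in the reply above apart by their leading type byte and applies the stated rule that only the portable EVM signature is applicable. The type values follow enum evm_ima_xattr_type in the kernel's security/integrity/integrity.h; the function names, the two-byte minimum length check and the sample buffers are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Leading type byte of security.ima / security.evm values, as in
 * enum evm_ima_xattr_type (kernel security/integrity/integrity.h). */
enum xattr_type {
    IMA_XATTR_DIGEST = 0x01,          /* security.ima: file hash */
    EVM_XATTR_HMAC = 0x02,            /* security.evm: HMAC, key is host-local */
    EVM_IMA_XATTR_DIGSIG = 0x03,      /* signature (either attribute) */
    IMA_XATTR_DIGEST_NG = 0x04,       /* security.ima: hash plus algorithm id */
    EVM_XATTR_PORTABLE_DIGSIG = 0x05  /* security.evm: portable, immutable sig */
};

enum kind { K_INVALID, K_HASH, K_HMAC, K_SIGNATURE, K_PORTABLE_SIGNATURE };

/* security.ima holds either a file hash or a file signature. */
enum kind classify_ima(const uint8_t *v, size_t len)
{
    if (v == NULL || len < 2)  /* assumed minimal check: type byte + payload */
        return K_INVALID;
    switch (v[0]) {
    case IMA_XATTR_DIGEST:
    case IMA_XATTR_DIGEST_NG:  return K_HASH;
    case EVM_IMA_XATTR_DIGSIG: return K_SIGNATURE;
    default:                   return K_INVALID;  /* EVM-only or unknown type */
    }
}

/* security.evm holds either an HMAC or a signature over file metadata. */
enum kind classify_evm(const uint8_t *v, size_t len)
{
    if (v == NULL || len < 2)
        return K_INVALID;
    switch (v[0]) {
    case EVM_XATTR_HMAC:            return K_HMAC;
    case EVM_IMA_XATTR_DIGSIG:      return K_SIGNATURE;
    case EVM_XATTR_PORTABLE_DIGSIG: return K_PORTABLE_SIGNATURE;
    default:                        return K_INVALID;
    }
}

/* Per the message: only the portable and immutable EVM signature applies. */
int evm_applicable(const uint8_t *v, size_t len)
{
    return classify_evm(v, len) == K_PORTABLE_SIGNATURE;
}

/* Constructed sample values: real type byte, placeholder payload bytes. */
const uint8_t sample_hmac[] = { 0x02, 0xaa, 0xbb, 0xcc };
const uint8_t sample_portable[] = { 0x05, 0x02, 0x04, 0x11 };
const uint8_t sample_ima_hash[] = { 0x04, 0x04, 0xde, 0xad };
```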