From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from userp1040.oracle.com ([156.151.31.81]:51832 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932315AbdJYJ46 (ORCPT ); Wed, 25 Oct 2017 05:56:58 -0400 Date: Wed, 25 Oct 2017 11:56:44 +0200 (CEST) From: James Morris To: Matthew Garrett cc: linux-integrity@vger.kernel.org, zohar@linux.vnet.ibm.com, Dmitry Kasatkin , Mikhail Kurinnoi Subject: Re: [PATCH V3] EVM: Add support for portable signature format In-Reply-To: <20171025095413.25794-1-mjg59@google.com> Message-ID: References: <20171025095413.25794-1-mjg59@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Sender: linux-integrity-owner@vger.kernel.org List-ID: On Wed, 25 Oct 2017, Matthew Garrett wrote: > The EVM signature includes the inode number and (optionally) the > filesystem UUID, making it impractical to ship EVM signatures in > packages. This patch adds a new portable format intended to allow > distributions to include EVM signatures. It is identical to the existing > format but hardcodes the inode and generation numbers to 0 and does not > include the filesystem UUID even if the kernel is configured to do so. > > Removing the inode means that the metadata and signature from one file > could be copied to another file without invalidating it. This is avoided > by ensuring that an IMA xattr is present during EVM validation. > > Based on earlier work by Dmitry Kasatkin and Mikhail Kurinnoi. > > Signed-off-by: Matthew Garrett > Cc: Dmitry Kasatkin > Cc: Mikhail Kurinnoi Reviewed-by: James Morris -- James Morris