From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-integrity-owner@vger.kernel.org>
Received: from aserp1040.oracle.com ([141.146.126.69]:41951 "EHLO
        aserp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751004AbdKSUsR (ORCPT
        <rfc822;linux-integrity@vger.kernel.org>);
        Sun, 19 Nov 2017 15:48:17 -0500
Date: Mon, 20 Nov 2017 07:47:55 +1100 (AEDT)
From: James Morris <james.l.morris@oracle.com>
To: Roberto Sassu <roberto.sassu@huawei.com>
cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
        Matthew Garrett <mjg59@google.com>,
        Patrick Ohly <patrick.ohly@intel.com>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        linux-security-module <linux-security-module@vger.kernel.org>,
        Silviu Vlasceanu <silviu.vlasceanu@huawei.com>
Subject: Re: IMA appraisal master plan?
In-Reply-To: <a88aff89-1e75-9019-4394-640f5fb318da@huawei.com>
Message-ID: <alpine.LFD.2.20.1711200746120.25470@localhost>
References: <20171107151742.25122-1-mjg59@google.com> <1510766803.5979.17.camel@intel.com> <CACdnJusRutc4j7z+w6pZ0tooeAPcq=Vky_evF=X61AK_ivAEqg@mail.gmail.com> <1510770065.5979.21.camel@intel.com> <alpine.LFD.2.20.1711161101360.27132@localhost>
 <CACdnJuv=YDngm5HqJT9sfM01AVoZUaf8_uu-ygo+h8nNjtsDeA@mail.gmail.com> <1510798382.3711.389.camel@linux.vnet.ibm.com> <8bbaea89-336c-d14b-2ed8-44cd0a0d3ed1@huawei.com> <1510837595.3711.420.camel@linux.vnet.ibm.com>
 <a88aff89-1e75-9019-4394-640f5fb318da@huawei.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Sender: linux-integrity-owner@vger.kernel.org
List-ID: <linux-integrity.vger.kernel.org>

On Fri, 17 Nov 2017, Roberto Sassu wrote:

> LSMs are responsible to enforce a security policy at run-time, while
> IMA/EVM protect data and metadata against offline attacks.

In my view, IMA can also protect against making an online attack 
persistent across boots, and that would be the most compelling use of it 
for many general purpose applications.



-- 
James Morris
<james.l.morris@oracle.com>