Re: [RFC PATCH v11 16/19] ipe: enable support for fs-verity as a trust provider

linux-security-module.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Fan Wu <wufan@linux.microsoft.com>
To: Randy Dunlap <rdunlap@infradead.org>,
	corbet@lwn.net, zohar@linux.ibm.com, jmorris@namei.org,
	serge@hallyn.com, tytso@mit.edu, ebiggers@kernel.org,
	axboe@kernel.dk, agk@redhat.com, snitzer@kernel.org,
	eparis@redhat.com, paul@paul-moore.com
Cc: linux-doc@vger.kernel.org, linux-integrity@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fscrypt@vger.kernel.org, linux-block@vger.kernel.org,
	dm-devel@redhat.com, audit@vger.kernel.org,
	roberto.sassu@huawei.com, linux-kernel@vger.kernel.org,
	Deven Bowers <deven.desai@linux.microsoft.com>
Subject: Re: [RFC PATCH v11 16/19] ipe: enable support for fs-verity as a trust provider
Date: Wed, 4 Oct 2023 19:45:50 -0700	[thread overview]
Message-ID: <a58cc269-1a95-445d-85c9-ecf997b47294@linux.microsoft.com> (raw)
In-Reply-To: <7cecea3f-aaca-4df5-9595-324137c3627e@infradead.org>



On 10/4/2023 4:58 PM, Randy Dunlap wrote:
> 
> 
> On 10/4/23 15:09, Fan Wu wrote:
> 
> | diff --git a/security/ipe/Kconfig b/security/ipe/Kconfig
> | index 7afb1ce0cb99..9dd5c4769d79 100644
> | --- a/security/ipe/Kconfig
> | +++ b/security/ipe/Kconfig
> | @@ -30,6 +30,19 @@ config IPE_PROP_DM_VERITY
> |  	  that was mounted with a signed root-hash or the volume's
> |  	  root hash matches the supplied value in the policy.
> |
> | +	  If unsure, answer Y.
> | +
> | +config IPE_PROP_FS_VERITY
> | +	bool "Enable property for fs-verity files"
> | +	depends on FS_VERITY && FS_VERITY_BUILTIN_SIGNATURES
> | +	help
> | +	  This option enables the usage of properties "fsverity_signature"
> | +	  and "fsverity_digest". These properties evaluates to TRUE when
> 
> 	                                          evaluate
> 
> | +	  a file is fsverity enabled and with a signed digest or its
> | +	  diegst matches the supplied value in the policy.
> 
> 	  digest
> 
> | +
> | +	  if unsure, answer Y.
> | +
> |  endmenu
> |
> |  endif
> 
> 

Thanks for catching the typo/error. Not sure why my spell script didn't 
find them. Maybe I should consider using a better tool.

-Fan

next prev parent reply	other threads:[~2023-10-05  2:46 UTC|newest]

Thread overview: 58+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-10-04 22:09 [RFC PATCH v11 00/19] Integrity Policy Enforcement LSM (IPE) Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 01/19] security: add ipe lsm Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 02/19] ipe: add policy parser Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 2/19] " Paul Moore
2023-10-25 22:45     ` Fan Wu
2023-10-26 21:36       ` Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 03/19] ipe: add evaluation loop Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 3/19] " Paul Moore
2023-10-26  0:15     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 04/19] ipe: add LSM hooks on execution and kernel read Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 4/19] " Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 05/19] ipe: introduce 'boot_verified' as a trust provider Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 5/19] " Paul Moore
2023-10-26 21:33     ` Fan Wu
2023-10-26 22:12       ` Paul Moore
2023-11-02 22:46         ` Fan Wu
2023-11-03 22:15           ` Paul Moore
2023-11-03 22:30             ` Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 06/19] security: add new securityfs delete function Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 07/19] ipe: add userspace interface Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 08/19] uapi|audit|ipe: add ipe auditing support Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 8/19] " Paul Moore
2023-11-02 22:55     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 09/19] ipe: add permissive toggle Fan Wu
2023-10-24  3:52   ` [PATCH RFC v11 9/19] " Paul Moore
2023-11-02 22:56     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 10/19] block|security: add LSM blob to block_device Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 11/19] dm verity: set DM_TARGET_SINGLETON feature flag Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02  0:40     ` Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 12/19] dm: add finalize hook to target_type Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02  0:41     ` Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 13/19] dm verity: consume root hash digest and signature data via LSM hook Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02  0:41     ` Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 14/19] ipe: add support for dm-verity as a trust provider Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02 22:40     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 15/19] fsverity: consume builtin signature via LSM hook Fan Wu
2023-10-05  2:27   ` Eric Biggers
2023-10-05  2:49     ` Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02  0:40     ` Paul Moore
2023-11-02  2:53       ` Eric Biggers
2023-11-02 15:42         ` Paul Moore
2023-11-02 19:33           ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 16/19] ipe: enable support for fs-verity as a trust provider Fan Wu
2023-10-04 23:58   ` Randy Dunlap
2023-10-05  2:45     ` Fan Wu [this message]
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-10-04 22:09 ` [RFC PATCH v11 17/19] scripts: add boot policy generation program Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02 23:09     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 18/19] ipe: kunit test for parser Fan Wu
2023-10-24  3:52   ` [PATCH RFC " Paul Moore
2023-11-02 23:11     ` Fan Wu
2023-10-04 22:09 ` [RFC PATCH v11 19/19] documentation: add ipe documentation Fan Wu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a58cc269-1a95-445d-85c9-ecf997b47294@linux.microsoft.com \
    --to=wufan@linux.microsoft.com \
    --cc=agk@redhat.com \
    --cc=audit@vger.kernel.org \
    --cc=axboe@kernel.dk \
    --cc=corbet@lwn.net \
    --cc=deven.desai@linux.microsoft.com \
    --cc=dm-devel@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=eparis@redhat.com \
    --cc=jmorris@namei.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-doc@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=paul@paul-moore.com \
    --cc=rdunlap@infradead.org \
    --cc=roberto.sassu@huawei.com \
    --cc=serge@hallyn.com \
    --cc=snitzer@kernel.org \
    --cc=tytso@mit.edu \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).