Re: [PATCH v3 01/15] Documentation: add newcx initramfs format description

On Sat, 2018-02-17 at 16:26 -0800, h...@zytor.com wrote: > Do you have a description of the gaps you have identified? Probably the 2016 Linux Security Summit (LSS) integrity status update has the best list. http://events17.linuxfoundation.org/sites/events/files/slides/LSS2016-

Re: [PATCH v3 01/15] Documentation: add newcx initramfs format description

On Fri, 2018-02-16 at 12:59 -0800, H. Peter Anvin wrote: > On 02/16/18 12:33, Taras Kondratiuk wrote: > > Many of the Linux security/integrity features are dependent on file > > metadata, stored as extended attributes (xattrs), for making decisions. > > These features need to be initialized during

Re: [PATCH v2 06/15] ima: add parser of digest lists metadata

On Mon, 2017-11-20 at 10:40 +0100, Roberto Sassu wrote: > On 11/19/2017 12:23 AM, Mimi Zohar wrote: > > Hi Serge, > > > > On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote: > >> On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote: > >>

Re: [PATCH v2 06/15] ima: add parser of digest lists metadata

Hi Serge, On Fri, 2017-11-17 at 22:20 -0600, Serge E. Hallyn wrote: > On Tue, Nov 07, 2017 at 11:37:01AM +0100, Roberto Sassu wrote: > > from a predefined position (/etc/ima/digest_lists/metadata), when rootfs > > becomes available. Digest lists must be loaded before IMA appraisal is in > >

Re: [PATCH v2 00/15] ima: digest list feature

On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote: > On 11/17/2017 2:08 AM, Kees Cook wrote: > > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu <roberto.sa...@huawei.com> > > wrote: > >> On 11/7/2017 2:37 PM, Mimi Zohar wrote: > >>> Normally, the p

Re: [PATCH v2 00/15] ima: digest list feature

On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote: > This seems very over-complicated, and it's unclear why the kernel > needs to open the file itself. You *know* that all of userland is > trustworthy at this point even in the absence of signatures. Assuming the initramfs is signed, then

Re: [PATCH v2 00/15] ima: digest list feature

Hi Roberto, On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote: > IMA is a security module with the objective of reporting or enforcing the > integrity of a system, by measuring files accessed with the execve(), > mmap() and open() system calls. For reporting, it takes advantage of the > TPM

Re: [Linux-ima-devel] [PATCH, RESEND 08/12] ima: added parser for RPM data type

On Wed, 2017-08-09 at 19:18 +0200, Roberto Sassu wrote: > On 8/9/2017 4:30 PM, Mimi Zohar wrote: > > On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote: > >> On 8/2/2017 9:22 AM, James Morris wrote: > >>> On Tue, 1 Aug 2017, Roberto Sassu wrote: > >>&

Re: [Linux-ima-devel] [PATCH, RESEND 08/12] ima: added parser for RPM data type

On Wed, 2017-08-09 at 11:15 +0200, Roberto Sassu wrote: > On 8/2/2017 9:22 AM, James Morris wrote: > > On Tue, 1 Aug 2017, Roberto Sassu wrote: > > > >> On 8/1/2017 12:27 PM, Christoph Hellwig wrote: > >>> On Tue, Aug 01, 2017 at 12:20:36PM +0200, Roberto Sassu wrote: > This patch introduces

Re: [PATCH 00/12] ima: measure digest lists instead of individual files

Hi Roberto, [cc'ing tpmdd-devel] On Tue, 2017-07-25 at 17:44 +0200, Roberto Sassu wrote: > This patch set applies on top of kernel v4.13-rc2. > > IMA, for each file matching policy rules, calculates a digest, creates > a new entry in the measurement list and extends a TPM PCR with the digest >

Re: [RFC 09/10] ima: move to generic async completion

On Sat, 2017-05-06 at 15:59 +0300, Gilad Ben-Yossef wrote: > ima starts several async. crypto ops and waits for their completions. > Move it over to generic code doing the same. > > Signed-off-by: Gilad Ben-Yossef <gi...@benyossef.com> Acked-by: Mimi Zohar <zo.