Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Pavel Machek

Subject: Re: [RFC][Patch 5/5]integrity: IMA as an integrity service provider

Date: Saturday, May 31, 2008 - 12:54 am

On Wed 2008-05-28 01:22:42, Andrew Morton wrote:
quoted text> On Fri, 23 May 2008 11:05:45 -0400 Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > This is a re-release of Integrity Measurement Architecture(IMA) as an
> > independent Linunx Integrity Module(LIM) service provider, which implements
> > the new LIM must_measure(), collect_measurement(), store_measurement(), and
> > display_template() API calls. The store_measurement() call supports two 
> > types of data, IMA (i.e. file data) and generic template data.
...
quoted text> Generally: the code is all moderately intrusive into the VFS and this
> sort of thing does need careful explanation and justification, please. 
> Once we have some understanding of what you're trying to achieve here
> we will inevitably ask "can't that be done in userspace".  So it would
> be best if your description were to preemptively answer all that.  

...also, it would be nice to see explanation 'what is this good for'.

Closest explanation I remember was 'it will protect you by making
system unbootable if someone stole disk with your /usr filesystem --
but not / filesystem -- added some rootkit, and then stealthily
returned it'. That seems a) very unlikely scenario and b) probably
better solved by encrypting /usr.
							Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

[RFC][Patch 5/5]integrity: IMA as an integrity service pro ..., Mimi Zohar, (Fri May 23, 8:05 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Randy Dunlap, (Fri May 23, 4:30 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Mon May 26, 6:02 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Tue May 27, 7:36 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Andrew Morton, (Wed May 28, 1:22 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Wed May 28, 8:17 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Andrew Morton, (Wed May 28, 8:30 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Wed May 28, 8:33 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Thu May 29, 2:50 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Andrew Morton, (Thu May 29, 4:35 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Thu May 29, 6:58 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Andrew Morton, (Thu May 29, 7:04 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Mimi Zohar, (Fri May 30, 6:06 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Pavel Machek, (Sat May 31, 12:54 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Randy Dunlap, (Wed Jun 11, 3:31 pm)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., david safford, (Tue Jun 24, 9:28 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Pavel Machek, (Tue Aug 5, 10:32 am)

Re: [RFC][Patch 5/5]integrity: IMA as an integrity service ..., Pavel Machek, (Tue Aug 5, 10:35 am)


linux-kernel:
Greg KH	Og dreams of kernels
Jens Axboe	[PATCH 31/33] Fusion: sg chaining support
Arnd Bergmann	Re: finding your own dead "CONFIG_" variables
Mark Brown	[PATCH 2/2] Subject: natsemi: Allow users to disable workaround for DspCfg reset
Tony Breeds	[LGUEST] Look in object dir for .config
git:
Brian Downing	Re: Git in a Nutshell guide
John Benes	Re: master has some toys
Matthias Lederhofer	[PATCH 4/7] introduce GIT_WORK_TREE to specify the work tree
Alexander Sulfrian	[RFC/PATCH] RE: git calls SSH_ASKPASS even if DISPLAY is not set
Junio C Hamano	Re: Rss produced by git is not valid xml?
git-commits-head:
Linux Kernel Mailing List	iSeries: fix section mismatch in iseries_veth
Linux Kernel Mailing List	ixbge: remove TX lock and redo TX accounting.
Linux Kernel Mailing List	ixgbe: fix several counter register errata
Linux Kernel Mailing List	b43: fix build with CONFIG_SSB_PCIHOST=n
Linux Kernel Mailing List	9p: block-based virtio client
linux-netdev:
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
Michael Breuer	Re: [PATCH] af_packet: Don't use skb after dev_queue_xmit()
David Daney	[PATCH 5/7] Staging: Octeon Ethernet: Convert to NAPI.
Wolfgang Grandegger	[PATCH net-next v4 1/3] can: mscan: fix improper return if dlc < 8 in start_xmi...
Amit Kumar Salecha	[PATCHv3 NEXT 2/2] NET: Add Qlogic ethernet driver for CNA devices
openbsd-misc:
Theo de Raadt	Re: Old IPSEC bug
Tomáš Bodžár	Problem with vpnc connection - check group password !
Insan Praja SW	Mandoc Compiling Error
Carl Roberso	Re: Cannot change MTU of carp interface?
Richard Daemon	Re: booting openbsd on eee without cd-rom