lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 19 Oct 2022 10:34:48 -0400
From:   Mimi Zohar <>
To:     Kees Cook <>
Cc:     Paul Moore <>, James Morris <>,
        "Serge E. Hallyn" <>,
        Dmitry Kasatkin <>,
        Mickaël Salaün <>,
        Petr Vorel <>, Borislav Petkov <>,
        Takashi Iwai <>,
        Jonathan McDowell <>,,, KP Singh <>,
        Casey Schaufler <>,
        John Johansen <>,,
Subject: Re: [PATCH 2/9] security: Move trivial IMA hooks into LSM

On Thu, 2022-10-13 at 15:36 -0700, Kees Cook wrote:
> This moves the trivial hard-coded stacking of IMA LSM hooks into the
> existing LSM infrastructure.

The only thing trivial about making IMA and EVM LSMs is moving them to
LSM hooks.  Although static files may be signed and the signatures
distributed with the file data through the normal distribution
mechanisms (e.g. RPM), other files cannot be signed remotely (e.g.
configuration files).  For these files, both IMA and EVM may be
configured to maintain persistent file state stored as security xattrs
in the form of security.ima file hashes or security.evm HMACs.  The LSM
flexibility of enabling/disabling IMA or EVM on a per boot basis breaks
this usage, potentially preventing subsequent boots.


Powered by blists - more mailing lists