[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1275664158.3205.27.camel@localhost.localdomain>
Date: Fri, 04 Jun 2010 11:09:18 -0400
From: Mimi Zohar <zohar@...ux.vnet.ibm.com>
To: Shaz <shazalive@...il.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@...ia.com>,
James Morris <jmorris@...ei.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-security-module@...r.kernel.org"
<linux-security-module@...r.kernel.org>,
David Safford <safford@...son.ibm.com>,
Dave Hansen <dave@...ux.vnet.ibm.com>,
Arjan van de Ven <arjan@...radead.org>,
securityengineeringresearchgroup
<securityengineeringresearchgroup@...glegroups.com>
Subject: Re: [PATCH 00/14] EVM
On Fri, 2010-06-04 at 11:53 +0500, Shaz wrote:
> > Yes, verifying one file containing the hashes would be faster than
> > verifying individual hashes stored as extended attributes (xattrs), but
> > this does not take into account that files on a running system are being
> > modified or added. On a small form factor, the number of files is
> > limited, but would this scale well? In addition, what protects that one
> > file containing all the hashes from being modified? So, if you limit
>
> How about sealing to protect this file?
Was just indicating that the file needs to be protected. So, yes sealing
the file, based on PCRs, would work in a trusted boot environment.
> > the types of files to those that don't change, and the number of file
> > hashes, then using a single file would be faster.
Mimi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists