lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <f252a595-7b6a-9e20-bf08-97f102c41c01@linux.microsoft.com>
Date:   Mon, 17 Aug 2020 15:45:17 -0700
From:   Tushar Sugandhi <tusharsu@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, agk@...hat.com,
        snitzer@...hat.com, gmazyland@...il.com
Cc:     tyhicks@...ux.microsoft.com, sashal@...nel.org, jmorris@...ei.org,
        nramas@...ux.microsoft.com, linux-integrity@...r.kernel.org,
        linux-kernel@...r.kernel.org, dm-devel@...hat.com
Subject: Re: [PATCH 0/2] dm-devel:dm-crypt: infrastructure for measurement of
 DM target data using IMA



On 2020-08-17 2:46 p.m., Mimi Zohar wrote:
> On Sun, 2020-08-16 at 14:02 -0700, Tushar Sugandhi wrote:
>> There are several device-mapper targets which contribute to verify
>> the integrity of the mapped devices e.g. dm-integrity, dm-verity,
>> dm-crypt etc.
>>
>> But they do not use the capabilities provided by kernel integrity
>> subsystem (IMA). For instance, the IMA capability that measures several
>> in-memory constructs and files to detect if they have been accidentally
>> or maliciously altered, both remotely and locally. IMA also has the
>> capability to include these measurements in the IMA measurement list and
>> use them to extend a TPM PCR so that it can be quoted.
> 
> "both remotely" refers to measurement and attestation, while "locally"
> refers to integrity enforcement, based on hashes or signatures.  Is
> this patch set adding both IMA-measurement and IMA-appraisal?
> 
> Mimi
> 
Thanks Mimi for looking at this patch set.

I added both "remotely" and "locally" in the description, so that
people less familiar with IMA would get a general overview of whats
possible with IMA.

In this patch set we are only adding support for measurement and
attestation. In the next iteration, I will remove the references to
"local" detection.
~Tushar
<snip>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ