Date: Fri, 25 Mar 2022 18:38:24 -0400 From: Mimi Zohar <zohar@...ux.ibm.com> To: linux-integrity@...r.kernel.org Cc: Mimi Zohar <zohar@...ux.ibm.com>, Eric Biggers <ebiggers@...nel.org>, Stefan Berger <stefanb@...ux.ibm.com>, linux-fscrypt@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [PATCH v7 5/5] fsverity: update the documentation Update the fsverity documentation related to IMA signature support. Signed-off-by: Mimi Zohar <zohar@...ux.ibm.com> --- Documentation/filesystems/fsverity.rst | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/Documentation/filesystems/fsverity.rst b/Documentation/filesystems/fsverity.rst index 1d831e3cbcb3..c1d355f17a54 100644 --- a/Documentation/filesystems/fsverity.rst +++ b/Documentation/filesystems/fsverity.rst @@ -74,8 +74,12 @@ authenticating the files is up to userspace. However, to meet some users' needs, fs-verity optionally supports a simple signature verification mechanism where users can configure the kernel to require that all fs-verity files be signed by a key loaded into a keyring; see -`Built-in signature verification`_. Support for fs-verity file hashes -in IMA (Integrity Measurement Architecture) policies is also planned. +`Built-in signature verification`_. + +The Integrity Measurement Architecture (IMA) supports including +fs-verity file digests and signatures in the IMA measurement list +and verifying fs-verity based file signatures stored as security.ima +xattrs, based on policy. User API ======== 
@@ -653,12 +657,12 @@ weren't already directly answered in other parts of this document. hashed and what to do with those hashes, such as log them, authenticate them, or add them to a measurement list. - IMA is planned to support the fs-verity hashing mechanism as an - alternative to doing full file hashes, for people who want the - performance and security benefits of the Merkle tree based hash. - But it doesn't make sense to force all uses of fs-verity to be - through IMA. As a standalone filesystem feature, fs-verity - already meets many users' needs, and it's testable like other + IMA supports the fs-verity hashing mechanism as an alternative + to full file hashes, for those who want the performance and + security benefits of the Merkle tree based hash. However, it + doesn't make sense to force all uses of fs-verity to be through + IMA. fs-verity already meets many users' needs even as a + standalone filesystem feature, and it's testable like other filesystem features e.g. with xfstests. :Q: Isn't fs-verity useless because the attacker can just modify the -- 2.27.0
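Review bot: In the first hunk (@@ -74,8 +74,12 @@), the new IMA paragraph sits directly after the sentence on built-in signature verification, but it does not say that the two signature mechanisms are separate. The built-in one is described as requiring a signature "by a key loaded into a keyring", while the IMA one is described only as signatures "stored as security.ima xattrs, based on policy". A reader cannot tell from this which keys the IMA path trusts, or whether enabling one mechanism implies the other. Suggest adding a sentence that the IMA path is independent of the built-in verification, plus a pointer to the IMA policy documentation, the way the preceding sentence points to `Built-in signature verification`_. Minor: mark the xattr name as a literal (``security.ima``) and hyphenate "fs-verity-based".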
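Review bot: In the second hunk (@@ -653,12 +657,12 @@), the rewritten FAQ answer mentions only hashing ("IMA supports the fs-verity hashing mechanism as an alternative to full file hashes"), while the paragraph added by the first hunk says IMA also includes fs-verity signatures in the measurement list and verifies fs-verity based file signatures. The two descriptions of the same feature now disagree in scope. Suggest either mentioning signature verification here as well or referring back to the introductory paragraph, so the FAQ does not read as if IMA support were limited to measuring digests.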