From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4513EC433E1 for ; Thu, 13 Aug 2020 14:56:31 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 1F356207DA for ; Thu, 13 Aug 2020 14:56:31 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="B+mU/7AA" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726567AbgHMO4W (ORCPT ); Thu, 13 Aug 2020 10:56:22 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46544 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726419AbgHMO4V (ORCPT ); Thu, 13 Aug 2020 10:56:21 -0400 Received: from mail-il1-x143.google.com (mail-il1-x143.google.com [IPv6:2607:f8b0:4864:20::143]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 5B79CC061757; Thu, 13 Aug 2020 07:56:21 -0700 (PDT) Received: by mail-il1-x143.google.com with SMTP id q14so5773814ilj.8; Thu, 13 Aug 2020 07:56:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=h86jHgXoGDrr6y1H8GyRJonT43XDQUGwHsyIjrhVClo=; b=B+mU/7AA7XkCB/WQIaZ0Uw35rHqx3FZlWfVE1DyqFdBseBLhVBC2WXmEUnX3bL16N8 hifCnG0SzU/B3z/g5mM/0gMgqgHnAOEjMlQVmeIU8eE+dQ6csS+IMG8Gl/UoKYRJREj6 NQ4WjR5wKqRWsM3czQOCG90hF1K6Vx45EDKHGAqlVH3bzn/7iiCVMJ09eMdZYto61Iui Vtv0Zo2FsoOleYy80RSEuRQZhxjh3nvjgxT3tiEqpHB0ywRU2SsawHnqZmvn2Mb98EY6 y1DRK8Kp2eDEvN1Majj+vLY0Sex6QY6W/VvqHhrl1HUG2iimWg4iqdfx6vtZu8hHHSPT us9A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=h86jHgXoGDrr6y1H8GyRJonT43XDQUGwHsyIjrhVClo=; b=Hrgnrvd08hwLM9g34ydyyhGTRXG0lkxFKWCdE8ozC5KkLeAROJHE9qCwoeDBjhnCqL bJHI0xU7unN68le6mKH+y77BMbXLI6x/qkQBuXCSkGkt6498bxAnf9LZ24kPHPetPvX4 5ll7rNEnsKJFOXKnlIZMfMebEls5NXIpRln/url6AwWXY4MdLbUOoFVeZwOqdvo6TtDv I/TpENCZRo7isiT93nvExlWMfZuQdIpnzQoSTgbGkwh0HP5dFEU1ohhcYfVzw80N/fqj e17Kg2Klhl335IboOTeWiU3TkmPcWjKTo650AAgURH5ucOE4d6C1Wjhzz74dLU8M5/4y 7ioA== X-Gm-Message-State: AOAM533WqLk0n1rs6aYFsHnUng+6GKJmBPiPyWkJedStOVa7TMasN6Fe LVGB3PiitBnwVab5wvKlzEA= X-Google-Smtp-Source: ABdhPJyufAWBDkWl0rbFsm4iCNiuMOHAC/vQfunIPsTD3bDPGN/H0DAGcWooZcr1d23PB42mHpq9Dw== X-Received: by 2002:a92:99ca:: with SMTP id t71mr2876299ilk.143.1597330580641; Thu, 13 Aug 2020 07:56:20 -0700 (PDT) Received: from anon-dhcp-152.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id p13sm2089843ilb.61.2020.08.13.07.56.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Aug 2020 07:56:19 -0700 (PDT) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\)) Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: Chuck Lever In-Reply-To: <1597329763.3708.13.camel@HansenPartnership.com> Date: Thu, 13 Aug 2020 10:56:17 -0400 Cc: Mimi Zohar , James Morris , Deven Bowers , Pavel Machek , Sasha Levin , snitzer@redhat.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, agk@redhat.com, Paul Moore , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , eparis@redhat.com, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com Content-Transfer-Encoding: quoted-printable Message-Id: <49A45475-20D8-456E-92AD-F63DBC71F900@gmail.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> <1597170509.4325.55.camel@HansenPartnership.com> <2CA41152-6445-4716-B5EE-2D14E5C59368@gmail.com> <1597246946.7293.9.camel@HansenPartnership.com> <3F328A12-25DD-418B-A7D0-64DA09236E1C@gmail.com> <1597329763.3708.13.camel@HansenPartnership.com> To: James Bottomley X-Mailer: Apple Mail (2.3608.80.23.2.2) Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org > On Aug 13, 2020, at 10:42 AM, James Bottomley = wrote: >=20 > On Thu, 2020-08-13 at 10:21 -0400, Chuck Lever wrote: >>> On Aug 12, 2020, at 11:42 AM, James Bottomley >> enPartnership.com> wrote: > [...] >>> For most people the security mechanism of local xattrs is >>> sufficient. If you're paranoid, you don't believe it is and you >>> use EVM. >>=20 >> When IMA metadata happens to be stored in local filesystems in >> a trusted xattr, it's going to enjoy the protection you describe >> without needing the addition of a cryptographic signature. >>=20 >> However, that metadata doesn't live its whole life there. It >> can reside in a tar file, it can cross a network, it can live >> on a back-up tape. I think we agree that any time that metadata >> is in transit or at rest outside of a Linux local filesystem, it >> is exposed. >>=20 >> Thus I'm interested in a metadata protection mechanism that does >> not rely on the security characteristics of a particular storage >> container. For me, a cryptographic signature fits that bill >> nicely. >=20 > Sure, but one of the points about IMA is a separation of mechanism = from > policy. Signed hashes (called appraisal in IMA terms) is just one > policy you can decide to require or not or even make it conditional on > other things. AFAICT, the current EVM_IMA_DIGSIG and EVM_PORTABLE_DIGSIG formats are always signed. The policy choice is whether or not to verify the signature, not whether or not the metadata format is signed. -- Chuck Lever chucklever@gmail.com From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00,DKIM_ADSP_CUSTOM_MED, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 74D07C433DF for ; Thu, 13 Aug 2020 15:04:13 +0000 (UTC) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 1793C20658 for ; Thu, 13 Aug 2020 15:04:12 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 1793C20658 Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=gmail.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-495-4sPx6O5QN6Oi8ZWhag4HBg-1; Thu, 13 Aug 2020 11:04:09 -0400 X-MC-Unique: 4sPx6O5QN6Oi8ZWhag4HBg-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E798E51B3; Thu, 13 Aug 2020 15:04:05 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 86A3E600E4; Thu, 13 Aug 2020 15:04:05 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 1F376181A872; Thu, 13 Aug 2020 15:04:05 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 07DEuScs023234 for ; Thu, 13 Aug 2020 10:56:28 -0400 Received: by smtp.corp.redhat.com (Postfix) id 4B36B2022789; Thu, 13 Aug 2020 14:56:28 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast01.extmail.prod.ext.rdu2.redhat.com [10.11.55.17]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 46AA72026F94 for ; Thu, 13 Aug 2020 14:56:26 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-1.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 252D685A5B8 for ; Thu, 13 Aug 2020 14:56:26 +0000 (UTC) Received: from mail-il1-f194.google.com (mail-il1-f194.google.com [209.85.166.194]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-240-H0r_7sObOsiiTfNpeJq8fw-1; Thu, 13 Aug 2020 10:56:21 -0400 X-MC-Unique: H0r_7sObOsiiTfNpeJq8fw-1 Received: by mail-il1-f194.google.com with SMTP id t13so5759175ile.9; Thu, 13 Aug 2020 07:56:21 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=h86jHgXoGDrr6y1H8GyRJonT43XDQUGwHsyIjrhVClo=; b=PcjtA72WquiVEoTayK79h4ouDKuU3R6FFRQKvaK6m+giwek233klAZ57Mx2W3bQErz ViZ3xwrjeoW4ve5Lu9lzMmismO6zOpqcdDKt5jjMqEbqW1O6ZHOYGJlXdcxpYoJ/V//T CIDQkVAK1KZ3AgOkPPqUU9pYFN9llq8KMOaReQ8014n2a6qOtY4K0IhKFKP7pl4PWRZk JJKdiywJuyCJvZn6FSX81YoS+j5jViVMR3JUSYMNu+57TIj+Lv/aLW73qzZiGsOjwQQw 5jrdshOKSBnkTpoVrpNn+U15WqS4SE4UFYLSunSDjZ27oBJMHwGcgC+HAZUBG+24HZ8L d0/w== X-Gm-Message-State: AOAM532w2Z+KquI4iSGey0emtPkgyusx19hE6aXkTrVpYg41STeCzU+Z WXD2v88/YUJcy7BeD9WBLf4= X-Google-Smtp-Source: ABdhPJyufAWBDkWl0rbFsm4iCNiuMOHAC/vQfunIPsTD3bDPGN/H0DAGcWooZcr1d23PB42mHpq9Dw== X-Received: by 2002:a92:99ca:: with SMTP id t71mr2876299ilk.143.1597330580641; Thu, 13 Aug 2020 07:56:20 -0700 (PDT) Received: from anon-dhcp-152.1015granger.net (c-68-61-232-219.hsd1.mi.comcast.net. [68.61.232.219]) by smtp.gmail.com with ESMTPSA id p13sm2089843ilb.61.2020.08.13.07.56.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Aug 2020 07:56:19 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\)) Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) From: Chuck Lever In-Reply-To: <1597329763.3708.13.camel@HansenPartnership.com> Date: Thu, 13 Aug 2020 10:56:17 -0400 Message-Id: <49A45475-20D8-456E-92AD-F63DBC71F900@gmail.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> <1597170509.4325.55.camel@HansenPartnership.com> <2CA41152-6445-4716-B5EE-2D14E5C59368@gmail.com> <1597246946.7293.9.camel@HansenPartnership.com> <3F328A12-25DD-418B-A7D0-64DA09236E1C@gmail.com> <1597329763.3708.13.camel@HansenPartnership.com> To: James Bottomley X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false; X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-MIME-Autoconverted: from quoted-printable to 8bit by lists01.pubmisc.prod.ext.phx2.redhat.com id 07DEuScs023234 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Thu, 13 Aug 2020 11:02:55 -0400 Cc: snitzer@redhat.com, Deven Bowers , Mimi Zohar , dm-devel@redhat.com, tyhicks@linux.microsoft.com, Pavel Machek , agk@redhat.com, Sasha Levin , Jonathan Corbet , James Morris , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linux.microsoft.com X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0.501 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit > On Aug 13, 2020, at 10:42 AM, James Bottomley wrote: > > On Thu, 2020-08-13 at 10:21 -0400, Chuck Lever wrote: >>> On Aug 12, 2020, at 11:42 AM, James Bottomley >> enPartnership.com> wrote: > [...] >>> For most people the security mechanism of local xattrs is >>> sufficient. If you're paranoid, you don't believe it is and you >>> use EVM. >> >> When IMA metadata happens to be stored in local filesystems in >> a trusted xattr, it's going to enjoy the protection you describe >> without needing the addition of a cryptographic signature. >> >> However, that metadata doesn't live its whole life there. It >> can reside in a tar file, it can cross a network, it can live >> on a back-up tape. I think we agree that any time that metadata >> is in transit or at rest outside of a Linux local filesystem, it >> is exposed. >> >> Thus I'm interested in a metadata protection mechanism that does >> not rely on the security characteristics of a particular storage >> container. For me, a cryptographic signature fits that bill >> nicely. > > Sure, but one of the points about IMA is a separation of mechanism from > policy. Signed hashes (called appraisal in IMA terms) is just one > policy you can decide to require or not or even make it conditional on > other things. AFAICT, the current EVM_IMA_DIGSIG and EVM_PORTABLE_DIGSIG formats are always signed. The policy choice is whether or not to verify the signature, not whether or not the metadata format is signed. -- Chuck Lever chucklever@gmail.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit From mboxrd@z Thu Jan 1 00:00:00 1970 From: Chuck Lever Subject: Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) Date: Thu, 13 Aug 2020 10:56:17 -0400 Message-ID: <49A45475-20D8-456E-92AD-F63DBC71F900@gmail.com> References: <20200728213614.586312-1-deven.desai@linux.microsoft.com> <20200802115545.GA1162@bug> <20200802140300.GA2975990@sasha-vm> <20200802143143.GB20261@amd> <1596386606.4087.20.camel@HansenPartnership.com> <1596639689.3457.17.camel@HansenPartnership.com> <329E8DBA-049E-4959-AFD4-9D118DEB176E@gmail.com> <1597073737.3966.12.camel@HansenPartnership.com> <6E907A22-02CC-42DD-B3CD-11D304F3A1A8@gmail.com> <1597124623.30793.14.camel@HansenPartnership.com> <16C3BF97-A7D3-488A-9D26-7C9B18AD2084@gmail.com> <1597170509.4325.55.camel@HansenPartnership.com> <2CA41152-6445-4716-B5EE-2D14E5C59368@gmail.com> <1597246946.7293.9.camel@HansenPartnership.com> <3F328A12-25DD-418B-A7D0-64DA09236E1C@gmail.com> <1597329763.3708.13.camel@HansenPartnership.com> Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\)) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <1597329763.3708.13.camel@HansenPartnership.com> Sender: owner-linux-security-module@vger.kernel.org To: James Bottomley Cc: Mimi Zohar , James Morris , Deven Bowers , Pavel Machek , Sasha Levin , snitzer@redhat.com, dm-devel@redhat.com, tyhicks@linux.microsoft.com, agk@redhat.com, Paul Moore , Jonathan Corbet , nramas@linux.microsoft.com, serge@hallyn.com, pasha.tatashin@soleen.com, Jann Horn , linux-block@vger.kernel.org, Al Viro , Jens Axboe , mdsakib@microsoft.com, open list , eparis@redhat.com, linux-security-module@vger.kernel.org, linux-audit@redhat.com, linux-fsdevel , linux-integrity@vger.kernel.org, jaskarankhurana@linu List-Id: dm-devel.ids > On Aug 13, 2020, at 10:42 AM, James Bottomley = wrote: >=20 > On Thu, 2020-08-13 at 10:21 -0400, Chuck Lever wrote: >>> On Aug 12, 2020, at 11:42 AM, James Bottomley >> enPartnership.com> wrote: > [...] >>> For most people the security mechanism of local xattrs is >>> sufficient. If you're paranoid, you don't believe it is and you >>> use EVM. >>=20 >> When IMA metadata happens to be stored in local filesystems in >> a trusted xattr, it's going to enjoy the protection you describe >> without needing the addition of a cryptographic signature. >>=20 >> However, that metadata doesn't live its whole life there. It >> can reside in a tar file, it can cross a network, it can live >> on a back-up tape. I think we agree that any time that metadata >> is in transit or at rest outside of a Linux local filesystem, it >> is exposed. >>=20 >> Thus I'm interested in a metadata protection mechanism that does >> not rely on the security characteristics of a particular storage >> container. For me, a cryptographic signature fits that bill >> nicely. >=20 > Sure, but one of the points about IMA is a separation of mechanism = from > policy. Signed hashes (called appraisal in IMA terms) is just one > policy you can decide to require or not or even make it conditional on > other things. AFAICT, the current EVM_IMA_DIGSIG and EVM_PORTABLE_DIGSIG formats are always signed. The policy choice is whether or not to verify the signature, not whether or not the metadata format is signed. -- Chuck Lever chucklever@gmail.com