From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from lan.nucleusys.com ([92.247.61.126]:43911 "EHLO zztop.nucleusys.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1756275AbbEUQvO (ORCPT ); Thu, 21 May 2015 12:51:14 -0400 Date: Thu, 21 May 2015 19:51:02 +0300 From: Petko Manolov To: Andy Lutomirski Cc: David Howells , Mimi Zohar , Joey Lee , Rusty Russell , Kyle McMartin , Sedat Dilek , LSM List , Jiri Kosina , Konstantin Ryabitsev , Michal Marek , Seth Forshee , "Luis R. Rodriguez" , "linux-kernel@vger.kernel.org" , Borislav Petkov , David Woodhouse , Linux Wireless List , Linus Torvalds , Greg Kroah-Hartman , James Morris , keyrings@linux-nfs.org, Abelardo Ricart III , "Serge E. Hallyn" Subject: Re: [RFD] linux-firmware key arrangement for firmware signing Message-ID: <20150521165101.GI18164@localhost> (sfid-20150521_185126_291461_C58EFFE6) References: <20150519200232.GM23057@wotan.suse.de> <555BA438.2070802@kernel.org> <20150519221128.GP23057@wotan.suse.de> <9567.1432223509@warthog.procyon.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii In-Reply-To: Sender: linux-wireless-owner@vger.kernel.org List-ID: On 15-05-21 09:39:50, Andy Lutomirski wrote: > > It's also a performance cost because the average user of this signature stuff > doesn't actually want IMA, and IMA is checking the wrong think anyway. > IMA/EVM tells us "this file validly belongs in /lib/modules/whatever according > to whomever we trust for the filesystem". We want to check "is this data, > regardless of where it was read from, a trusted module". IMA-appraise does not care where the file comes from (although it may be persuaded to) and verifies file's data and meta-data against a signature. I guess you should actually read the code. :) Petko