Re: [PATCH 2/4] integrity: Linux Integrity Module(LIM)

[david safford]

On Thu, 2008-11-20 at 14:26 -0500, Christoph Hellwig wrote: 
> On Thu, Nov 20, 2008 at 02:21:38PM -0500, david safford wrote:
> > The consensus in the (insane) security community was to have an
> > interface with selectable modules similar to LSM and its modules,
> > so that users could easily choose among a set of integrity providers.
> 
> So what other integrity provider is there waiting to be merged?  Unless
> there is a realistic mid-term candidate it's just pure bloat, and we
> can introduce an abstraction once it's actually needed.
> 

IMA tries to be generic, but it is still oriented around the Trusted
Computing Group concept of hardware anchored lists of file measurements.
We know of other projects looking at measurements of things that are
not files, such as introspection of process memory invariants, and
other integrity models not anchored in TCG hardware, such as public 
key signed files. I don't really know how close these other projects 
are to submission, but when this was reviewed on the LSM mailing list, 
everyone agreed with the abstraction. Hopefully some of the other
interested people will chime in here.

dave
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/