Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)

From: Mimi Zohar
Date: Thu Aug 06 2020 - 13:35:00 EST

On Thu, 2020-08-06 at 09:51 +1000, James Morris wrote:
> On Wed, 5 Aug 2020, Mimi Zohar wrote:
> > If block layer integrity was enough, there wouldn't have been a need
> > for fs-verity. Even fs-verity is limited to read only filesystems,
> > which makes validating file integrity so much easier. From the
> > beginning, we've said that fs-verity signatures should be included in
> > the measurement list. (I thought someone signed on to add that support
> > to IMA, but have not yet seen anything.)
> >
> > Going forward I see a lot of what we've accomplished being incorporated
> > into the filesystems. When IMA will be limited to defining a system
> > wide policy, I'll have completed my job.
> What are your thoughts on IPE being a standalone LSM? Would you prefer to
> see its functionality integrated into IMA?

Improving the integrity subsystem would be preferred.