Re: [PATCH v3 00/10] evm: Support signatures on stacked filesystem

From: Mimi Zohar
Date: Tue Apr 09 2024 - 17:30:33 EST


On Fri, 2024-02-23 at 12:25 -0500, Stefan Berger wrote:
> EVM signature verification on stacked filesystem has recently been
> completely disabled by declaring some filesystems as unsupported
> (only overlayfs). This series now enables copy-up of "portable
> and immutable" signatures on those filesystems and enables the
> enforcement of "portable and immultable" as well as the "original"
> signatures on previously unsupported filesystem when evm is enabled
> with EVM_INIT_X509. HMAC verification and generation remains disabled.
>
> "Portable and immutable" signatures can be copied up since they are
> not created over file-specific metadata, such as UUID or generation.
> Instead, they are only covering file metadata such as mode bits, uid, and
> gid, that will all be preserved during a copy-up of the file metadata.
>
> This series is now based on the 'next' branch of Paul Moore's LSM tree and
> requires the following two commits from the vfs.misc branch of the vfs git
> repo at https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
>
> commit 2109cc619e73 ("fs: remove the inode argument to ->d_real() method")
> commit c6c14f926fbe ("fs: make file_dentry() a simple accessor")

Thanks, Stefan. The patch set is now queued in the next-integrity branch.
https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git/

Mimi