[dm-devel] [PATCH 0/2] dm-devel:dm-crypt: infrastructure for measurement of DM target data using IMA
Tushar Sugandhi
tusharsu at linux.microsoft.com
Mon Aug 17 22:45:17 UTC 2020
On 2020-08-17 2:46 p.m., Mimi Zohar wrote:
> On Sun, 2020-08-16 at 14:02 -0700, Tushar Sugandhi wrote:
>> There are several device-mapper targets which contribute to verify
>> the integrity of the mapped devices e.g. dm-integrity, dm-verity,
>> dm-crypt etc.
>>
>> But they do not use the capabilities provided by kernel integrity
>> subsystem (IMA). For instance, the IMA capability that measures several
>> in-memory constructs and files to detect if they have been accidentally
>> or maliciously altered, both remotely and locally. IMA also has the
>> capability to include these measurements in the IMA measurement list and
>> use them to extend a TPM PCR so that it can be quoted.
>
> "both remotely" refers to measurement and attestation, while "locally"
> refers to integrity enforcement, based on hashes or signatures. Is
> this patch set adding both IMA-measurement and IMA-appraisal?
>
> Mimi
>
Thanks Mimi for looking at this patch set.
I added both "remotely" and "locally" in the description, so that
people less familiar with IMA would get a general overview of whats
possible with IMA.
In this patch set we are only adding support for measurement and
attestation. In the next iteration, I will remove the references to
"local" detection.
~Tushar
<snip>
More information about the dm-devel
mailing list