please elaborate on the wiki what the ima_appraise options actually mean? I
can take a guess, but a simple table explaining exactly what they are would
be useful. Same with the evm options.

Additionally, the wiki (as I
have read it) suggests that measuring is enabled and on when the ima_tcb
kernel option is given. From what you've written on the list, it should be
possible to appraise when a file is mmapped, opened or executed according to
the policy without being measured. Can you make this a bit more explicit in
the wiki, explaining what the measurement options are to enable/disable
measurement? If this is done via the policy instead of via a kernel option,
can you adjust that as well (I don't know if there's a policy option of

You're doing some great work here. While I'm not
using IMA for attestation, I'm planning on verifying all my configuration
files and executables. The features you've got ready for the 3.3 merge seem
to fit exactly what I'm after, but I need to know what to set in kernel
first. Keep up the good work.
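One way to do what the poster is after (appraise executables, mmapped libraries and configuration files without measuring them) is a custom policy that contains only appraise rules. The script below is an added example, not from the mailing-list post, the IMA wiki or the kernel tree: it emits such a policy, checks statically that no "measure" rule slipped in, and only then offers to load it. The rule syntax (action, func=, mask=, uid=, fsmagic=, dont_appraise) and the securityfs path are the kernel's; the choice of rules, the uid restriction and the two-step fix/enforce labelling workflow in the comments are assumptions for illustration, and whether appraise rules are accepted with no measure rules at all is exactly the point the poster asks the wiki to confirm.

```shell
#!/bin/sh
# Added example (not from the post or the IMA wiki): an appraise-only
# custom IMA policy plus a static sanity check before loading it.
# Assumptions: the kernel was booted with ima_appraise=fix (to label
# files with security.ima on first access) and later ima_appraise=enforce;
# no ima_tcb, so nothing is measured into the runtime measurement list.

IMA_POLICY=/sys/kernel/security/ima/policy   # securityfs, kernel path

# Emit the policy text.  IMA rules are "action [condition ...]", one per
# line.  Comment lines are stripped again before loading, so they are safe
# here even on a parser that does not skip them.
appraise_only_policy() {
    cat <<'EOF'
# Pseudo-filesystems never carry security.ima xattrs: skip them.
dont_appraise fsmagic=0x9fa0
dont_appraise fsmagic=0x62656572
dont_appraise fsmagic=0x64626720
dont_appraise fsmagic=0x01021994
dont_appraise fsmagic=0x858458f6
dont_appraise fsmagic=0x73636673
# Executables, executable mappings (shared libraries) and files opened
# for reading by root (uid=0 is an assumed scope): appraise, never measure.
appraise func=BPRM_CHECK
appraise func=MMAP_CHECK mask=MAY_EXEC
appraise func=FILE_CHECK mask=MAY_READ uid=0
EOF
}

# Count rules on stdin whose action word equals $1 (comments never match
# because "#" is never an action).
count_action() {
    awk -v a="$1" '$1 == a { n++ } END { print n + 0 }'
}

# Return 0 if the policy on stdin contains no measure rule at all.
policy_measures_nothing() {
    n=$(count_action measure)
    [ "$n" -eq 0 ]
}

# Strip comments and blank lines, then write the policy to securityfs.
# Refuses to load anything that would start measuring, which is the
# property the poster wants to rely on.
load_policy() {
    text=$(appraise_only_policy)
    if ! printf '%s\n' "$text" | policy_measures_nothing; then
        echo "refusing to load: policy contains measure rules" >&2
        return 1
    fi
    if [ ! -w "$IMA_POLICY" ]; then
        echo "cannot write $IMA_POLICY (root? securityfs mounted?)" >&2
        return 1
    fi
    printf '%s\n' "$text" | grep -v '^#' | grep -v '^$' > "$IMA_POLICY"
}

# Usage: ./ima-policy.sh          -> print the policy
#        ./ima-policy.sh --load   -> load it (as root, once files are labelled)
case "${1:-}" in
    --load) load_policy ;;
    *)      appraise_only_policy ;;
esac
```

Label files first: boot with ima_appraise=fix and this policy loaded, exercise the executables and configuration files once so security.ima gets written, then reboot with ima_appraise=enforce. Until every appraised file carries a valid security.ima, enforce mode will refuse to open it.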