Re: [Linux-ima-user] Initramfs and IMA Appraisal

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On Wed, 2014-12-03 at 23:44 +0200, Dmitry Kasatkin wrote:
> >> But there may be a different solution for this.
> >> Leave security.evm with HMAC functioning as it is and add new
> >extended
> >> attribute security.evmsig
> >> which will protect attrs and xattrs additionally with signatures.
> >
> >Let's think about this some.
> 
> Actually new xattr type can be used which includes both hmac and
> signature to avoid using additional xattr.

Having both the HMAC, which includes the i_ino and i_version, and a
system independent signature type (based on a subset of the HMAC fields)
in a single xattr is a performance improvement.  We would still need a
new type containing just the system independent signature, which could
be included in software packages and archives.

Mimi