From: Patrick O. <pat...@in...> - 2017-01-10 08:52:30
On Mon, 2017-01-09 at 18:11 -0500, Mimi Zohar wrote:
> On Tue, 2017-01-10 at 00:06 +0300, Mikhail Kurinnoi wrote:
> > If EVM is enabled, the only way is patched archiver that will store EVM
> > portable signature during file packing instead of HMAC (I am testing
> > such patch now for tar with libimaevm). The idea is - prevent HMAC to
> > be stored in archive (store EVM portable digsig in this case), since we
> > can copy only EVM digsig xattr from archive during unpacking any way.
>
> The archiver is normally general purpose. Getting EVM or IMA specific
> code upstreamed in the archive code will be difficult.

I agree; probably it would be better (and fairly easy) to build a custom
pack/unpack tool based on libarchive.

--
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.