Date: Fri, 4 Jun 2010 11:56:59 +0500
Subject: Re: [PATCH 00/14] EVM
From: Shaz
To: James Morris
Cc: Mimi Zohar, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, David Safford, Dave Hansen, Arjan van de Ven, securityengineeringresearchgroup
References: <1271886594-3719-1-git-send-email-zohar@linux.vnet.ibm.com> <1275420536.28134.37.camel@localhost.localdomain>

On Fri, Jun 4, 2010 at 5:57 AM, James Morris wrote:
> On Tue, 1 Jun 2010, Mimi Zohar wrote:
>
>> SELinux, Smack, Capabilities, and IMA all use extended attributes. The
>> purpose of EVM is to detect offline tampering of these security extended
>> attributes.
>
> One issue mentioned to me off-list is that if EVM is only protecting
> against offline attacks, why not just encrypt the entire volume ?

Are you sure that EVM protects against offline attacks only? Why and
why not encrypt the whole volume?

> This would provide confidentiality and integrity protection for all data
> and metadata, rather than just integrity for xattr metadata.

--
Shaz