Subject: Re: [PATCH 00/14] EVM
From: Mimi Zohar
To: Shaz
Cc: Dmitry Kasatkin, James Morris, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, David Safford, Dave Hansen, Arjan van de Ven, securityengineeringresearchgroup
Date: Fri, 04 Jun 2010 11:09:18 -0400
Message-ID: <1275664158.3205.27.camel@localhost.localdomain>

On Fri, 2010-06-04 at 11:53 +0500, Shaz wrote:
> > Yes, verifying one file containing the hashes would be faster than
> > verifying individual hashes stored as extended attributes (xattrs), but
> > this does not take into account that files on a running system are being
> > modified or added. On a small form factor, the number of files is
> > limited, but would this scale well? In addition, what protects that one
> > file containing all the hashes from being modified? So, if you limit
>
> How about sealing to protect this file?

Was just indicating that the file needs to be protected. So, yes, sealing
the file, based on PCRs, would work in a trusted boot environment.

> > the types of files to those that don't change, and the number of file
> > hashes, then using a single file would be faster.
Mimi
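As an added illustration (not part of the thread, and not EVM/IMA code), a small Python model of the single-manifest design discussed above: it shows a modified file being caught, an added file not being covered, and why the manifest itself needs protection. TPM sealing is stood in for by an HMAC under a key derived from constructed PCR values; the file contents and PCR strings are constructed.

```python
import hashlib
import hmac
import json

GOOD_PCRS = ["pcr0=aaaa", "pcr1=bbbb"]  # constructed stand-in PCR values
BAD_PCRS = ["pcr0=aaaa", "pcr1=cafe"]   # same manifest, different boot chain

def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """The 'one file containing the hashes' design: path -> hash."""
    return {name: file_hash(data) for name, data in files.items()}

def seal_manifest(manifest: dict, pcrs: list) -> bytes:
    """Stand-in for TPM sealing: the MAC key is only reproducible under the same PCRs."""
    key = hashlib.sha256("|".join(pcrs).encode()).digest()
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).digest()

def verify(files: dict, manifest: dict, tag: bytes, pcrs: list) -> list:
    """Return the problems found; an empty list means the system verified."""
    if not hmac.compare_digest(seal_manifest(manifest, pcrs), tag):
        return ["manifest: seal check failed (edited, or PCRs differ from seal time)"]
    problems = []
    for name, data in files.items():
        if name not in manifest:
            problems.append(f"{name}: added after the manifest was built, not covered")
        elif manifest[name] != file_hash(data):
            problems.append(f"{name}: content changed")
    return problems

def demo() -> dict:
    files = {"/bin/sh": b"#!shell", "/etc/passwd": b"root:x:0:0"}  # constructed files
    manifest = build_manifest(files)
    tag = seal_manifest(manifest, GOOD_PCRS)
    changed = {**files, "/etc/passwd": b"root:x:0:0\nmallory:x:0:0"}
    added = {**files, "/usr/bin/new": b"new"}
    return {
        "clean": verify(files, manifest, tag, GOOD_PCRS),
        # a file modified on the running system is caught
        "modified": verify(changed, manifest, tag, GOOD_PCRS),
        # a file added on the running system is simply not covered
        "added": verify(added, manifest, tag, GOOD_PCRS),
        # rewriting the manifest to match the change fails without re-sealing
        "forged_manifest": verify(changed, build_manifest(changed), tag, GOOD_PCRS),
        # the same manifest and tag checked under a different boot chain
        "bad_boot": verify(files, manifest, tag, BAD_PCRS),
    }
```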