From: Mark Wielaard <mark@klomp.org>
To: Aaron Merey <amerey@redhat.com>, "Frank Ch. Eigler" <fche@redhat.com>
Cc: elfutils-devel@sourceware.org
Subject: Re: [rfc] [patch] PR28204: debuginfod ima signature verification
Date: Tue, 14 May 2024 17:18:44 +0200 [thread overview]
Message-ID: <b129715065f532a004f549005316241fd2338fdd.camel@klomp.org> (raw)
In-Reply-To: <CAJDtP-Sq=m0nUwy4B-UsN-mAEp72Hv55HT3vM7VBiJafS4DK7A@mail.gmail.com>
Hi Aaron,
On Thu, 2024-05-09 at 13:56 -0400, Aaron Merey wrote:
> I know there's already been a lot of discussion re. ima:permissive and
> I'm weighing in rather late, but FWIW I do support including it.
> Currently individual ELF sections cannot be downloaded when
> ima:enforcing is active. With ima:permissive we could support proper
> section queries while also being able to perform some amount of
> ima verification.
But what would "some amount of ima verification" mean?
I think we (me included, for suggesting some of it in the first place)
made things way to complicated by supporting multiple different ima
certificates and then also splitting ima verification policy per server
URL. If we also add different policies for the "amount" of ima we do
then it because really hard to reason about imho.
We should probably take a step back and formulate the security attack
we are trying to defend against with ima verification first.
Cheers,
Mark
prev parent reply other threads:[~2024-05-14 15:18 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-03 21:04 Frank Ch. Eigler
2024-04-09 12:31 ` Mark Wielaard
2024-04-10 21:01 ` Frank Ch. Eigler
2024-04-11 10:14 ` Mark Wielaard
2024-04-11 14:09 ` Frank Ch. Eigler
2024-04-16 22:15 ` Frank Ch. Eigler
2024-05-05 1:30 ` Frank Ch. Eigler
2024-05-09 17:56 ` Aaron Merey
2024-05-14 15:18 ` Mark Wielaard [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b129715065f532a004f549005316241fd2338fdd.camel@klomp.org \
--to=mark@klomp.org \
--cc=amerey@redhat.com \
--cc=elfutils-devel@sourceware.org \
--cc=fche@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).