Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)

[RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 02/11] security: add ipe lsm evaluation loop and audit system · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 09/11] dm-verity: add bdev_setsecurity hook for root-hash · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 11/12] documentation: add ipe documentation · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 06/11] dm-verity: move signature check after tree validation · Deven Bowers <hidden> · 2020-07-28
Re: [RFC PATCH v5 06/11] dm-verity: move signature check after tree validation · Eric Biggers <ebiggers@kernel.org> · 2020-07-28
Re: [RFC PATCH v5 06/11] dm-verity: move signature check after tree validation · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 12/12] cleanup: uapi/linux/audit.h · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 08/11] ipe: add property for signed dmverity volumes · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 10/12] ipe: add property for dmverity roothash · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 03/11] security: add ipe lsm policy parser and policy loading · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 11/11] cleanup: uapi/linux/audit.h · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 10/11] documentation: add ipe documentation · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 05/11] fs: add security blob and hooks for block_device · Deven Bowers <hidden> · 2020-07-28
Re: [RFC PATCH v5 05/11] fs: add security blob and hooks for block_device · Casey Schaufler <casey@schaufler-ca.com> · 2020-07-28
Re: [RFC PATCH v5 05/11] fs: add security blob and hooks for block_device · Al Viro <viro@zeniv.linux.org.uk> · 2020-07-28
Re: [RFC PATCH v5 05/11] fs: add security blob and hooks for block_device · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 07/11] dm-verity: add bdev_setsecurity hook for dm-verity signature · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 04/11] ipe: add property for trust of boot volume · Deven Bowers <hidden> · 2020-07-28
[RFC PATCH v5 01/11] scripts: add ipe tooling to generate boot policy · Deven Bowers <hidden> · 2020-07-28
Re: [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Pavel Machek <hidden> · 2020-08-02
Re: [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Sasha Levin <sashal@kernel.org> · 2020-08-02
Re: [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Pavel Machek <hidden> · 2020-08-02
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-02
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Deven Bowers <hidden> · 2020-08-04
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-05
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Morris <jmorris@namei.org> · 2020-08-05
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-05
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Morris <jmorris@namei.org> · 2020-08-05
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-06
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Morris <jmorris@namei.org> · 2020-08-07
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-07
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-07
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Morris <jmorris@namei.org> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-08
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-09
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Mimi Zohar <zohar@linux.ibm.com> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-10
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Pavel Machek <hidden> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-13
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-13
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-14
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-13
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Bottomley <James.Bottomley@HansenPartnership.com> · 2020-08-13
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-13
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · James Morris <jmorris@namei.org> · 2020-08-11
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Chuck Lever <hidden> · 2020-08-12
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE) · Deven Bowers <hidden> · 2020-08-12

From: Pavel Machek <hidden>
Date: 2020-08-11 19:30:25
Also in: dm-devel, linux-block, linux-fsdevel, linux-integrity, lkml

Hi!

quoted

(eg, a specification) will be critical for remote filesystems.

If any of this is to be supported by a remote filesystem, then we
need an unencumbered description of the new metadata format
rather than code. GPL-encumbered formats cannot be contributed to
the NFS standard, and are probably difficult for other
filesystems that are not Linux-native, like SMB, as well.

I don't understand what you mean by GPL encumbered formats.  The
GPL is a code licence not a data or document licence.

IETF contributions occur under a BSD-style license incompatible
with the GPL.

https://trustee.ietf.org/trust-legal-provisions.html

Non-Linux implementers (of OEM storage devices) rely on such
standards processes to indemnify them against licensing claims.

Well, that simply means we won't be contributing the Linux
implementation, right? However, IETF doesn't require BSD for all
implementations, so that's OK.

quoted

Today, there is no specification for existing IMA metadata formats,
there is only code. My lawyer tells me that because the code that
implements these formats is under GPL, the formats themselves cannot
be contributed to, say, the IETF without express permission from the
authors of that code. There are a lot of authors of the Linux IMA
code, so this is proving to be an impediment to contribution. That
blocks the ability to provide a fully-specified NFS protocol
extension to support IMA metadata formats.

Well, let me put the counterpoint: I can write a book about how
linux

You should probably talk to your lawyer.

device drivers work (which includes describing the data formats), for
instance, without having to get permission from all the authors ... or
is your lawyer taking the view we should be suing Jonathan Corbet,
Alessandro Rubini, and Greg Kroah-Hartman for licence infringement?  In
fact do they think we now have a huge class action possibility against
O'Reilly  and a host of other publishers ...

Because yes, you can reverse engineer for compatibility reasons --
doing clean room re-implementation (BIOS binary -> BIOS documentation
-> BIOS sources under different license), but that was only tested in
the US, is expensive, and I understand people might be uncomfortable
doing that.

Best regards,
									Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachments

signature.asc [application/pgp-signature] 195 bytes

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help