Re: IMA: How to manage user space signing policy with others

[Eric Paris]

On Thu, Feb 28, 2013 at 4:35 PM, Vivek Goyal <vgoyal@xxxxxxxxxx> wrote:
> On Thu, Feb 28, 2013 at 02:23:39PM -0500, Mimi Zohar wrote:

I think just a second for both of you to step back and see a slightly
larger picture/problem might help.

This is a weird case where Vivek does not trust root to make the
policy decision.  If the box is configured for secure boot, it needs
to make these decisions no matter what the admin wants.  This is why
he talks about trying to merge multiple competing policies.  The
current IMA policy is controlled by whomever can first write to the
ima policy file interface.  Vivek does not want an admin to be able to
overwrite the secureboot policy.  So I get why he thinks changes may
be needed to support this use case.

The ima_tcb policy was meant to be larger than needed to determine a
trusted computing base, but it is clearly not a superset of what he is
hoping to accomplish.

So how do we take a system where the admin/software has some control
over the integrity policy (as it is today?) and the kernel/system
itself also has control (as Vivek wants it)?

It seems unsolved with what we have today....

-Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/