Re: [RFC][PATCH v1 0/2] integrity: module integrity verification
From: Kasatkin, Dmitry
Date: Wed Feb 08 2012 - 09:02:30 EST
On Wed, Feb 8, 2012 at 3:45 PM, Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
> On Wed, 2012-02-08 at 10:09 +1030, Rusty Russell wrote:
>> On Tue, 7 Feb 2012 23:18:38 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@xxxxxxxxx> wrote:
>> > On Tue, Feb 7, 2012 at 7:13 PM, Rusty Russell <rusty@xxxxxxxxxx> wrote:
>> > > On Mon, 6 Feb 2012 08:59:00 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@xxxxxxxxx> wrote:
>> > >> On Mon, Feb 6, 2012 at 3:51 AM, James Morris <jmorris@xxxxxxxxx> wrote:
>> > >> > On Wed, 1 Feb 2012, Dmitry Kasatkin wrote:
>> > >> >
>> > >> >> Hi,
>> > >> >>
>> > >> >> Here is another module verification patchset, which is based on the recently
>> > >> >> upstreamed digital signature support used by EVM and IMA-appraisal.
>> > >> >
>> > >> > You should cc: Rusty on any changes to the module code.
>> > >> >
>> > >>
>> > >> Hello,
>> > >>
>> > >> Mimi already has pointed that out.
>> > >> I have sent him an email with the link..
>> > >
>> > > Thanks.
>> > >
>> > > Using an external signature (via cmdline arguments) is simple, at
>> > > least. ÂNot sure what the userspace side of this looks like?
>> > >
>> >
>> > Hello,
>> >
>> > There are couple of patches for modprobe and insmod...
>> >
>> > You could see them on the top at:
>> > http://linux-ima.git.sourceforge.net/git/gitweb.cgi?p=linux-ima/module-init-tools.git;a=summary
>> >
>> > It first tries to read signature from xattr, then from file...
>> > "modprobe -v" will show 'ima=' Âparameter with signature.
>> >
>> > - Dmitry
>>
>> The problem is that distributions tend to have two variants of modules:
>> stripped and unstripped. ÂThus you may want to support multiple
>> signatures, any *one* of which may match.
>>
>> I've cc'd the module-init-tools and libkmod maintainers for their
>> comments, too.
>>
>> Cheers,
>> Rusty.
>
> Hi Rusty,
>
> As a distro knows what it is shipping, why would you need support for
> both stripped/unstripped versions. ÂUnless "stripping" occurs post
> install. ÂPerhaps something similar to 'prelink'?
>
How are they distributed? In separate packages?
And striped during package creation?
Then during package building, before archiving, signing tool is simply
invoked for each binary package,
so "same" modules from different packages will get own signature.
Or it goes some other way?
> thanks,
>
> Mimi
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/