Re: [PATCH 00/23] Crypto keys and module signing

From: David Howells
Date: Fri May 25 2012 - 09:54:07 EST


Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:

> The issue here is whether we want the integrity metadata for kernel
> modules to be stored differently than for all other files.

Surely it's handled differently. The kernel is told by insmod what the
signature should be in your scheme rather than going looking for it itself. In
such a case, why not include the signature in the module file? It's more
efficient on the filesystem, doesn't require xattr support and is easier for
things like the initramfs composer to deal with.

Btw, am I right in thinking that with IMA, the kernel itself normally goes and
finds the signature (if there is one) for a file when it needs to open a file?
Do you only check the IMA when exec'ing a file or whenever you open it?

David