Re: Kdump with signed images

From: Mimi Zohar
Date: Thu Oct 25 2012 - 14:42:38 EST

Next message: Greg Kroah-Hartman: "Re: [PATCH 2/3 v2] firmware: Add /proc/firmware_path entry to listthe firmware paths"
Previous message: Greg KH: "Re: [PATCH v4] serial/arc-uart: Add New Driver"
In reply to: Vivek Goyal: "Re: Kdump with signed images"
Next in thread: Vivek Goyal: "Re: Kdump with signed images"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 2012-10-25 at 10:10 -0400, Vivek Goyal wrote:
> On Thu, Oct 25, 2012 at 02:10:01AM -0400, Mimi Zohar wrote:
>
> [..]
> > IMA-appraisal verifies the integrity of file data, while EVM verifies
> > the integrity of the file metadata, such as LSM and IMA-appraisal
> > labels. Both 'security.ima' and 'security.evm' can contain digital
> > signatures.
>
> But the private key for creating these digital signature needs to be
> on the target system?
>
> Thanks
> Vivek

Absolutely not. The public key needs to be added to the _ima or _evm
keyrings. Roberto Sassu modified dracut and later made equivalent
changes to systemd. Both have been upstreamed. Dmitry has a package
that labels the filesystem called ima-evm-utils, which supports hash
(IMA), hmac(EVM) and digital signatures(both).

We're hoping that distro's would label all immutable files, not only elf
executables, with digital signatures and mutable files with a hash.

thanks,

Mimi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg Kroah-Hartman: "Re: [PATCH 2/3 v2] firmware: Add /proc/firmware_path entry to listthe firmware paths"
Previous message: Greg KH: "Re: [PATCH v4] serial/arc-uart: Add New Driver"
In reply to: Vivek Goyal: "Re: Kdump with signed images"
Next in thread: Vivek Goyal: "Re: Kdump with signed images"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]