Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary

From: Vivek Goyal
Date: Thu Jan 17 2013 - 10:22:21 EST


On Thu, Jan 17, 2013 at 05:06:09PM +0200, Kasatkin, Dmitry wrote:

[..]
> One important thing to mention.
> Protecting ELF-only does not help too much in protecting the system.
> There are plenty of init, upstart and systemd scripts which must be
> verified as well. IMA does it.

Actually that would be a different requirement altogether. I am not
trying to verify all the processes started by root. I am just trying
to sign and verify the signature of select user processes, and if the
signatures are verified, the kernel grants those processes an extra
capability and allows calling sys_kexec() when secureboot is enabled.

So for my use case, I don't care if there are so many other unsigned
processes running in the system.

Thanks
Vivek