Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary

From: Vivek Goyal
Date: Thu Jan 17 2013 - 10:22:21 EST

Next message: Stephane Eranian: "[PATCH 0/2] perf stat: add interval counter printing"
Previous message: Alan Stern: "Re: [PATCH v2 4/4] usb: Add APIs to access host registers from TegraPHY"
In reply to: Kasatkin, Dmitry: "Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary"
Next in thread: Vivek Goyal: "Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jan 17, 2013 at 05:06:09PM +0200, Kasatkin, Dmitry wrote:

[..]
> One important thing to mention.
> Protecting ELF-only does not help too much in protecting the system.
> There are plenty of init, upstart and systemd scripts which must be
> verified as well. IMA does it.

Actually that would be a different requirement altogether. I am not
trying to verify all the processes started by root. I am just trying
to sign and verify signature of select user process and if signature
are verified, kernel grants those processes extra capability and allow
calling sys_kexec() when secureboot is enabled.

So for my use case, I don't care if there are so many other unsigned
processes running in the system.

Thanks
Vivek
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephane Eranian: "[PATCH 0/2] perf stat: add interval counter printing"
Previous message: Alan Stern: "Re: [PATCH v2 4/4] usb: Add APIs to access host registers from TegraPHY"
In reply to: Kasatkin, Dmitry: "Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary"
Next in thread: Vivek Goyal: "Re: [PATCH 2/3] binfmt_elf: Verify signature of signed elf binary"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]