Re: [RFC PATCH 0/6][v3] ima: Support a mode to appraise signed filesonly

From: Vivek Goyal
Date: Thu Feb 14 2013 - 16:45:54 EST

On Thu, Feb 14, 2013 at 03:51:24PM -0500, Mimi Zohar wrote:
> On Thu, 2013-02-14 at 14:55 -0500, Vivek Goyal wrote:
> > Hi,
> >
> > Currently ima appraises all the files as specified by the rule.
> Currently IMA appraises files based on policy.

And policy is composed of multiple rules. Ok, will change it.

> > So
> > if one wants to create a system where only few executables are
> > signed, that system will not work with IMA.
> This statement misrepresents the IMA policy. You can definitely define
> a policy that only measures/appraises a few specific files. In your
> usecase scenario, you are not willing to rely on LSM labels. Policy
> rules can also be based on file owner. We could also add support for
> gid.

Ok, will change it. How about following.

We want to create a system where only few executables are signed. This
patch extends IMA policy syntax so that one can specify that signatures
are optional.

> > With secureboot, one needs to disable kexec so that unsigned kernels
> > can't be booted. To avoid this problem, it was proposed that sign
> > /sbin/kexec binary and if signatures are verified successfully, give
> > an special capability to the /sbin/kexec process. And in secureboot
> > mode processes with that special capability can invoke sys_kexec()
> > system call.
> Please add here that you then rely on /sbin/kexec to verify the
> integrity of the kernel image.

Ok, will do that. This is infact a grey area. Yet to be figured out
how /sbin/kexec will ensure a signed kernel is being loaded.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at