On Mon, 2013-01-21 at 11:42 -0500, Vivek Goyal wrote: > On Tue, Jan 15, 2013 at 11:55:59PM -0500, Mimi Zohar wrote: > > [..] > > Please remind me why you can't use IMA-appraisal, which was upstreamed > > in Linux 3.7? Why another method is needed? > > So is this IMA-appraisal also supports digital signatures? The IMA white > paper seems to put digital signatures in separate category > (IMA-Appraisal-Signature-Extension).
The white paper was written a couple of years ago, before either EVM or IMA-appraisal were upstreamed. - Linux 3.2: Extended Verification Module (EVM) - protects file metadata from offline modification - Linux 3.3: Dmitry Kasatkin's digital signature verification for use with EVM/IMA-appraisal. - Linux 3.7: IMA-appraisal/with digital signatures > > With IMA-appraisal, there are a couple of issues that would still need > > to be addressed: > > - missing the ability to specify the validation method required. Patches to address this issue are available from linux-integrity-test/ #next-ima-appraise-status and were posted on the LSM mailing list as an RFC (12/18/2012). Review of these patches would be appreciated. > > - modify the ima_appraise_tcb policy policy to require elf executables > > to be digitally signed. > > For my use case, all executable don't have to be digitally signed. If > something is digitally signed then do the signature verification. We already discussed this. Hard coding policy into the Linux kernel is wrong. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
