On Fri, 2017-11-17 at 09:55 +0100, Roberto Sassu wrote:
> On 11/17/2017 2:08 AM, Kees Cook wrote:
> > On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu
> > wrote:
> >> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
> >>> Normally, the protection of kernel memory is out of scope
On Tue, Nov 7, 2017 at 8:45 AM, Roberto Sassu wrote:
> On 11/7/2017 2:37 PM, Mimi Zohar wrote:
>> Normally, the protection of kernel memory is out of scope for IMA.
>> This patch set introduces an in kernel white list, which would be a
>> prime target for attackers
On 11/9/2017 5:46 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 11:13 AM, Roberto Sassu wrote:
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
There's no need to have a policy that measures those files, because
they're part of the already-measured initramfs. Just
On Thu, 2017-11-09 at 09:47 -0500, Matthew Garrett wrote:
> This seems very over-complicated, and it's unclear why the kernel
> needs to open the file itself. You *know* that all of userland is
> trustworthy at this point even in the absence of signatures.
Assuming the initramfs is signed, then
On 11/9/2017 3:47 PM, Matthew Garrett wrote:
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
The code doing the parsing is in the initramfs, which has already been
measured at boot time. You can guarantee that it's
On Thu, Nov 9, 2017 at 4:51 AM, Roberto Sassu wrote:
> On 11/8/2017 4:48 PM, Matthew Garrett wrote:
>> The code doing the parsing is in the initramfs, which has already been
>> measured at boot time. You can guarantee that it's being done by
>> trusted code.
>
>
> The
On 11/8/2017 4:48 PM, Matthew Garrett wrote:
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
But we're still left in a state where the kernel has to end up
supporting a number of very niche formats, and userland
On Wed, Nov 8, 2017 at 7:00 AM, Roberto Sassu wrote:
> On 11/7/2017 7:06 PM, Matthew Garrett wrote:
>> But we're still left in a state where the kernel has to end up
>> supporting a number of very niche formats, and userland agility is
>> tied to the kernel. I think it
On 11/7/2017 7:06 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
RPM's hardly universal, and distributions are in the process of moving
away from using it for distributing non-core
el.org; linux-fsde...@vger.kernel.org;
> linux-doc@vger.kernel.org; linux-ker...@vger.kernel.org;
> silviu.vlasce...@huawei.com; Roberto Sassu <roberto.sa...@huawei.com>
> Subject: EXT: [PATCH v2 00/15] ima: digest list feature
>
> IMA is a security module with the objective of
On Tue, Nov 7, 2017 at 12:53 PM, Roberto Sassu wrote:
> On 11/7/2017 3:49 PM, Matthew Garrett wrote:
>> RPM's hardly universal, and distributions are in the process of moving
>> away from using it for distributing non-core applications (Flatpak and
>> Snap are becoming
On 11/7/2017 3:49 PM, Matthew Garrett wrote:
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
Finally, digest lists address also the third issue because Linux
distribution vendors already provide the digests of files included in each
RPM package. The digest list
On 11/7/2017 2:37 PM, Mimi Zohar wrote:
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For
On Tue, Nov 7, 2017 at 2:36 AM, Roberto Sassu wrote:
> Finally, digest lists address also the third issue because Linux
> distribution vendors already provide the digests of files included in each
> RPM package. The digest list is stored in the RPM header, signed by the
Hi Roberto,
On Tue, 2017-11-07 at 11:36 +0100, Roberto Sassu wrote:
> IMA is a security module with the objective of reporting or enforcing the
> integrity of a system, by measuring files accessed with the execve(),
> mmap() and open() system calls. For reporting, it takes advantage of the
> TPM
IMA is a security module with the objective of reporting or enforcing the
integrity of a system, by measuring files accessed with the execve(),
mmap() and open() system calls. For reporting, it takes advantage of the
TPM and extends a PCR with the digest of an evaluated event. For enforcing,
it
16 matches
Mail list logo