On Mon, 2013-01-21 at 10:45 -0500, Vivek Goyal wrote:
> On Sun, Jan 20, 2013 at 12:20:00PM -0500, Mimi Zohar wrote:
> > On Thu, 2013-01-17 at 12:36 -0500, Vivek Goyal wrote:
> > > On Thu, Jan 17, 2013 at 11:32:45AM -0500, Mimi Zohar wrote:
> > >
> > > [..]
> > > > > > At this point, why would you
On Mon, 2013-01-21 at 11:42 -0500, Vivek Goyal wrote:
> On Tue, Jan 15, 2013 at 11:55:59PM -0500, Mimi Zohar wrote:
>
> [..]
> > Please remind me why you can't use IMA-appraisal, which was upstreamed
> > in Linux 3.7? Why is another method needed?
>
> So does this IMA-appraisal also support digit
On Sun, Jan 20, 2013 at 12:20:00PM -0500, Mimi Zohar wrote:
> On Thu, 2013-01-17 at 12:36 -0500, Vivek Goyal wrote:
> > On Thu, Jan 17, 2013 at 11:32:45AM -0500, Mimi Zohar wrote:
> >
> > [..]
> > > > > At this point, why would you want yet another method for signing
> > > > > files?
> > > >
> >
On Tue, Jan 15, 2013 at 11:55:59PM -0500, Mimi Zohar wrote:
[..]
> Please remind me why you can't use IMA-appraisal, which was upstreamed
> in Linux 3.7? Why is another method needed?
So does this IMA-appraisal also support digital signatures? The IMA white
paper seems to put digital signatures i
On Thu, 2013-01-17 at 12:36 -0500, Vivek Goyal wrote:
> On Thu, Jan 17, 2013 at 11:32:45AM -0500, Mimi Zohar wrote:
>
> [..]
> > > > At this point, why would you want yet another method for signing files?
> > >
> > > Are you saying that append signature instead of putting them in a section
> > >
On 01/20/2013 08:55 AM, Mimi Zohar wrote:
> On Sun, 2013-01-20 at 08:17 -0800, H. Peter Anvin wrote:
>> You then get into issues like: do we have to ban prelink as a result?
>
> Once you change a file, the original signature shouldn't match. If you
> really trust prelink, then make prelink a trus
On Sun, 2013-01-20 at 08:17 -0800, H. Peter Anvin wrote:
> You then get into issues like: do we have to ban prelink as a result?
Once you change a file, the original signature shouldn't match. If you
really trust prelink, then make prelink a trusted application that can
resign the modified file.
On Thu, 2013-01-17 at 16:52 -0500, Vivek Goyal wrote:
> On Thu, Jan 17, 2013 at 11:46:57PM +0200, Kasatkin, Dmitry wrote:
> > On Thu, Jan 17, 2013 at 10:55 PM, Vivek Goyal wrote:
> > > On Thu, Jan 17, 2013 at 03:33:47PM -0500, Frank Ch. Eigler wrote:
> > >> Vivek Goyal writes:
> > >>
> > >> > [..
You then get into issues like: do we have to ban prelink as a result?
Mimi Zohar wrote:
>On Thu, 2013-01-17 at 10:51 -0500, Vivek Goyal wrote:
>> On Thu, Jan 17, 2013 at 10:37:01AM -0500, Mimi Zohar wrote:
>> > On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
>> > > If a binary is signed, v
On Thu, Jan 17, 2013 at 11:46:57PM +0200, Kasatkin, Dmitry wrote:
> On Thu, Jan 17, 2013 at 10:55 PM, Vivek Goyal wrote:
> > On Thu, Jan 17, 2013 at 03:33:47PM -0500, Frank Ch. Eigler wrote:
> >> Vivek Goyal writes:
> >>
> >> > [...]
> >> >> Can you please tell a bit more how this patch protects a
On Thu, Jan 17, 2013 at 10:55 PM, Vivek Goyal wrote:
> On Thu, Jan 17, 2013 at 03:33:47PM -0500, Frank Ch. Eigler wrote:
>> Vivek Goyal writes:
>>
>> > [...]
>> >> Can you please tell a bit more how this patch protects against direct
>> >> writing to the blocks?
>> >
>> > If you have loaded all th
On Thu, Jan 17, 2013 at 03:33:47PM -0500, Frank Ch. Eigler wrote:
> Vivek Goyal writes:
>
> > [...]
> >> Can you please tell a bit more how this patch protects against direct
> >> writing to the blocks?
> >
> > If you have loaded all the pages from disk and locked them in memory and
> > verified t
Vivek Goyal writes:
> [...]
>> Can you please tell a bit more how this patch protects against direct
>> writing to the blocks?
>
> If you have loaded all the pages from disk and locked them in memory and
> verified the signature, then even if somebody modifies a block on disk
> it does not matter.
On Thu, Jan 17, 2013 at 07:01:40PM +0200, Kasatkin, Dmitry wrote:
> commit f6bf2c4c0339dabac435f518bb1fcb617fdef8f1
> Author: Dmitry Kasatkin
> Date: Thu Jan 17 18:50:43 2013 +0200
>
> ima: lock down memory if binary is digitally signed
>
> This patch sets a flag in the linux_binprm str
On Thu, Jan 17, 2013 at 11:32:45AM -0500, Mimi Zohar wrote:
[..]
> > > At this point, why would you want yet another method for signing files?
> >
> > Are you saying that append signature instead of putting them in a section
> > or are you saying that just use IMA.
> >
> > - For the first, I am
Hello.
This is just a quick patch for IMA to lock digitally signed binaries
in a similar manner as the patch of this thread does...
No policy here. No optimization here. Just tests if the binary has a signature.
Rather simple.
- Dmitry
On Thu, Jan 17, 2013 at 7:01 PM, Kasatkin, Dmitry wrote:
> commit
commit f6bf2c4c0339dabac435f518bb1fcb617fdef8f1
Author: Dmitry Kasatkin
Date: Thu Jan 17 18:50:43 2013 +0200
ima: lock down memory if binary is digitally signed
This patch sets a flag in the linux_binprm structure if the binary is
digitally signed. The flag is used to lock down memory w
On Thu, 2013-01-17 at 10:51 -0500, Vivek Goyal wrote:
> On Thu, Jan 17, 2013 at 10:37:01AM -0500, Mimi Zohar wrote:
> > On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
> > > If a binary is signed, verify its signature. If signature is not valid, do
> > > not allow execution. If binary is not
On Thu, Jan 17, 2013 at 5:18 PM, Vivek Goyal wrote:
> On Thu, Jan 17, 2013 at 04:58:02PM +0200, Kasatkin, Dmitry wrote:
>> On Wed, Jan 16, 2013 at 11:53 PM, Vivek Goyal wrote:
>> > On Wed, Jan 16, 2013 at 02:24:50PM -0500, Mimi Zohar wrote:
>> > [..]
>> >> > > Sorry, this is out of scope for IMA.
On Thu, Jan 17, 2013 at 10:37:01AM -0500, Mimi Zohar wrote:
> On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
> > If a binary is signed, verify its signature. If signature is not valid, do
> > not allow execution. If binary is not signed, execution is allowed
> > unconditionally.
> >
> > CON
On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
> If a binary is signed, verify its signature. If signature is not valid, do
> not allow execution. If binary is not signed, execution is allowed
> unconditionally.
>
> CONFIG_BINFMT_ELF_SIGNATURE controls whether elf binary signature support
>
On Thu, Jan 17, 2013 at 05:06:09PM +0200, Kasatkin, Dmitry wrote:
[..]
> One important thing to mention.
> Protecting ELF-only does not help too much in protecting the system.
> There are plenty of init, upstart and systemd scripts which must be
> verified as well. IMA does it.
Actually that woul
On Thu, Jan 17, 2013 at 04:58:02PM +0200, Kasatkin, Dmitry wrote:
> On Wed, Jan 16, 2013 at 11:53 PM, Vivek Goyal wrote:
> > On Wed, Jan 16, 2013 at 02:24:50PM -0500, Mimi Zohar wrote:
> > [..]
> >> > > Sorry, this is out of scope for IMA. Dmitry has looked into this, but
> >> > > I'm not sure wh
On Thu, Jan 17, 2013 at 4:58 PM, Kasatkin, Dmitry wrote:
> On Wed, Jan 16, 2013 at 11:53 PM, Vivek Goyal wrote:
>> On Wed, Jan 16, 2013 at 02:24:50PM -0500, Mimi Zohar wrote:
>> [..]
>>> > > Sorry, this is out of scope for IMA. Dmitry has looked into this, but
>>> > > I'm not sure where it stand
On Wed, Jan 16, 2013 at 11:53 PM, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 02:24:50PM -0500, Mimi Zohar wrote:
> [..]
>> > > Sorry, this is out of scope for IMA. Dmitry has looked into this, but
>> > > I'm not sure where it stands at the moment.
>> >
>> > Ok, so that's one reason why I w
On Wed, Jan 16, 2013 at 8:21 PM, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 12:24:39PM -0500, Mimi Zohar wrote:
>> On Wed, 2013-01-16 at 10:54 -0500, Vivek Goyal wrote:
>> > On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
>> >
>> > [..]
>> > > > - Also I really could not figure out w
On Wed, Jan 16, 2013 at 5:54 PM, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
>
> [..]
>> > - Also I really could not figure out where the private signing key
>> > lives. I got the impression that we need to trust installer and
>> > signing somehow happ
>> > Ok, that's the point I am missing. So I can sign a file and signatures
>> > are in a separate file. And these signatures are installed in extended
>> > attributes at file installation time (IOW rpm installation time) on
>> > target.
>> >
>> > If all this works, this sounds reasonable so far. E
Vivek Goyal writes:
> On Wed, Jan 16, 2013 at 05:35:23PM -0500, Mimi Zohar wrote:
>> On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
>> > If a binary is signed, verify its signature. If signature is not valid, do
>> > not allow execution. If binary is not signed, execution is allowed
>> > u
On Wed, Jan 16, 2013 at 05:35:23PM -0500, Mimi Zohar wrote:
> On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
> > If a binary is signed, verify its signature. If signature is not valid, do
> > not allow execution. If binary is not signed, execution is allowed
> > unconditionally.
>
> Basical
On Tue, 2013-01-15 at 16:34 -0500, Vivek Goyal wrote:
> If a binary is signed, verify its signature. If signature is not valid, do
> not allow execution. If binary is not signed, execution is allowed
> unconditionally.
Basically you're building the policy into the executable. Anyone can
rebuild t
On Wed, Jan 16, 2013 at 03:25:57PM -0500, Mimi Zohar wrote:
[..]
> > So irrespective of fact how RPM does it. What are basic commands/steps to
> > generate signature of a file and how to store it later in an extended
> > attribute?
>
> evmctl calculates and writes out the 'security.evm' and 'secu
On Wed, Jan 16, 2013 at 02:24:50PM -0500, Mimi Zohar wrote:
[..]
> > > Sorry, this is out of scope for IMA. Dmitry has looked into this, but
> > > I'm not sure where it stands at the moment.
> >
> > Ok, so that's one reason why I wrote these patches. IMA currently
> > is not doing following
On Wed, 2013-01-16 at 14:47 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 02:37:24PM -0500, Mimi Zohar wrote:
> > On Wed, 2013-01-16 at 13:57 -0500, Vivek Goyal wrote:
> > > On Wed, Jan 16, 2013 at 01:45:12PM -0500, Mimi Zohar wrote:
> > >
> > > [..]
> > > > > Given the fact that signatures
On Wed, Jan 16, 2013 at 02:37:24PM -0500, Mimi Zohar wrote:
> On Wed, 2013-01-16 at 13:57 -0500, Vivek Goyal wrote:
> > On Wed, Jan 16, 2013 at 01:45:12PM -0500, Mimi Zohar wrote:
> >
> > [..]
> > > > Given the fact that signatures are stored in extended attributes, to me
> > > > the only way to s
On Wed, 2013-01-16 at 13:57 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 01:45:12PM -0500, Mimi Zohar wrote:
>
> [..]
> > > Given the fact that signatures are stored in extended attributes, to me
> > > the only way to sign executables in current IMA framework would be to
> > > prepare file
On Wed, 2013-01-16 at 13:28 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 01:08:35PM -0500, Mimi Zohar wrote:
> > On Wed, 2013-01-16 at 11:34 -0500, Vivek Goyal wrote:
> >
> > > I read the comment in ima_bprm_check() being called from
> > > security_bprm_check().
> > > It says that files a
On Wed, Jan 16, 2013 at 01:45:12PM -0500, Mimi Zohar wrote:
[..]
> > Given the fact that signatures are stored in extended attributes, to me
> > the only way to sign executables in current IMA framework would be to
> > prepare file system image at build server and ship that image. And
> > then ins
On Wed, 2013-01-16 at 13:21 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 12:24:39PM -0500, Mimi Zohar wrote:
> > On Wed, 2013-01-16 at 10:54 -0500, Vivek Goyal wrote:
> > > On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
> > >
> > > [..]
> > > > > - Also I really could not figur
On Wed, Jan 16, 2013 at 01:08:35PM -0500, Mimi Zohar wrote:
> On Wed, 2013-01-16 at 11:34 -0500, Vivek Goyal wrote:
>
> > I read the comment in ima_bprm_check() being called from
> > security_bprm_check().
> > It says that files already open for write can't be executed and files already
> > open fo
On Wed, Jan 16, 2013 at 12:24:39PM -0500, Mimi Zohar wrote:
> On Wed, 2013-01-16 at 10:54 -0500, Vivek Goyal wrote:
> > On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
> >
> > [..]
> > > > - Also I really could not figure out where the private signing key
> > > > lives. I got th
On Wed, 2013-01-16 at 11:34 -0500, Vivek Goyal wrote:
> I read the comment in ima_bprm_check() being called from
> security_bprm_check().
> It says that files already open for write can't be executed and files already
> open for exec can't be open for writes. That's fine.
>
> I was worried about
On Wed, 2013-01-16 at 10:54 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
>
> [..]
> > > - Also I really could not figure out where the private signing key
> > > lives. I got the impression that we need to trust installer and
> > > signing somehow
On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
> On Wed, 2013-01-16 at 09:48 -0500, Vivek Goyal wrote:
> > On Wed, Jan 16, 2013 at 09:00:59AM -0500, Mimi Zohar wrote:
> > > On Tue, 2013-01-15 at 23:10 -0800, Eric W. Biederman wrote:
> > > > Mimi Zohar writes:
> > > >
> > > > > Please
On Wed, Jan 16, 2013 at 10:33:11AM -0500, Mimi Zohar wrote:
[..]
> > - Also I really could not figure out where the private signing key
> > lives. I got the impression that we need to trust installer and
> > signing somehow happens at installation time. And we wanted signing
> > to happ
On Wed, 2013-01-16 at 09:48 -0500, Vivek Goyal wrote:
> On Wed, Jan 16, 2013 at 09:00:59AM -0500, Mimi Zohar wrote:
> > On Tue, 2013-01-15 at 23:10 -0800, Eric W. Biederman wrote:
> > > Mimi Zohar writes:
> > >
> > > > Please remind me why you can't use IMA-appraisal, which was upstreamed
> > > >
On Wed, Jan 16, 2013 at 09:00:59AM -0500, Mimi Zohar wrote:
> On Tue, 2013-01-15 at 23:10 -0800, Eric W. Biederman wrote:
> > Mimi Zohar writes:
> >
> > > Please remind me why you can't use IMA-appraisal, which was upstreamed
> > > in Linux 3.7? Why is another method needed?
> >
> > Good questi
On Tue, 2013-01-15 at 23:10 -0800, Eric W. Biederman wrote:
> Mimi Zohar writes:
>
> > Please remind me why you can't use IMA-appraisal, which was upstreamed
> > in Linux 3.7? Why is another method needed?
>
> Good question Vivek?
>
> I remember there was a slight mismatch in the desired attr
Mimi Zohar writes:
> Please remind me why you can't use IMA-appraisal, which was upstreamed
> in Linux 3.7? Why is another method needed?
Good question Vivek?
I remember there was a slight mismatch in the desired attributes. In
particular we want signatures that are not generated on the loca
On Tue, 2013-01-15 at 20:30 -0800, Eric W. Biederman wrote:
> Vivek Goyal writes:
>
> > If a binary is signed, verify its signature. If signature is not valid, do
> > not allow execution. If binary is not signed, execution is allowed
> > unconditionally.
> >
> > CONFIG_BINFMT_ELF_SIGNATURE contro
Vivek Goyal writes:
> If a binary is signed, verify its signature. If signature is not valid, do
> not allow execution. If binary is not signed, execution is allowed
> unconditionally.
>
> CONFIG_BINFMT_ELF_SIGNATURE controls whether elf binary signature support
> is compiled in or not.
>
> Signa
If a binary is signed, verify its signature. If signature is not valid, do
not allow execution. If binary is not signed, execution is allowed
unconditionally.
CONFIG_BINFMT_ELF_SIGNATURE controls whether elf binary signature support
is compiled in or not.
Signatures are expected to be present in e