Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-30 Thread Mimi Zohar
On Wed, 2013-01-30 at 06:32 +, Matthew Garrett wrote: > On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote: > > On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: > > > The assumption has always been that the initramfs would be measured, for > > > trusted boot, and appraised,

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-30 Thread Mimi Zohar
On Wed, 2013-01-30 at 06:32 +, Matthew Garrett wrote: On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: The assumption has always been that the initramfs would be measured, for trusted boot, and appraised, for

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Matthew Garrett
On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: > > The assumption has always been that the initramfs would be measured, for > > trusted boot, and appraised, for secure boot, before being executed. > > Hi Mimi, > > Ok. So

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Mimi Zohar
On Tue, 2013-01-29 at 15:10 -0500, Vivek Goyal wrote: > On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote: > > [..] > > > Hi Mimi, > > > > > > Can we add another field to ima_rule_entry, say .enforcement to control > > > the behavior of .action. Possible values of .enforcement could be,

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote: [..] > > Hi Mimi, > > > > Can we add another field to ima_rule_entry, say .enforcement to control > > the behavior of .action. Possible values of .enforcement could be, say. > > > > ALL > > SIGNED_ONLY > > > > ALL will be default. And

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Mimi Zohar
On Tue, 2013-01-29 at 13:20 -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: > > [..] > > > Hi Mimi, > > > > > > By policy you mean ima rules here? So I can either enable default rules > > > (tcb default rules for appraisal and measurement) by using kernel

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Tue, Jan 29, 2013 at 10:48:00AM +0200, Kasatkin, Dmitry wrote: > On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal wrote: > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > > > [..] > >> > Ok. I am hoping that it will be more than the kernel command line we > >> > support. In

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: [..] > > Hi Mimi, > > > > By policy you mean ima rules here? So I can either enable default rules > > (tcb default rules for appraisal and measurement) by using kernel command > > line options or dynamically configure my own rules using

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: [..] > > Also given the fact that we allow loading policy from initramfs, root > > can rebuild initramfs and change the policy which takes effect over next > > reboot. So in principle this works only when we are trying to impose some > >

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 07:14:02PM -0500, Mimi Zohar wrote: [..] > The 'trusted' keyring is a solution for installing only distro or third > party signed packages. How would a developer, for instance, create, > sign, and install his own package and add his public key safely? Hi Mimi, I guess

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 10:13 PM, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: >> On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: >> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: >> > >> > [..] >> > > > Ok. I am hoping that it will

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > [..] >> > Ok. I am hoping that it will be more than the kernel command line we >> > support. In the sense that for digital signatures one needs to parse >> > the signature,

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 07:14:02PM -0500, Mimi Zohar wrote: [..] The 'trusted' keyring is a solution for installing only distro or third party signed packages. How would a developer, for instance, create, sign, and install his own package and add his public key safely? Hi Mimi, I guess

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: [..] Also given the fact that we allow loading policy from initramfs, root can rebuild initramfs and change the policy which takes effect over next reboot. So in principle this works only when we are trying to impose some policy

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: [..] Hi Mimi, By policy you mean ima rules here? So I can either enable default rules (tcb default rules for appraisal and measurement) by using kernel command line options or dynamically configure my own rules using /sysfs

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Tue, Jan 29, 2013 at 10:48:00AM +0200, Kasatkin, Dmitry wrote: On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal vgo...@redhat.com wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support.

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Mimi Zohar
On Tue, 2013-01-29 at 13:20 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: [..] Hi Mimi, By policy you mean ima rules here? So I can either enable default rules (tcb default rules for appraisal and measurement) by using kernel command line

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Vivek Goyal
On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote: [..] Hi Mimi, Can we add another field to ima_rule_entry, say .enforcement to control the behavior of .action. Possible values of .enforcement could be, say. ALL SIGNED_ONLY ALL will be default. And with .action=

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Mimi Zohar
On Tue, 2013-01-29 at 15:10 -0500, Vivek Goyal wrote: On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote: [..] Hi Mimi, Can we add another field to ima_rule_entry, say .enforcement to control the behavior of .action. Possible values of .enforcement could be, say.

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Matthew Garrett
On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote: The assumption has always been that the initramfs would be measured, for trusted boot, and appraised, for secure boot, before being executed. Hi Mimi, Ok. So for

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal vgo...@redhat.com wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that for digital signatures one needs to parse the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-29 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 10:13 PM, Vivek Goyal vgo...@redhat.com wrote: On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 15:22 -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote: > > On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: > > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > > > > > [..] > > > > > Ok. I am hoping that it

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 15:13 -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: > > On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: > > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > > > > > [..] > > > > > Ok. I am hoping that it

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote: > On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > > > [..] > > > > Ok. I am hoping that it will be more than the kernel command line we > > > > support. In

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > [..] > > > Ok. I am hoping that it will be more than the kernel command line we > > > support. In the sense that for digital signatures one needs to parse > > > the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: > On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: > > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > > > [..] > > > > Ok. I am hoping that it will be more than the kernel command line we > > > > support. In

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: > > [..] > > > Ok. I am hoping that it will be more than the kernel command line we > > > support. In the sense that for digital signatures one needs to parse > > > the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] > > Ok. I am hoping that it will be more than the kernel command line we > > support. In the sense that for digital signatures one needs to parse > > the signature, look at what hash algorithm has been used and then > >

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] > > Ok. I am hoping that it will be more than the kernel command line we > > support. In the sense that for digital signatures one needs to parse > > the signature, look at what hash algorithm has been used and then > >

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 5:15 PM, Vivek Goyal wrote: > On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote: >> On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal wrote: >> > Hi, >> > >> > I am trying to read and understand IMA code. How does digital signature >> > mechanism work. >> > >>

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote: > On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal wrote: > > Hi, > > > > I am trying to read and understand IMA code. How does digital signature > > mechanism work. > > > > IIUC, evmctl will install a file's signature in

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Kasatkin, Dmitry
On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal wrote: > Hi, > > I am trying to read and understand IMA code. How does digital signature > mechanism work. > > IIUC, evmctl will install a file's signature in security.ima. And later > process_measurement() will do following. > > Calculate digest of

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Kasatkin, Dmitry
On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal vgo...@redhat.com wrote: Hi, I am trying to read and understand IMA code. How does digital signature mechanism work. IIUC, evmctl will install a file's signature in security.ima. And later process_measurement() will do following. Calculate

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote: On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal vgo...@redhat.com wrote: Hi, I am trying to read and understand IMA code. How does digital signature mechanism work. IIUC, evmctl will install a file's signature in

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Kasatkin, Dmitry
On Mon, Jan 28, 2013 at 5:15 PM, Vivek Goyal vgo...@redhat.com wrote: On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote: On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal vgo...@redhat.com wrote: Hi, I am trying to read and understand IMA code. How does digital signature

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that for digital signatures one needs to parse the signature, look at what hash algorithm has been used and then collect the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that for digital signatures one needs to parse the signature, look at what hash algorithm has been used and then collect the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that for digital signatures one needs to parse the signature, look at

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that for digital signatures one needs to parse the signature, look at

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Vivek Goyal
On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote: On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than the kernel command line we support. In the sense that

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 15:13 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote: On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-28 Thread Mimi Zohar
On Mon, 2013-01-28 at 15:22 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote: On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote: On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote: [..] Ok. I am hoping that it will be more than

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-25 Thread Vivek Goyal
Hi, I am trying to read and understand IMA code. How does digital signature mechanism work. IIUC, evmctl will install a file's signature in security.ima. And later process_measurement() will do following. Calculate digest of file in ima_collect_measurement() and then ima_appraise_measurement()

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-23 Thread Kasatkin, Dmitry
On Wed, Jan 23, 2013 at 12:53 AM, Mimi Zohar wrote: > On Tue, 2013-01-15 at 12:34 +0200, Dmitry Kasatkin wrote: >> Asymmetric keys were introduced in linux-3.7 to verify the signature on >> signed kernel modules. The asymmetric keys infrastructure abstracts the >> signature verification from the

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-23 Thread Kasatkin, Dmitry
On Wed, Jan 23, 2013 at 12:53 AM, Mimi Zohar zo...@linux.vnet.ibm.com wrote: On Tue, 2013-01-15 at 12:34 +0200, Dmitry Kasatkin wrote: Asymmetric keys were introduced in linux-3.7 to verify the signature on signed kernel modules. The asymmetric keys infrastructure abstracts the signature

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-22 Thread Mimi Zohar
On Tue, 2013-01-15 at 12:34 +0200, Dmitry Kasatkin wrote: > Asymmetric keys were introduced in linux-3.7 to verify the signature on > signed kernel modules. The asymmetric keys infrastructure abstracts the > signature verification from the crypto details. This patch adds IMA/EVM > signature

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-22 Thread Mimi Zohar
On Tue, 2013-01-15 at 12:34 +0200, Dmitry Kasatkin wrote: Asymmetric keys were introduced in linux-3.7 to verify the signature on signed kernel modules. The asymmetric keys infrastructure abstracts the signature verification from the crypto details. This patch adds IMA/EVM signature

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-17 Thread Kasatkin, Dmitry
On Thu, Jan 17, 2013 at 7:52 PM, David Howells wrote: > > Looks reasonable, I think, so you can add: > > Acked-by: David Howells > > David Thank you. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-17 Thread David Howells
Looks reasonable, I think, so you can add: Acked-by: David Howells David

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-17 Thread David Howells
Looks reasonable, I think, so you can add: Acked-by: David Howells dhowe...@redhat.com David

Re: [RFC 1/1] ima: digital signature verification using asymmetric keys

2013-01-17 Thread Kasatkin, Dmitry
On Thu, Jan 17, 2013 at 7:52 PM, David Howells dhowe...@redhat.com wrote: Looks reasonable, I think, so you can add: Acked-by: David Howells dhowe...@redhat.com David Thank you.