Public bug reported:

I would be doubly happy if this also went into the raring backport
kernel.

I chatted with apw and kees on #ubuntu-kernel earlier in the week. From
a security engineer on our team:

So I was mistaken. If CONFIG_IMA=y, the default policy is NULL unless
you boot with ima_tcb=on. Without ima_tcb=y, nothing is measured,
nothing is audited, no performance/memory hit is incurred.

Same is true for CONFIG_IMA_APPRAISE, except with the
ima_appraise_tcb=on command-line parameter. IMA appraise gives us the
ability to sign binaries at installation time and check the signature at
runtime.

So we are asking that you enable CONFIG_IMA, but to not enable it via
the kernel command line options. IMA would boot with an empty policy and
should incur no overhead. Enterprising folks who want to run IMA can
enable it in grub at their option.

CONFIG_IMA=y

and possibly:

CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y

-A

** Affects: linux-meta-lts-saucy (Ubuntu)
     Importance: Undecided
         Status: New
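As an added example (not from the bug report, the Ubuntu kernel team or the IMA project), a POSIX shell check that derives the effective IMA state from a kernel config and a boot command line using the rule stated above: CONFIG_IMA=y alone leaves an empty policy, ima_tcb on the command line turns measurement on, and ima_appraise_tcb only matters when CONFIG_IMA_APPRAISE=y is also built. It assumes both the bare `ima_tcb` token and the `ima_tcb=on` spelling used above should count; the sample config is constructed.

```shell
#!/bin/sh
# ima_state CONFIG_TEXT CMDLINE_TEXT
# Prints one of: not-built, built-empty-policy, measure, appraise, measure+appraise
ima_state() {
    ima_cfg="$1"
    ima_cmd="$2"
    # No CONFIG_IMA=y: nothing on the command line can switch IMA on.
    if ! printf '%s\n' "$ima_cfg" | grep -q '^CONFIG_IMA=y$'; then
        echo "not-built"
        return 0
    fi
    ima_measure=no
    ima_appraise=no
    # Assumption: both "ima_tcb" and "ima_tcb=<value>" select the default policy.
    for ima_tok in $ima_cmd; do
        case "$ima_tok" in
            ima_tcb|ima_tcb=*) ima_measure=yes ;;
            ima_appraise_tcb|ima_appraise_tcb=*) ima_appraise=yes ;;
        esac
    done
    # Appraisal needs CONFIG_IMA_APPRAISE=y; otherwise the parameter is inert.
    if [ "$ima_appraise" = yes ] && \
       ! printf '%s\n' "$ima_cfg" | grep -q '^CONFIG_IMA_APPRAISE=y$'; then
        ima_appraise=no
    fi
    case "$ima_measure/$ima_appraise" in
        yes/yes) echo "measure+appraise" ;;
        yes/no)  echo "measure" ;;
        no/yes)  echo "appraise" ;;
        *)       echo "built-empty-policy" ;;   # CONFIG_IMA=y, no policy, no overhead
    esac
}

# Report the running kernel's state; only reads files that exist.
ima_live_state() {
    ima_file="/boot/config-$(uname -r)"
    [ -r "$ima_file" ] && [ -r /proc/cmdline ] || { echo "unknown"; return 0; }
    ima_state "$(cat "$ima_file")" "$(cat /proc/cmdline)"
}

# Constructed sample matching the options requested in the report.
IMA_SAMPLE_CONFIG='CONFIG_IMA=y
CONFIG_IMA_MEASURE_PCR_IDX=10
CONFIG_IMA_AUDIT=y
CONFIG_IMA_LSM_RULES=y
# CONFIG_IMA_APPRAISE is not set'
```

Run `ima_live_state` on a host to see whether the kernel carries IMA and whether the boot line has actually activated a policy.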

https://bugs.launchpad.net/bugs/1244627

Title:
  Please enable CONFIG_IMA in the ubuntu kernel
