diff for duplicates of <1517100440.29187.120.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 782b484..80a8d66 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,20 +1,20 @@ On Fri, 2018-01-26 at 18:51 +0100, Petr Vorel wrote: > > It would be nice to be able to define policies that limit testing to a -> > specific filesystem/device. Without being able to limit IMA-appraisal +> > specific filesystem/device. Without being able to limit IMA-appraisal > > testing to specific devices, things might stop working rather quickly. > Not sure how to define it, I need to study the specification. Or can > you be more specific? These tests are for the IMA-measurement aspect only, not IMA- -appraisal. Adding measurements to the measurement list won't cause +appraisal. Adding measurements to the measurement list won't cause the system to stop working, unless keys are sealed to a particular TPM -PCR value. Nobody is or should be sealing keys to PCR-10, since the +PCR value. Nobody is or should be sealing keys to PCR-10, since the ordering of the measurements is non deterministic. As we add IMA-appraisal tests requiring files to be signed, things will fail if either the public key isn't on the IMA keyring or the -file isn't properly signed. For this reason, limiting file IMA- +file isn't properly signed. For this reason, limiting file IMA- appraisal tests to a particular filesystem simplifies testing. > BTW I suppose that kernel code supports both TPM 2.0 and the old 1.2. 
@@ -24,9 +24,9 @@ Yes, Jarkko added TPM 2.0 support, including IMA support. > > > > Originally IMA allowed a builtin policy to be replaced with a custom > > > > policy, by simply cat'ing a file into the securityfs IMA policy file. > > > > Currently, if new rules can be added to the custom policy (Kconfig -> > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, +> > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly, > > > > if the builtin "secure-boot" policy is defined on the boot command -> > > > line, the custom policy must be signed. Test "ima01 ima_policy.sh" +> > > > line, the custom policy must be signed. Test "ima01 ima_policy.sh" > > > > should first detect if the policy must be signed, before running the > > > > tests. > @@ -38,7 +38,7 @@ Yes, Jarkko added TPM 2.0 support, including IMA support. > security/integrity/ima/ima_fs.c which handles IMA sysfs doesn't have this functionality. > Is it deliberate (security reason), that it's not exported to users? -This isn't really an IMA issue, but a TPM one. The TPM device driver +This isn't really an IMA issue, but a TPM one. The TPM device driver would need to export this information. Mimi diff --git a/a/content_digest b/N1/content_digest index 346bdf7..a077744 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -4,32 +4,28 @@ "ref\01516919365.6513.72.camel@linux.vnet.ibm.com\0" "ref\020180126175110.boaepz6dqe3uojq6@dell5510\0" "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" - "Subject\0Re: [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" + "Subject\0[LTP] [RFC PATCH 0/2] IMA: Rewrite tests into new API + fixes\0" "Date\0Sat, 27 Jan 2018 19:47:20 -0500\0" - "To\0Petr Vorel <pvorel@suse.cz>\0" - "Cc\0ltp@lists.linux.it" - Dmitry Kasatkin <dmitry.kasatkin@huawei.com> - linux-integrity@vger.kernel.org - " Roberto Sassu <roberto.sassu@polito.it>\0" + "To\0ltp@lists.linux.it\0" "\00:1\0" "b\0" "On Fri, 2018-01-26 at 18:51 +0100, Petr Vorel wrote:\n" "\n" "> > It would be nice to be able to define policies that limit testing to a\n" - "> > specific filesystem/device. Without being able to limit IMA-appraisal \n" + "> > specific filesystem/device. \302\240Without being able to limit IMA-appraisal \n" "> > testing to specific devices, things might stop working rather quickly.\n" "> Not sure how to define it, I need to study the specification. Or can\n" "> you be more specific?\n" "\n" "These tests are for the IMA-measurement aspect only, not IMA-\n" - "appraisal. Adding measurements to the measurement list won't cause\n" + "appraisal. \302\240Adding measurements to the measurement list won't cause\n" "the system to stop working, unless keys are sealed to a particular TPM\n" - "PCR value. Nobody is or should be sealing keys to PCR-10, since the\n" + "PCR value. \302\240Nobody is or should be sealing keys to PCR-10, since the\n" "ordering of the measurements is non deterministic.\n" "\n" "As we add IMA-appraisal tests requiring files to be signed, things\n" "will fail if either the public key isn't on the IMA keyring or the\n" - "file isn't properly signed. For this reason, limiting file IMA-\n" + "file isn't properly signed. 
\302\240For this reason, limiting file IMA-\n" "appraisal tests to a particular filesystem simplifies testing.\n" "\n" "> BTW I suppose that kernel code supports both TPM 2.0 and the old 1.2.\n" @@ -39,9 +35,9 @@ "> > > > Originally IMA allowed a builtin policy to be replaced with a custom\n" "> > > > policy, by simply cat'ing a file into the securityfs IMA policy file.\n" "> > > > Currently, if new rules can be added to the custom policy (Kconfig\n" - "> > > > IMA_WRITE_POLICY enabled), the policy file must be signed. Similarly,\n" + "> > > > IMA_WRITE_POLICY enabled), the policy file must be signed. \302\240Similarly,\n" "> > > > if the builtin \"secure-boot\" policy is defined on the boot command\n" - "> > > > line, the custom policy must be signed. Test \"ima01 ima_policy.sh\"\n" + "> > > > line, the custom policy must be signed. \302\240Test \"ima01 ima_policy.sh\"\n" "> > > > should first detect if the policy must be signed, before running the\n" "> > > > tests.\n" "> \n" @@ -53,9 +49,9 @@ "> security/integrity/ima/ima_fs.c which handles IMA sysfs doesn't have this functionality.\n" "> Is it deliberate (security reason), that it's not exported to users?\n" "\n" - "This isn't really an IMA issue, but a TPM one. The TPM device driver\n" + "This isn't really an IMA issue, but a TPM one. \302\240The TPM device driver\n" "would need to export this information.\n" "\n" Mimi -a6dd8d636bbc7b995e7f658c15add10851f548e1c8fe170b129ecb82211c24f3 +05c0b06f34d6f898594948b0e87acd1e7ea9d01f4476e21e9a6811ee75e40e83
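Review bot: In the content_digest header hunk, the N1 copy replaces "To: Petr Vorel" and the whole Cc list (Dmitry Kasatkin, linux-integrity@vger.kernel.org, Roberto Sassu) with a single "To: ltp@lists.linux.it", and swaps the "Re:" in the Subject for an "[LTP]" prefix. A reply composed from the N1 copy would therefore drop the linux-integrity recipients and the "Re:" marker, so the a/ copy's headers should be used when replying. The body hunks differ only in whitespace: the N1 side carries \302\240 (a UTF-8 non-breaking space) after sentence-ending periods, which is consistent with the two entries being the same message under the one Message-ID. The message text itself can be read from either copy.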