From: Mimi Zohar <zohar@linux.ibm.com>
To: Jordan Hand <jorhand@linux.microsoft.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Jonathan Corbet <corbet@lwn.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v12 00/11] Appended signatures support for IMA appraisal
Date: Wed, 28 Aug 2019 13:43:41 +0000 [thread overview]
Message-ID: <1566999821.6115.14.camel@linux.ibm.com> (raw)
In-Reply-To: <9682b5d0-1634-2dd0-2cbb-eb1fa8ba7423@linux.microsoft.com>
Hi Jordan,
On Mon, 2019-08-26 at 15:46 -0700, Jordan Hand wrote:
> On 6/27/19 7:19 PM, Thiago Jung Bauermann wrote:
> > On the OpenPOWER platform, secure boot and trusted boot are being
> > implemented using IMA for taking measurements and verifying signatures.
> > Since the kernel image on Power servers is an ELF binary, kernels are
> > signed using the scripts/sign-file tool and thus use the same signature
> > format as signed kernel modules.
> >
> > This patch series adds support in IMA for verifying those signatures.
> > It adds flexibility to OpenPOWER secure boot, because it allows it to boot
> > kernels with the signature appended to them as well as kernels where the
> > signature is stored in the IMA extended attribute.
>
> I know this is pretty late, but I just wanted to let you know that I
> tested this patch set on x86_64 with QEMU.
>
> That is, I enrolled a key to _ima keyring, signed my kernel and modules
> with appended signatures (with scripts/sign-file), set the IMA policy to
> appraise and measure my kernel and modules. Also tested kexec appraisal.
>
> You can add my tested-by if you'd like.
I really appreciate your testing. Based on the recent
Documentation/maintainer/rebasing-and-merging.rst, I'm trying not to
rebase patches already staged in linux-next. Patches are first being
staged in the next-queued-testing branch.
FYI, I just posted a patch that adds IMA appended signature support to
test_kexec_file_load.sh.
thanks,
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Jordan Hand <jorhand@linux.microsoft.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, linuxppc-dev@lists.ozlabs.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
James Morris <jmorris@namei.org>,
"Serge E. Hallyn" <serge@hallyn.com>,
David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
Jessica Yu <jeyu@kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Jonathan Corbet <corbet@lwn.net>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>
Subject: Re: [PATCH v12 00/11] Appended signatures support for IMA appraisal
Date: Wed, 28 Aug 2019 09:43:41 -0400 [thread overview]
Message-ID: <1566999821.6115.14.camel@linux.ibm.com> (raw)
In-Reply-To: <9682b5d0-1634-2dd0-2cbb-eb1fa8ba7423@linux.microsoft.com>
Hi Jordan,
On Mon, 2019-08-26 at 15:46 -0700, Jordan Hand wrote:
> On 6/27/19 7:19 PM, Thiago Jung Bauermann wrote:
> > On the OpenPOWER platform, secure boot and trusted boot are being
> > implemented using IMA for taking measurements and verifying signatures.
> > Since the kernel image on Power servers is an ELF binary, kernels are
> > signed using the scripts/sign-file tool and thus use the same signature
> > format as signed kernel modules.
> >
> > This patch series adds support in IMA for verifying those signatures.
> > It adds flexibility to OpenPOWER secure boot, because it allows it to boot
> > kernels with the signature appended to them as well as kernels where the
> > signature is stored in the IMA extended attribute.
>
> I know this is pretty late, but I just wanted to let you know that I
> tested this patch set on x86_64 with QEMU.
>
> That is, I enrolled a key to _ima keyring, signed my kernel and modules
> with appended signatures (with scripts/sign-file), set the IMA policy to
> appraise and measure my kernel and modules. Also tested kexec appraisal.
>
> You can add my tested-by if you'd like.
I really appreciate your testing. Based on the recent
Documentation/maintainer/rebasing-and-merging.rst, I'm trying not to
rebase patches already staged in linux-next. Patches are first being
staged in the next-queued-testing branch.
FYI, I just posted a patch that adds IMA appended signature support to
test_kexec_file_load.sh.
thanks,
Mimi
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Jordan Hand <jorhand@linux.microsoft.com>,
Thiago Jung Bauermann <bauerman@linux.ibm.com>,
linux-integrity@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
linux-doc@vger.kernel.org,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jonathan Corbet <corbet@lwn.net>,
linux-kernel@vger.kernel.org, James Morris <jmorris@namei.org>,
David Howells <dhowells@redhat.com>,
"AKASHI, Takahiro" <takahiro.akashi@linaro.org>,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-crypto@vger.kernel.org, Jessica Yu <jeyu@kernel.org>,
linuxppc-dev@lists.ozlabs.org,
David Woodhouse <dwmw2@infradead.org>,
"Serge E. Hallyn" <serge@hallyn.com>
Subject: Re: [PATCH v12 00/11] Appended signatures support for IMA appraisal
Date: Wed, 28 Aug 2019 09:43:41 -0400 [thread overview]
Message-ID: <1566999821.6115.14.camel@linux.ibm.com> (raw)
In-Reply-To: <9682b5d0-1634-2dd0-2cbb-eb1fa8ba7423@linux.microsoft.com>
Hi Jordan,
On Mon, 2019-08-26 at 15:46 -0700, Jordan Hand wrote:
> On 6/27/19 7:19 PM, Thiago Jung Bauermann wrote:
> > On the OpenPOWER platform, secure boot and trusted boot are being
> > implemented using IMA for taking measurements and verifying signatures.
> > Since the kernel image on Power servers is an ELF binary, kernels are
> > signed using the scripts/sign-file tool and thus use the same signature
> > format as signed kernel modules.
> >
> > This patch series adds support in IMA for verifying those signatures.
> > It adds flexibility to OpenPOWER secure boot, because it allows it to boot
> > kernels with the signature appended to them as well as kernels where the
> > signature is stored in the IMA extended attribute.
>
> I know this is pretty late, but I just wanted to let you know that I
> tested this patch set on x86_64 with QEMU.
>
> That is, I enrolled a key to _ima keyring, signed my kernel and modules
> with appended signatures (with scripts/sign-file), set the IMA policy to
> appraise and measure my kernel and modules. Also tested kexec appraisal.
>
> You can add my tested-by if you'd like.
I really appreciate your testing. Based on the recent
Documentation/maintainer/rebasing-and-merging.rst, I'm trying not to
rebase patches already staged in linux-next. Patches are first being
staged in the next-queued-testing branch.
FYI, I just posted a patch that adds IMA appended signature support to
test_kexec_file_load.sh.
thanks,
Mimi
next prev parent reply other threads:[~2019-08-28 13:43 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-28 2:19 [PATCH v12 00/11] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 01/11] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-07-01 14:47 ` Jessica Yu
2019-07-01 14:47 ` Jessica Yu
2019-07-01 14:47 ` Jessica Yu
2019-07-04 6:42 ` Thiago Jung Bauermann
2019-07-04 6:42 ` Thiago Jung Bauermann
2019-07-04 6:42 ` Thiago Jung Bauermann
2019-07-04 6:42 ` Thiago Jung Bauermann
2019-07-04 10:54 ` Philipp Rudo
2019-07-04 10:54 ` Philipp Rudo
2019-07-04 10:54 ` Philipp Rudo
2019-07-04 10:54 ` Philipp Rudo
2019-07-04 18:57 ` Thiago Jung Bauermann
2019-07-04 18:57 ` Thiago Jung Bauermann
2019-07-04 18:57 ` Thiago Jung Bauermann
2019-07-04 18:57 ` Thiago Jung Bauermann
2019-07-05 13:00 ` Philipp Rudo
2019-07-05 13:00 ` Philipp Rudo
2019-07-05 13:00 ` Philipp Rudo
2019-07-05 13:00 ` Philipp Rudo
2019-07-23 22:39 ` Thiago Jung Bauermann
2019-07-23 22:39 ` Thiago Jung Bauermann
2019-07-23 22:39 ` Thiago Jung Bauermann
2019-07-23 22:39 ` Thiago Jung Bauermann
2019-08-05 13:11 ` Philipp Rudo
2019-08-05 13:11 ` Philipp Rudo
2019-08-05 13:11 ` Philipp Rudo
2019-08-05 13:11 ` Philipp Rudo
2019-08-05 14:25 ` Mimi Zohar
2019-08-05 14:25 ` Mimi Zohar
2019-08-05 14:25 ` Mimi Zohar
2019-06-28 2:19 ` [PATCH v12 02/11] PKCS#7: Refactor verify_pkcs7_signature() Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 03/11] PKCS#7: Introduce pkcs7_get_digest() Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 04/11] integrity: Select CONFIG_KEYS instead of depending on it Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 05/11] ima: Add modsig appraise_type option for module-style appended signatures Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 06/11] ima: Factor xattr_verify() out of ima_appraise_measurement() Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 07/11] ima: Implement support for module-style appended signatures Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 08/11] ima: Collect modsig Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 09/11] ima: Define ima-modsig template Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 10/11] ima: Store the measurement again when appraising a modsig Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` [PATCH v12 11/11] ima: Allow template= option for appraise rules as well Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-06-28 2:19 ` Thiago Jung Bauermann
2019-07-01 14:38 ` [PATCH v12 00/11] Appended signatures support for IMA appraisal Mimi Zohar
2019-07-01 14:38 ` Mimi Zohar
2019-07-01 14:38 ` Mimi Zohar
2019-07-04 6:45 ` Thiago Jung Bauermann
2019-07-04 6:45 ` Thiago Jung Bauermann
2019-07-04 6:45 ` Thiago Jung Bauermann
2019-08-26 22:46 ` Jordan Hand
2019-08-26 22:46 ` Jordan Hand
2019-08-26 22:46 ` Jordan Hand
2019-08-27 1:04 ` Thiago Jung Bauermann
2019-08-27 1:04 ` Thiago Jung Bauermann
2019-08-27 1:04 ` Thiago Jung Bauermann
2019-08-28 13:43 ` Mimi Zohar [this message]
2019-08-28 13:43 ` Mimi Zohar
2019-08-28 13:43 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1566999821.6115.14.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=bauerman@linux.ibm.com \
--cc=corbet@lwn.net \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=dwmw2@infradead.org \
--cc=herbert@gondor.apana.org.au \
--cc=jeyu@kernel.org \
--cc=jmorris@namei.org \
--cc=jorhand@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=serge@hallyn.com \
--cc=takahiro.akashi@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.