From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
To: Mimi Zohar <zohar@linux.ibm.com>, linux-integrity@vger.kernel.org
Cc: James Morris <jamorris@linuxonhyperv.com>
Subject: IMA: Data included in the key measurement
Date: Thu, 21 Nov 2019 08:17:11 -0800
Message-ID: <19242774-688e-58ff-40f8-e346d6ba4339@linux.microsoft.com>

Hi Mimi,

>>> everything needed for verifying a signature is included in
>>> the key measurement.

Regarding the requirement you had stated above, I would like some 
clarification.

When I started this change to measure keys through IMA, the use case we 
had in mind was enabling an attestation service, for instance, to verify 
if the client has only known good (trusted) keys - for example, in 
keyrings such as ".builtin_trusted_keys", ".ima", etc.

On the client IMA verifies the signature of system binaries using keys 
in the IMA keyring. And, if the config namely 
CONFIG_IMA_KEYRINGS_PERMIT_SIGNED_BY_BUILTIN_OR_SECONDARY is enabled, 
only keys signed by a built-in trusted key can be added to the IMA keyring.

An attestation service can keep a list of public keys of "known good 
(trusted)" keys for various keyrings, and verify against the measurement 
data provided by the client.

To achieve the above we decided to include only the public key in the 
key measurement buffer.

I would like to know what benefit we'd get by including "everything 
needed for verifying a signature in the key measurement"?

From a testing point of view, if we have the certificate (like the .DER 
file), we can validate the key measurement data in the IMA log.

Do you see a need to include more data or the entire cert for the 
product code?

thanks,
  -lakshmi
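
The attestation-side check described in this message, as an added example that is not part of the original email or of the IMA code. It assumes a text log line layout (PCR, template hash, template name `ima-buf`, digest, keyring name, hex data), constructed key bytes, and a log that has already been validated against a TPM quote.

```python
import hashlib

# Assumed line layout (not from the email):
#   <pcr> <template-hash> ima-buf <algo>:<digest-of-data> <keyring> <hex-data>
def parse_key_measurement(line):
    pcr, _template_hash, template, digest, keyring, data_hex = line.split()
    algo, _, hexdigest = digest.partition(":")
    return {"pcr": int(pcr), "template": template, "algo": algo,
            "digest": hexdigest, "keyring": keyring,
            "data": bytes.fromhex(data_hex)}

def verify_keys(log_lines, known_good):
    """Return (keyring, reason) findings; an empty list means every
    measured key is on the known-good list for its keyring."""
    findings = []
    for line in log_lines:
        e = parse_key_measurement(line)
        # The logged digest must match the logged key data.
        if hashlib.new(e["algo"], e["data"]).hexdigest() != e["digest"]:
            findings.append((e["keyring"], "digest mismatch"))
        # The measured public key must be known good for this keyring.
        elif e["data"] not in known_good.get(e["keyring"], set()):
            findings.append((e["keyring"], "unknown key"))
    return findings

def _line(keyring, data, digest=None):
    # Helper that builds a constructed sample line in the assumed layout.
    digest = digest or hashlib.sha256(data).hexdigest()
    return f"10 {'0' * 40} ima-buf sha256:{digest} {keyring} {data.hex()}"

# Constructed sample data: stand-ins for DER-encoded public keys.
GOOD_KEY = b"constructed-public-key-A"
ROGUE_KEY = b"constructed-public-key-B"
KNOWN_GOOD = {".builtin_trusted_keys": {GOOD_KEY}, ".ima": {GOOD_KEY}}
SAMPLE_LOG = [
    _line(".builtin_trusted_keys", GOOD_KEY),   # trusted key
    _line(".ima", ROGUE_KEY),                   # key not on the list
    _line(".ima", GOOD_KEY, digest="00" * 32),  # digest does not match data
]

if __name__ == "__main__":
    for keyring, reason in verify_keys(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{keyring}: {reason}")
```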
