From: Vivek Goyal <vgoyal@redhat.com>
To: "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com>
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>,
dhowells@redhat.com, jmorris@namei.org,
linux-security-module@vger.kernel.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [RFC 1/1] ima: digital signature verification using asymmetric keys
Date: Mon, 28 Jan 2013 13:56:25 -0500 [thread overview]
Message-ID: <20130128185625.GC5868@redhat.com> (raw)
In-Reply-To: <CALLzPKbjmoLGMVgY-GygZ9ScV1GNHKaKHGYsHc4=CeoYPL4rmw@mail.gmail.com>
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
[..]
> > Ok. I am hoping that it will be more than the kernel command line we
> > support. In the sense that for digital signatures one needs to parse
> > the signature, look at what hash algorithm has been used and then
> > collect the hash accordingly. It is little different then IMA requirement
> > of calculating one pre-determine hash for all files.
>
> Yes... It is obvious. It's coming.
> But in general, signer should be aware of requirements and limitation
> of the platform.
> It is not really a problem...
One more question. I specified "ima_appraise_tcb" on kernel command line
and I had an unbootable system. It refused to run "init" as it was not
labeled/signed. Is there any policy/way where it appraises only signed
files and does not refuse to open/execute unsigned ones.
Thanks
Vivek
next prev parent reply other threads:[~2013-01-28 18:56 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-01-15 10:34 [RFC 0/1] ima/evm: signature verification support using asymmetric keys Dmitry Kasatkin
2013-01-15 10:34 ` [RFC 1/1] ima: digital signature verification " Dmitry Kasatkin
2013-01-17 17:52 ` David Howells
2013-01-17 18:00 ` Kasatkin, Dmitry
2013-01-22 22:53 ` Mimi Zohar
2013-01-23 9:03 ` Kasatkin, Dmitry
2013-01-25 21:01 ` Vivek Goyal
2013-01-28 14:54 ` Kasatkin, Dmitry
2013-01-28 15:15 ` Vivek Goyal
2013-01-28 15:20 ` Kasatkin, Dmitry
2013-01-28 18:52 ` Vivek Goyal
2013-01-28 19:51 ` Mimi Zohar
2013-01-28 20:13 ` Vivek Goyal
2013-01-29 0:14 ` Mimi Zohar
2013-01-29 16:30 ` Vivek Goyal
2013-01-29 8:53 ` Kasatkin, Dmitry
2013-01-29 8:48 ` Kasatkin, Dmitry
2013-01-29 18:39 ` Vivek Goyal
2013-01-28 18:56 ` Vivek Goyal [this message]
2013-01-28 20:15 ` Mimi Zohar
2013-01-28 20:22 ` Vivek Goyal
2013-01-29 1:48 ` Mimi Zohar
2013-01-29 16:58 ` Vivek Goyal
2013-01-30 6:32 ` Matthew Garrett
2013-01-30 22:22 ` Mimi Zohar
2013-01-29 18:20 ` Vivek Goyal
2013-01-29 20:01 ` Mimi Zohar
2013-01-29 20:10 ` Vivek Goyal
2013-01-29 22:26 ` Mimi Zohar
2013-01-16 19:45 ` [RFC 0/1] ima/evm: signature verification support " Mimi Zohar
2013-01-17 18:03 ` David Howells
2013-01-18 15:16 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130128185625.GC5868@redhat.com \
--to=vgoyal@redhat.com \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jmorris@namei.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.