From: Rusty Russell <rusty@ozlabs.org>
To: "Kasatkin\, Dmitry" <dmitry.kasatkin@intel.com>,
Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: James Morris <jmorris@namei.org>,
linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
Lucas De Marchi <lucas.demarchi@profusion.mobi>,
Jon Masters <jcm@redhat.com>
Subject: Re: [RFC][PATCH v1 0/2] integrity: module integrity verification
Date: Thu, 09 Feb 2012 04:32:57 +1030 [thread overview]
Message-ID: <8762fhgq3y.fsf@rustcorp.com.au> (raw)
In-Reply-To: <CALLzPKb=6hSAW0-QxEhkH8wih8c20cLqcLVjm+CcXBGp0a901Q@mail.gmail.com>
On Wed, 8 Feb 2012 16:02:28 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@intel.com> wrote:
> On Wed, Feb 8, 2012 at 3:45 PM, Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> > On Wed, 2012-02-08 at 10:09 +1030, Rusty Russell wrote:
> >> The problem is that distributions tend to have two variants of modules:
> >> stripped and unstripped. Thus you may want to support multiple
> >> signatures, any *one* of which may match.
> >>
> >> I've cc'd the module-init-tools and libkmod maintainers for their
> >> comments, too.
> > Hi Rusty,
> >
> > As a distro knows what it is shipping, why would you need support for
> > both stripped/unstripped versions. Unless "stripping" occurs post
> > install. Perhaps something similar to 'prelink'?
>
> How are they distributed? In separate packages?
> And striped during package creation?
> Then during package building, before archiving, signing tool is simply
> invoked for each binary package,
> so "same" modules from different packages will get own signature.
>
> Or it goes some other way?
I don't know. Perhaps it isn't an issue; David Howells and Jon Masters
might have comments.
Cheers,
Rusty.
next prev parent reply other threads:[~2012-02-08 18:03 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-02-01 20:25 [RFC][PATCH v1 0/2] integrity: module integrity verification Dmitry Kasatkin
2012-02-01 20:25 ` [RFC][PATCH v1 1/2] integrity: add ima_module_check hook Dmitry Kasatkin
2012-02-01 20:25 ` [RFC][PATCH v1 2/2] integrity: verify module integrity based on signature Dmitry Kasatkin
2012-02-06 1:51 ` [RFC][PATCH v1 0/2] integrity: module integrity verification James Morris
2012-02-06 6:59 ` Kasatkin, Dmitry
2012-02-07 17:13 ` Rusty Russell
2012-02-07 21:18 ` Kasatkin, Dmitry
2012-02-07 23:39 ` Rusty Russell
2012-02-08 13:45 ` Mimi Zohar
2012-02-08 14:02 ` Kasatkin, Dmitry
2012-02-08 18:02 ` Rusty Russell [this message]
2012-02-13 16:20 ` David Howells
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=8762fhgq3y.fsf@rustcorp.com.au \
--to=rusty@ozlabs.org \
--cc=dhowells@redhat.com \
--cc=dmitry.kasatkin@intel.com \
--cc=jcm@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=lucas.demarchi@profusion.mobi \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.