Re: [PATCH 00/23] Crypto keys and module signing

[Mimi Zohar <zohar@linux.vnet.ibm.com>]

On Fri, 2012-05-25 at 14:53 +0100, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
> 
> > The issue here is whether we want the integrity metadata for kernel
> > modules to be stored differently than for all other files.
> 
> Surely it's handled differently.  The kernel is told by insmod what the
> signature should be in your scheme rather than going looking for it itself.  In
> such a case, why not include the signature in the module file?  It's more
> efficient on the filesystem, doesn't require xattr support and is easier for
> things like the initramfs composer to deal with.

Yes, unfortunately, it is handled differently.  Instead of passing a
file descriptor, a buffer containing the file data is passed.  Without
the file descriptor, you also need to pass the file metadata, in this
case, the signature as well.  Whether the signature is passed as a
separate parameter or appended to the file, it still is being passed to
the kernel.

> Btw, am I right in thinking that with IMA, the kernel itself normally goes and
> finds the signature (if there is one) for a file when it needs to open a file?
> Do you only check the IMA when exec'ing a file or whenever you open it?
> 
> David

IMA measures a file and appraises file data integrity based on the IMA
measurement/appraisal policy.  There are currently 3 hooks: open -
ima_file_check(), exec - ima_bprm_check() and mmap - ima_file_mapp().

I don't know the reasons or history for passing the file data content,
instead of a file descriptor, but if a file descriptor were passed, then
module integrity appraisal could simply be another integrity hook.

Mimi