From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: David Howells <dhowells@redhat.com>
Cc: keyrings@vger.kernel.org, linux-security-module@vger.kernel.org,
linux-kernel@vger.kernel.org, tadeusz.struk@intel.com
Subject: Re: [PATCH 0/8] X.509: Software public key subtype changes
Date: Tue, 23 Feb 2016 07:28:00 -0500 [thread overview]
Message-ID: <1456230480.4799.45.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <10100.1456222613@warthog.procyon.org.uk>
On Tue, 2016-02-23 at 10:16 +0000, David Howells wrote:
> Mimi Zohar <zohar@linux.vnet.ibm.com> wrote:
>
> > To measure and appraise just the kexec initramfs, define a policy
> > containing:
>
> Doesn't this require a TPM?
For appraising file signatures, a TPM is definitely not required! Even
in the case of making sure that the file measurements are being taken, a
TPM is not required. For purposes of testing changes to the asymmetric
keys or the key subsystem in general, a TPM is not required.
The TPM is needed for quoting PCRs. When a TPM is available, IMA, in
addition to adding the file measurements to the run time measurement
list, extends a TPM PCR with the file measurements. A trusted third
party, can then validate the measurement list against the PCR quote.
The real question is which files need to be measured and appraised in
order to either prevent or, at least, to be able to detect a system
compromise. But for your use case scenario, of making sure that changes
to the asymmetric keys or the key subsystem in general has not broken
IMA, measuring and appraising a single file should be enough.
Mimi
prev parent reply other threads:[~2016-02-23 12:28 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-02-19 17:18 [PATCH 0/8] X.509: Software public key subtype changes David Howells
2016-02-19 17:18 ` [PATCH 1/8] crypto: KEYS: convert public key and digsig asym to the akcipher api David Howells
2016-02-19 17:18 ` [PATCH 2/8] integrity: convert digsig to " David Howells
2016-02-19 17:18 ` [PATCH 3/8] crypto: public_key: remove MPIs from public_key_signature struct David Howells
2016-02-19 17:18 ` [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto layer David Howells
2016-02-22 19:59 ` Tadeusz Struk
2016-02-22 22:28 ` David Howells
2016-02-22 23:35 ` Tadeusz Struk
2016-02-23 0:01 ` Andrew Zaborowski
2016-02-23 10:53 ` David Howells
2016-02-24 17:12 ` [PATCH 0/2] KEYS: Use pkcs1pad for padding in software_pkey Tadeusz Struk
2016-02-24 17:12 ` [PATCH 1/2] crypto: Add hash param to pkcs1pad Tadeusz Struk
2016-02-24 17:12 ` [PATCH 2/2] crypto: remove padding logic from rsa.c Tadeusz Struk
2016-02-27 18:40 ` Herbert Xu
2016-02-28 3:20 ` Tadeusz Struk
2016-02-26 14:00 ` David Howells
2016-02-26 15:02 ` David Howells
2016-02-24 17:28 ` [PATCH 0/2] KEYS: Use pkcs1pad for padding in software_pkey David Howells
2016-02-23 10:55 ` [PATCH 4/8] akcipher: Move the RSA DER encoding to the crypto layer David Howells
2016-02-23 11:25 ` Andrew Zaborowski
2016-02-26 11:42 ` David Howells
2016-02-24 5:04 ` Mimi Zohar
2016-02-24 5:59 ` Mimi Zohar
2016-02-29 15:37 ` David Howells
2016-02-19 17:18 ` [PATCH 5/8] X.509: Make algo identifiers text instead of enum David Howells
2016-02-19 17:18 ` [PATCH 6/8] X.509: Make the public_key asymmetric key type internal data private David Howells
2016-02-19 17:18 ` [PATCH 7/8] X.509: Rename public_key.c to software_pkey.c David Howells
2016-02-19 17:19 ` [PATCH 8/8] X.509: Rename public_key* to software_pkey* David Howells
2016-02-22 18:57 ` [PATCH 0/8] X.509: Software public key subtype changes Mimi Zohar
2016-02-22 19:59 ` Tadeusz Struk
2016-02-22 22:29 ` David Howells
2016-02-23 0:03 ` Mimi Zohar
2016-02-23 10:16 ` David Howells
2016-02-23 12:28 ` Mimi Zohar [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1456230480.4799.45.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=dhowells@redhat.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=tadeusz.struk@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).