Re: [RFC PATCH 0/6][v3] ima: Support a mode to appraise signed files only

[Vivek Goyal <vgoyal@redhat.com>]

On Thu, Feb 14, 2013 at 03:51:24PM -0500, Mimi Zohar wrote:
> On Thu, 2013-02-14 at 14:55 -0500, Vivek Goyal wrote:
> > Hi,
> > 
> > Currently ima appraises all the files as specified by the rule.
> 
> Currently IMA appraises files based on policy.

And policy is composed of multiple rules. Ok, will change it.

> 
> >  So
> > if one wants to create a system where only few executables are
> > signed, that system will not work with IMA.
> 
> This statement misrepresents the IMA policy.  You can definitely define
> a policy that only measures/appraises a few specific files. In your
> usecase scenario, you are not willing to rely on LSM labels.  Policy
> rules can also be based on file owner.  We could also add support for
> gid.

Ok, will change it. How about following.

We want to create a system where only few executables are signed. This
patch extends IMA policy syntax so that one can specify that signatures
are optional.

> 
> > With secureboot, one needs to disable kexec so that unsigned kernels
> > can't be booted. To avoid this problem, it was proposed that sign
> > /sbin/kexec binary and if signatures are verified successfully, give
> > an special capability to the /sbin/kexec process. And in secureboot
> > mode processes with that special capability can invoke sys_kexec()
> > system call.
> 
> Please add here that you then rely on /sbin/kexec to verify the
> integrity of the kernel image.

Ok, will do that. This is infact a grey area. Yet to be figured out
how /sbin/kexec will ensure a signed kernel is being loaded.

Thanks
Vivek