From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
dhowells@redhat.com, matthewgarrett@google.com,
sashal@kernel.org, jamorris@linux.microsoft.com,
linux-integrity@vger.kernel.org,
linux-security-module@vger.kernel.org, keyrings@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 3/5] KEYS: Call the IMA hook to measure keys
Date: Fri, 15 Nov 2019 08:14:39 -0500 [thread overview]
Message-ID: <1573823679.4793.121.camel@linux.ibm.com> (raw)
In-Reply-To: <24262d82-c90b-b64d-f237-9ef038f38d0e@linux.microsoft.com>
On Thu, 2019-11-14 at 10:24 -0800, Lakshmi Ramasubramanian wrote:
> On 11/14/2019 6:54 AM, Mimi Zohar wrote:
> > With this patch, keys are now being measured. With the boot command
> > line, we can verify the measurement entry against /proc/cmdline. How
> > can the key measurement entry be verified? Please include that
> > information, here, in this patch description.
>
> Glad you could verify measurement of keys. Thanks a lot for trying it.
>
> Will add information on testing\validating the feature.
Thank you.
>
> > Also, can the key data, now included in the measurement list, be used
> > to verify signatures in the ima-sig or ima-modsig templates? Is there
> > a way of correlating a signature with a key? Perhaps include a
> > kselftest as an example.
>
> I am not familiar with kselftest. Will take a look and see if it'd be
> possible to correlate a signature with a key.
I'd like the measurement list to be self contained, allowing a
regression test, for example, to walk the measurement list, verifying
the file signatures stored in the measurement list based on the key
measurement(s).
It isn't so much about Kselftest, but implementing a regression test
(eg. Kselftest, LTP, ima-evm-utils, ...) as a PoC, in order to know
that the key measurement contains everything needed to identify the
key (eg. keyid, certificate serial number, ...) and verify file
signatures.
Mimi
next prev parent reply other threads:[~2019-11-15 13:14 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-14 3:11 [PATCH v7 0/5] KEYS: Measure keys when they are created or updated Lakshmi Ramasubramanian
2019-11-14 3:11 ` [PATCH v7 1/5] IMA: Add KEY_CHECK func to measure keys Lakshmi Ramasubramanian
2019-11-14 3:11 ` [PATCH v7 2/5] IMA: Define an IMA hook " Lakshmi Ramasubramanian
2019-11-14 18:30 ` Lakshmi Ramasubramanian
2019-11-14 3:12 ` [PATCH v7 3/5] KEYS: Call the " Lakshmi Ramasubramanian
2019-11-14 14:54 ` Mimi Zohar
2019-11-14 18:24 ` Lakshmi Ramasubramanian
2019-11-15 13:14 ` Mimi Zohar [this message]
2019-11-14 3:12 ` [PATCH v7 4/5] IMA: Add support to limit measuring keys Lakshmi Ramasubramanian
2019-11-14 14:37 ` Mimi Zohar
2019-11-14 18:18 ` Lakshmi Ramasubramanian
2019-11-14 3:12 ` [PATCH v7 5/5] IMA: Read keyrings= option from the IMA policy Lakshmi Ramasubramanian
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1573823679.4793.121.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dhowells@redhat.com \
--cc=jamorris@linux.microsoft.com \
--cc=keyrings@vger.kernel.org \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=matthewgarrett@google.com \
--cc=nramas@linux.microsoft.com \
--cc=sashal@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).