linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mehmet Kayaalp <mkayaalp@linux.vnet.ibm.com>
To: Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com>
Cc: kbuild test robot <lkp@intel.com>,
	kbuild-all@01.org, LSM <linux-security-module@vger.kernel.org>,
	linux-ima-devel@lists.sourceforge.net,
	keyrings <keyrings@vger.kernel.org>,
	linux-crypto@vger.kernel.org,
	kernel <linux-kernel@vger.kernel.org>,
	Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	David Howells <dhowells@redhat.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	Claudio Carvalho <cclaudio@linux.vnet.ibm.com>
Subject: Re: [PATCH 6/6] ima: Support appended signatures for appraisal
Date: Thu, 27 Apr 2017 18:17:30 -0400	[thread overview]
Message-ID: <027C5B04-376A-4340-9C6D-A5DB26327A3A@linux.vnet.ibm.com> (raw)
In-Reply-To: <1565385.DQpqeaisNG@morokweng>


> On Apr 27, 2017, at 5:41 PM, Thiago Jung Bauermann <bauerman@linux.vnet.ibm.com> wrote:
> 
> Am Mittwoch, 26. April 2017, 18:18:34 BRT schrieb Mehmet Kayaalp:
>>> On Apr 20, 2017, at 7:41 PM, Thiago Jung Bauermann
>>> <bauerman@linux.vnet.ibm.com> wrote:
>>> 
>>> This patch introduces the appended_imasig keyword to the IMA policy syntax
>>> to specify that a given hook should expect the file to have the IMA
>>> signature appended to it. Here is how it can be used in a rule:
>>> 
>>> appraise func=KEXEC_KERNEL_CHECK appraise_type=appended_imasig
>>> appraise func=KEXEC_KERNEL_CHECK appraise_type=appended_imasig|imasig
>>> 
>>> In the second form, IMA will accept either an appended signature or a
>>> signature stored in the extended attribute. In that case, it will first
>>> check whether there is an appended signature, and if not it will read it
>>> from the extended attribute.
>>> 
>>> The format of the appended signature is the same used for signed kernel
>>> modules. This means that the file can be signed with the scripts/sign-file
>> 
>>> tool, with a command line such as this:
>> I would suggest naming the appraise_type as modsig (or some variant) to
>> clarify that the format is defined by how module signatures are handled.
>> Maybe we'd like to define a different appended/inline signature format for
>> IMA in the future.
> 
> I like the suggestion. Would that mean that we will keep refering to it as 
> "module signature format", and thus nothing changes in patch 5?

I think so. If we want IMA to own the format, we might want to go further than
just changing the word "module" in the marker. We might consider having more
flexibility and some additional fields, for example multiple signatures, or certificate
chains, ascii/binary encodings etc. We could maybe add a different type for CMS
Signed-Data.

Mehmet

  reply	other threads:[~2017-04-27 22:13 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-04-18 20:17 [PATCH 0/6] Appended signatures support for IMA appraisal Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 1/6] integrity: Small code improvements Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 2/6] ima: Tidy up constant strings Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 3/6] ima: Simplify policy_func_show Thiago Jung Bauermann
2017-04-20 12:13   ` Mimi Zohar
2017-04-20 20:40     ` Thiago Jung Bauermann
2017-04-21 13:57       ` Mimi Zohar
2017-04-24 17:14         ` Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 4/6] ima: Log the same audit cause whenever a file has no signature Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 5/6] MODSIGN: Export module signature definitions Thiago Jung Bauermann
2017-04-20 12:35   ` Mimi Zohar
2017-04-20 14:37   ` David Howells
2017-04-20 21:07     ` Thiago Jung Bauermann
2017-04-18 20:17 ` [PATCH 6/6] ima: Support appended signatures for appraisal Thiago Jung Bauermann
2017-04-20  3:04   ` kbuild test robot
2017-04-20 23:41     ` Thiago Jung Bauermann
2017-04-26 22:18       ` Mehmet Kayaalp
2017-04-27 21:41         ` Thiago Jung Bauermann
2017-04-27 22:17           ` Mehmet Kayaalp [this message]
2017-04-26 11:21   ` Mimi Zohar
2017-04-26 20:40     ` Thiago Jung Bauermann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=027C5B04-376A-4340-9C6D-A5DB26327A3A@linux.vnet.ibm.com \
    --to=mkayaalp@linux.vnet.ibm.com \
    --cc=bauerman@linux.vnet.ibm.com \
    --cc=cclaudio@linux.vnet.ibm.com \
    --cc=davem@davemloft.net \
    --cc=dhowells@redhat.com \
    --cc=dmitry.kasatkin@gmail.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=kbuild-all@01.org \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-ima-devel@lists.sourceforge.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=lkp@intel.com \
    --cc=zohar@linux.vnet.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).