lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 8 Feb 2012 16:02:28 +0200
From:	"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>
To:	Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc:	Rusty Russell <rusty@...abs.org>, James Morris <jmorris@...ei.org>,
	linux-security-module@...r.kernel.org,
	linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
	Lucas De Marchi <lucas.demarchi@...fusion.mobi>,
	Jon Masters <jcm@...hat.com>
Subject: Re: [RFC][PATCH v1 0/2] integrity: module integrity verification

On Wed, Feb 8, 2012 at 3:45 PM, Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> On Wed, 2012-02-08 at 10:09 +1030, Rusty Russell wrote:
>> On Tue, 7 Feb 2012 23:18:38 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com> wrote:
>> > On Tue, Feb 7, 2012 at 7:13 PM, Rusty Russell <rusty@...abs.org> wrote:
>> > > On Mon, 6 Feb 2012 08:59:00 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com> wrote:
>> > >> On Mon, Feb 6, 2012 at 3:51 AM, James Morris <jmorris@...ei.org> wrote:
>> > >> > On Wed, 1 Feb 2012, Dmitry Kasatkin wrote:
>> > >> >
>> > >> >> Hi,
>> > >> >>
>> > >> >> Here is another module verification patchset, which is based on the recently
>> > >> >> upstreamed digital signature support used by EVM and IMA-appraisal.
>> > >> >
>> > >> > You should cc: Rusty on any changes to the module code.
>> > >> >
>> > >>
>> > >> Hello,
>> > >>
>> > >> Mimi already has pointed that out.
>> > >> I have sent him an email with the link..
>> > >
>> > > Thanks.
>> > >
>> > > Using an external signature (via cmdline arguments) is simple, at
>> > > least.  Not sure what the userspace side of this looks like?
>> > >
>> >
>> > Hello,
>> >
>> > There are couple of patches for modprobe and insmod...
>> >
>> > You could see them on the top at:
>> > http://linux-ima.git.sourceforge.net/git/gitweb.cgi?p=linux-ima/module-init-tools.git;a=summary
>> >
>> > It first tries to read signature from xattr, then from file...
>> > "modprobe -v" will show 'ima='  parameter with signature.
>> >
>> > - Dmitry
>>
>> The problem is that distributions tend to have two variants of modules:
>> stripped and unstripped.  Thus you may want to support multiple
>> signatures, any *one* of which may match.
>>
>> I've cc'd the module-init-tools and libkmod maintainers for their
>> comments, too.
>>
>> Cheers,
>> Rusty.
>
> Hi Rusty,
>
> As a distro knows what it is shipping, why would you need support for
> both stripped/unstripped versions.  Unless "stripping" occurs post
> install.  Perhaps something similar to 'prelink'?
>

How are they distributed? In separate packages?
And striped during package creation?
Then during package building, before archiving, signing tool is simply
invoked for each binary package,
so "same" modules from different packages will get own signature.

Or it goes some other way?

> thanks,
>
> Mimi
>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ