| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 May 2012 14:53:22 +0100 From: David Howells <dhowells@...hat.com> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> Cc: dhowells@...hat.com, "Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>, Rusty Russell <rusty@...tcorp.com.au>, kyle@...artin.ca, linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, keyrings@...ux-nfs.org Subject: Re: [PATCH 00/23] Crypto keys and module signing Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote: > The issue here is whether we want the integrity metadata for kernel > modules to be stored differently than for all other files. Surely it's handled differently. The kernel is told by insmod what the signature should be in your scheme rather than going looking for it itself. In such a case, why not include the signature in the module file? It's more efficient on the filesystem, doesn't require xattr support and is easier for things like the initramfs composer to deal with. Btw, am I right in thinking that with IMA, the kernel itself normally goes and finds the signature (if there is one) for a file when it needs to open a file? Do you only check the IMA when exec'ing a file or whenever you open it? David -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists