[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3662.1337954002@redhat.com>
Date: Fri, 25 May 2012 14:53:22 +0100
From: David Howells <dhowells@...hat.com>
To: Mimi Zohar <zohar@...ux.vnet.ibm.com>
Cc: dhowells@...hat.com,
"Kasatkin, Dmitry" <dmitry.kasatkin@...el.com>,
Rusty Russell <rusty@...tcorp.com.au>, kyle@...artin.ca,
linux-kernel@...r.kernel.org,
linux-security-module@...r.kernel.org, keyrings@...ux-nfs.org
Subject: Re: [PATCH 00/23] Crypto keys and module signing
Mimi Zohar <zohar@...ux.vnet.ibm.com> wrote:
> The issue here is whether we want the integrity metadata for kernel
> modules to be stored differently than for all other files.
Surely it's handled differently. The kernel is told by insmod what the
signature should be in your scheme rather than going looking for it itself. In
such a case, why not include the signature in the module file? It's more
efficient on the filesystem, doesn't require xattr support and is easier for
things like the initramfs composer to deal with.
Btw, am I right in thinking that with IMA, the kernel itself normally goes and
finds the signature (if there is one) for a file when it needs to open a file?
Do you only check the IMA when exec'ing a file or whenever you open it?
David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists