| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.DEB.2.02.1412291824550.15184@nftneq.ynat.uz> Date: Mon, 29 Dec 2014 18:25:55 -0800 (PST) From: David Lang <david@...g.hm> To: Mimi Zohar <zohar@...ux.vnet.ibm.com> cc: Rob Landley <rob@...dley.net>, Christophe Fillot <cf@....fr>, linux-ima-user@...ts.sourceforge.net, linux-security-module <linux-security-module@...r.kernel.org>, linux-kernel <linux-kernel@...r.kernel.org> Subject: Re: [Linux-ima-user] Initramfs and IMA Appraisal On Mon, 29 Dec 2014, Mimi Zohar wrote: > Thanks Rob for the explanation. The problem is that ramfs does not > support extended attributes, while tmpfs does. The boot loader could > "measure" (trusted boot) the initramfs, but as the initramfs is > generated on the target system, the initramfs is not signed, preventing > it from being appraised (secure Boot). To close the initramfs integrity > appraisal gap requires verifying the individual initramfs file > signatures, which are stored as extended attributes. what's the point of checking the files on the filesystem against signatures stored on the same filesystem? If someone could alter the file contents they can alter the signatures as well. David Lang -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists