| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1432227565.2450.23.camel@linux.vnet.ibm.com> Date: Thu, 21 May 2015 12:59:25 -0400 From: Mimi Zohar <zohar@...ux.vnet.ibm.com> To: Petko Manolov <petkan@...-labs.com> Cc: David Howells <dhowells@...hat.com>, "Luis R. Rodriguez" <mcgrof@...e.com>, Andy Lutomirski <luto@...nel.org>, linux-security-module@...r.kernel.org, james.l.morris@...cle.com, serge@...lyn.com, linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org, Kyle McMartin <kyle@...nel.org>, David Woodhouse <david.woodhouse@...el.com>, Seth Forshee <seth.forshee@...onical.com>, Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Joey Lee <jlee@...e.de>, Rusty Russell <rusty@...tcorp.com.au>, mricon@...nel.org, Michal Marek <mmarek@...e.cz>, Abelardo Ricart III <aricart@...nix.com>, Sedat Dilek <sedat.dilek@...il.com>, keyrings@...ux-nfs.org, Borislav Petkov <bp@...en8.de>, Jiri Kosina <jkosina@...e.cz>, Linus Torvalds <torvalds@...ux-foundation.org> Subject: Re: [RFD] linux-firmware key arrangement for firmware signing On Thu, 2015-05-21 at 19:43 +0300, Petko Manolov wrote: > On 15-05-21 16:51:49, David Howells wrote: > > > > I do have patches to parse PGP key data and add the public keys found therein > > onto the kernel keyring, but that would mean adding an extra key data parser. > > PGP is widely used so i would gladly have one more parser in the kernel. > > > You could probably do this with the integrity functions - but turning them on > > has a performance cost and you have to load things in the right order as I > > understand it. > > The performance hit is negligible, especially on modern hardware. The problem > is that Joe user must wrap his head around IMA as a concept and go through the > pains of doing everything right. Failing to do so will result in a lot of > frustration, and i speak from experience. > > Once you make it run properly it mostly stays out of your way. To put it > another way: IMA is not for sissies... :) The main problem today is that software doesn't come and isn't installed with file signatures. Once file signatures are installed with the files, then it is just a matter of the machine owner signing the software's public keys. Dracut (or equivalent) would load the signed keys onto the trusted IMA keyring. Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists