Message-Id: <1581016217.5585.449.camel@linux.ibm.com>
Date: Thu, 06 Feb 2020 14:10:17 -0500
From: Mimi Zohar <zohar@...ux.ibm.com>
To: Eric Snowberg <eric.snowberg@...cle.com>
Cc: dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
dhowells@...hat.com, geert@...ux-m68k.org,
gregkh@...uxfoundation.org, nayna@...ux.ibm.com,
tglx@...utronix.de, bauerman@...ux.ibm.com, mpe@...erman.id.au,
linux-integrity@...r.kernel.org,
linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module
appended signatures

On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> > On Feb 6, 2020, at 11:05 AM, Mimi Zohar <zohar@...ux.ibm.com> wrote:
> >
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> >> Currently IMA can validate compressed modules containing appended
> >> signatures. This adds the ability to also validate uncompressed
> >> modules when appraise_type=imasig|modsig.
> >>
> >> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> >
> > Your patch description in no way matches the code.
> >
>
> How about if I changed the description to the following:
>
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig. An uncompressed module that
> is internally signed must still be ima signed.
>
> Add the ability to validate the uncompressed module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
>
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
>
> It will load modules containing an appended signature when either compressed
> or uncompressed.

We - Nayna and I - will be commenting on the cover letter shortly. I
think that will help clarify the problem(s).

Mimi