lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1581016217.5585.449.camel@linux.ibm.com>
Date:   Thu, 06 Feb 2020 14:10:17 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Eric Snowberg <eric.snowberg@...cle.com>
Cc:     dmitry.kasatkin@...il.com, jmorris@...ei.org, serge@...lyn.com,
        dhowells@...hat.com, geert@...ux-m68k.org,
        gregkh@...uxfoundation.org, nayna@...ux.ibm.com,
        tglx@...utronix.de, bauerman@...ux.ibm.com, mpe@...erman.id.au,
        linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH 1/2] ima: Implement support for uncompressed module
 appended signatures

On Thu, 2020-02-06 at 12:01 -0700, Eric Snowberg wrote:
> > On Feb 6, 2020, at 11:05 AM, Mimi Zohar <zohar@...ux.ibm.com> wrote:
> > 
> > On Thu, 2020-02-06 at 11:42 -0500, Eric Snowberg wrote:
> >> Currently IMA can validate compressed modules containing appended
> >> signatures.  This adds the ability to also validate uncompressed
> >> modules when appraise_type=imasig|modsig.
> >> 
> >> Signed-off-by: Eric Snowberg <eric.snowberg@...cle.com>
> > 
> > Your patch description in no way matches the code.
> > 
> 
> How about if I changed the description to the following:
> 
> Currently IMA can only validate compressed modules containing appended
> signatures when appraise_type=imasig|modsig.  An uncompressed module that 
> is internally signed must still be ima signed.  
> 
> Add the ability to validate the uncompress module by validating it against
> keys contained within the .builtin_trusted_keys keyring. Now when using a
> policy such as:
> 
> appraise func=MODULE_CHECK appraise_type=imasig|modsig
> 
> It will load modules containing an appended signature when either compressed
> or uncompressed.

We - Nayna and I - will be commenting on the cover letter shortly.  I
think that will help clarify the problem(s).

Mimi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ