Re: [PATCH v8 00/14] Appended signatures support for IMA appraisal

[PATCH v8 00/14] Appended signatures support for IMA appraisal · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 01/14] MODSIGN: Export module signature definitions · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 02/14] PKCS#7: Refactor verify_pkcs7_signature() and add pkcs7_get_message_sig() · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 03/14] PKCS#7: Introduce pkcs7_get_digest() · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 04/14] integrity: Introduce struct evm_xattr · Thiago Jung Bauermann <hidden> · 2018-11-16
Re: [PATCH v8 04/14] integrity: Introduce struct evm_xattr · Mimi Zohar <zohar@linux.ibm.com> · 2018-11-29
[PATCH v8 05/14] integrity: Introduce integrity_keyring_from_id() · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 06/14] integrity: Introduce asymmetric_sig_has_known_key() · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 07/14] integrity: Select CONFIG_KEYS instead of depending on it · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 08/14] ima: Introduce is_signed() · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 09/14] ima: Export func_tokens · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 11/14] ima: Implement support for module-style appended signatures · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 12/14] ima: Add new "d-sig" template field · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 13/14] ima: Write modsig to the measurement list · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 14/14] ima: Store the measurement again when appraising a modsig · Thiago Jung Bauermann <hidden> · 2018-11-16
[PATCH v8 10/14] ima: Add modsig appraise_type option for module-style appended signatures · Thiago Jung Bauermann <hidden> · 2018-11-16
Re: [PATCH v8 00/14] Appended signatures support for IMA appraisal · James Morris <jmorris@namei.org> · 2018-12-04
Re: [PATCH v8 00/14] Appended signatures support for IMA appraisal · Thiago Jung Bauermann <hidden> · 2018-12-04

From: James Morris <jmorris@namei.org>
Date: 2018-12-04 22:00:39
Also in: keyrings, linux-crypto, linux-doc, linux-integrity, linux-security-module, lkml

On Fri, 16 Nov 2018, Thiago Jung Bauermann wrote:

On the OpenPOWER platform, secure boot and trusted boot are being
implemented using IMA for taking measurements and verifying signatures.
Since the kernel image on Power servers is an ELF binary, kernels are
signed using the scripts/sign-file tool and thus use the same signature
format as signed kernel modules.

This patch series adds support in IMA for verifying those signatures.

Are you saying you use IMA to verify kernels during boot?  From a Linux 
bootloader?

It adds flexibility to OpenPOWER secure boot, because it allows it to boot
kernels with the signature appended to them as well as kernels where the
signature is stored in the IMA extended attribute.

Just to clarify, with these patches, IMA will be able to verify the 
native form of signed kernel modules?  i.e. without xattrs at all, and 
this will work with existing signed modules?



-- 
James Morris
[off-list ref]

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help