From: Mimi Z. <zo...@li...> - 2012-03-02 16:30:05

On Wed, 2012-02-22 at 10:45 +1100, m.c...@gm... wrote:
> Hi Mimi,
> Could you please elaborate on the wiki what the ima_appraise options
> actually mean? I can take a guess, but a simple table explaining
> exactly what they are would be useful. Same with the evm options.

Thanks for the suggestions.

> Additionally, the wiki (as I have read it) suggests that measuring is
> enabled and on when the ima_tcb kernel option is given. From what
> you've written on the list, it should be possible to appraise when a
> file is mmapped, opened or executed according to the policy without
> being measured. Can you make this a bit more explicit in the wiki,
> explaining what the measurement options are to enable/disable
> measurement? If this is done via the policy instead of via a kernel
> option, can you adjust that as well (I don't know if there's a policy
> option of appraise only)?

These are all good questions. For IMA measurement, the chain of trust needs to be there before we access any files, including the measurement policy; so we require a builtin policy. Is this also necessary for appraisal? Perhaps, but I'm not sure. It might suffice to provide dracut, or equivalent, with the measurement/appraisal policy name on the boot command line.

> You're doing some great work here. While I'm not using IMA for
> attestation, I'm planning on verifying all my configuration files and
> executables. The features you've got ready for the 3.3 merge seem to
> fit exactly what I'm after, but I need to know what to set in kernel
> first. Keep up the good work.

Thank you for your support! Unfortunately, the benefits of the 3.3 features - verifying and appraising files - require IMA-appraisal, which is still a proposed patch set.

git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity #next-ima-appraisal

For the IMA-appraisal patches to be upstreamed, we most likely need some additional reviews/Acks. :)

The patches were last posted http://marc.info/?l=linux-security-module&m=133062939721505&w=2

thanks,
Mimi