Menu
▾
▴
[Linux-ima-user] [RFC PATCH v3 0/4] Include and install file signatures
|
From: <fi...@li...> - 2014-10-07 20:20:16
|
From: Fionnuala Gunter <fi...@li...> The Linux kernel's ima-appraisal module verifies file signatures. The problem with verifying digital signatures of files is how the files are signed in the first place. In our current prototype, we sign all files after system installation, but this doesn't handle ongoing updates. We propose that Linux distributors sign all files as part of the normal package signing. RPM already maintains hashes of all files in the rpm package, and this can be extended to add file signatures. This patch set extends the rpm signing tool to include file signatures in packages, and extends the rpm install tool to install file signatures. Changelog v2: -support for inline signing of files -command line option for file signing key -included missing file -fixed type in rpmDigestAlgo Changelog v3: -split up patch Fionnuala Gunter (4): Add file signature to fsm_file_post parameter list Sign package files and include signatures in package header Label ima xattr when signed files are installed Sign package files during installation configure.ac | 8 ++ doc/rpm.8 | 28 +++-- doc/rpmsign.8 | 22 +++- lib/Makefile.am | 3 +- lib/fsm.c | 68 ++++++++++- lib/poptI.c | 7 ++ lib/rpmcli.h | 2 + lib/rpminstall.c | 10 +- lib/rpmplugin.h | 3 +- lib/rpmplugins.c | 5 +- lib/rpmplugins.h | 4 +- lib/rpmsignfiles.c | 130 +++++++++++++++++++++ lib/rpmsignfiles.h | 45 ++++++++ lib/rpmtag.h | 1 + lib/rpmts.c | 15 +++ lib/rpmts.h | 15 +++ lib/rpmts_internal.h | 2 + macros.in | 1 + plugins/Makefile.am | 4 + plugins/ima.c | 83 ++++++++++++++ rpmpopt.in | 1 + rpmsign.c | 14 ++- sign/rpmgensig.c | 319 +++++++++++++++++++++++++++++++++++++++++++++++---- sign/rpmsign.h | 7 +- 24 files changed, 750 insertions(+), 47 deletions(-) create mode 100644 lib/rpmsignfiles.c create mode 100644 lib/rpmsignfiles.h create mode 100644 plugins/ima.c -- 1.9.3 |
