From: Mimi Z. <zo...@li...> - 2014-12-05 15:38:18
On Fri, 2014-12-05 at 10:30 -0500, Mimi Zohar wrote:
> On Fri, 2014-12-05 at 12:09 +0200, Dmitry Kasatkin wrote:
> > On 04/12/14 18:43, Mimi Zohar wrote:
> > > On Thu, 2014-12-04 at 17:02 +0200, Dmitry Kasatkin wrote:
> > >> On 04/12/14 15:52, Mimi Zohar wrote:
> > >>> System images would now have a combination of existing "normal" and new
> > >>> non-modifiable signatures. For the existing "normal", wouldn't the new
> > >>> system independent signature, we discussed above, be desirable? How
> > >>> would they be included?
> > >> Basically approach is to have 3 types of signatures
> > >>
> > >> 1. Normal (sig), system dependent, which includes i_no, fsuuid. They are
> > >> converted to HMAC. They are set during image creation..
> > >>
> > >> 2. System independent signatures (si-sig). They are set at runtime from
> > >> packages and included to the hmac calculation.
> > >>
> > >> 3. Normal, system dependent, but not convertible. They also include
> > >> i_no, fsuuid, etc... They are set during image creation..
> > >>
> > >>
> > >> I think there is no need for combination: normal+si-sig
> > >>
> > >> What do you think?
> > > Agreed, but on flashed systems, everything is signed. Some will now
> > > have the non-modifiable signature, but others won't. Those that have
> > > the original "normal" signature will be converted to an HMAC. Without
> > > storing the si-sig somewhere, it won't be available to append to the
> > > HMAC. So, perhaps we do need the si-sig as a separate xattr after all.
> > >
> > > Mimi
> > >
> > >
> >
> > I do not understand you a bit.
> >
> > Yes some will have signatures which will be replaced with hmac, but some
> > not...
> >
> > For those which replaced with hmac, signature will be gone...
>
> Right, but there might be some benefit to protect other metadata for
> mutable files.

Forget this option. The hash is still included in the si-sig.

Mimi