From: Mimi Z. <zo...@li...> - 2015-03-25 11:46:13
On Tue, 2015-03-24 at 15:35 +0200, Petko Manolov wrote:
> On 15-03-23 18:47:43, Mimi Zohar wrote:
> > On Mon, 2015-03-23 at 16:43 +0200, Petko Manolov wrote:
> > >
> > > I've gotten the above to work. The question is, does this make sense:
> > >
> > > local-CA ----> IMA_key_1 (signed certificate (eg. selfsigned/CA 1))
> > >   |
> > >   |---> local-CA2 (on the .system keyring) ---> IMA_key_3 (signed cert/CA3)
> > >
> > > Here local-CA2 (that belongs to trusted entity) is used to sign
> > > IMA_key_3 (and possibly others) which in turn IMA signs immutable
> > > files.
> >
> > Assuming you trust all the keys on the system keyring, then any key on
> > the system keyring can verify the certificate. Otherwise, use the
> > "ca_keys=" boot command line option to specify the specific key.
>
> Another useful option, thanks.
>
> BTW, where can I download these (MOK related) kernel patches from? Are they public?

The original patches were posted on LKML and are available from fedoraproject.org.

Mimi