From: Thiago J. B. <bau...@li...> - 2017-06-08 18:50:02

Rock Lee <roc...@gm...> writes:
> Mimi Zohar <zo...@li...> writes:
>> You can't, but yesterday Thiago Bauermann posted patches for adding
>> appended signature support.
>
> Wow, it's really good news. I was looking for a perfect way for
> upgrading purposes (through network). And I found IMA is a good way to
> support my goals. But IMA stores the signature in an xattr, which is not very
> convenient for me to upgrade my device. Because xattrs are separate
> from the real file data and can be lost easily, I need to keep
> the xattrs carefully. But with the appended signature feature, the
> signature is treated as a part of the file data, so I don't need to worry
> about the xattr things. Did I miss something?

tar and rpm have support for storing file signatures in extended
attributes, and many backup tools support storing and restoring xattrs
as well.

> BTW, are the .sig files used for the appended signatures feature? And how
> can I generate a file with an appended signature?

My patches allow checking for appended signatures in a limited number
of IMA hooks: FIRMWARE_CHECK, KEXEC_KERNEL_CHECK and
KEXEC_INITRAMFS_CHECK.

The appended signature support uses the same format that the Linux
kernel uses for signing modules, which is different from what evmctl
generates. You can add appended signatures to files using the
sign-file tool from the Linux kernel source code. See this document
for details on how to use it:

https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html

-- 
Thiago Jung Bauermann
IBM Linux Technology Center
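The message above says the appended signature uses the kernel's module-signing layout: the signed content, then the PKCS#7 signature blob, then a fixed 12-byte `struct module_signature` header, then the literal trailer `~Module signature appended~\n`. The following is an added example, not code from this thread or from the IMA patches, that builds and splits files in that layout so a verifier can locate the payload and the detached PKCS#7 blob before handing the blob to a signature check. The header layout and the trailer string are the kernel's; the sample payload and the signature bytes are constructed placeholders, and the PKCS#7 content itself is assumed to come from sign-file (or any PKCS#7 signer).

```python
import struct

# Trailer that marks a file as carrying a kernel-style appended signature.
MODULE_SIG_STRING = b"~Module signature appended~\n"
# struct module_signature.id_type value for a PKCS#7 signature blob.
PKEY_ID_PKCS7 = 2
# struct module_signature: algo, hash, id_type, signer_len, key_id_len,
# __pad[3], __be32 sig_len -- 12 bytes, sig_len big-endian.
SIG_HDR = struct.Struct(">BBBBB3sI")


def append_signature(payload: bytes, pkcs7_der: bytes) -> bytes:
    """Return payload with pkcs7_der attached in the module-signing layout.

    For a PKCS#7 signature every header field except id_type and sig_len
    is zero, because the signer identity lives inside the PKCS#7 blob.
    """
    if not pkcs7_der:
        raise ValueError("refusing to append an empty signature")
    hdr = SIG_HDR.pack(0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(pkcs7_der))
    return payload + pkcs7_der + hdr + MODULE_SIG_STRING


def split_appended_signature(data: bytes):
    """Return (payload, pkcs7_der) if data ends with an appended signature.

    Returns (data, None) when no trailer is present, so callers can decide
    whether an unsigned file is acceptable under their policy. Raises
    ValueError on a malformed trailer rather than silently trusting it.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data, None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < SIG_HDR.size:
        raise ValueError("truncated module_signature header")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = SIG_HDR.unpack(
        body[-SIG_HDR.size:]
    )
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported signature id_type %d" % id_type)
    # The kernel rejects non-zero legacy fields for PKCS#7; do the same.
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("non-zero legacy fields in PKCS#7 module_signature")
    rest = body[: -SIG_HDR.size]
    if sig_len == 0 or sig_len > len(rest):
        raise ValueError("sig_len %d out of range for %d byte body" % (sig_len, len(rest)))
    cut = len(rest) - sig_len
    return rest[:cut], rest[cut:]


if __name__ == "__main__":
    # Constructed demo input; a real PKCS#7 blob would come from sign-file.
    demo_payload = b"constructed firmware image bytes"
    demo_sig = bytes(range(40))
    signed = append_signature(demo_payload, demo_sig)
    payload, sig = split_appended_signature(signed)
    print("payload %d bytes, signature %d bytes" % (len(payload), len(sig)))
```

The extracted `pkcs7_der` is a detached PKCS#7 signature over `payload`; on the kernel side that pair is what the module-signing code verifies against the trusted keyring, and in userspace it can be checked with an openssl `smime`/`cms -verify` run in detached-content mode against the signing certificate. The parser deliberately treats a bad header as an error rather than falling back to "unsigned", since a file that claims to carry a signature but does not parse should not be accepted by an appraisal policy that expects signatures.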