From: Rock L. <roc...@gm...> - 2017-06-09 10:06:33
> tar and rpm have support for storing file signatures in extended
> attributes, and many backup tools support storing and restoring xattrs as
> well.

I agree with you. But I tried tar many times, and it seems it doesn't work. Since tar is under GPLv3, and I don't want GPLv3, I don't bother with tar ;-). Instead, dar is a perfect tool to keep the xattrs as I expected.

It is kind of tricky to keep xattrs during update. For example, sometimes I need to transmit (like scp) files with signatures to an IMA-enabled device, and it is hard to keep the signature (although rsync is capable of doing this). And some filesystems don't support xattrs (like vfat; sorry to mention this fs, but sometimes I need to use adb to push files), which gives me a little headache.

If the signature can be kept in a .sig file, and IMA is able to load the signature from this .sig, it would be perfect. I noticed Tizen supports loading .sig files:
https://wiki.tizen.org/Security:IntegrityMeasurement/Examples
But it seems Linux doesn't support this feature yet.

>> BTW, do the .sig files used for appended signatures feature? And how
>> can I generate a file with append signature?
>
> My patches allow checking for appended signatures in a limited number of
> IMA hooks: FIRMWARE_CHECK, KEXEC_KERNEL_CHECK and KEXEC_INITRAMFS_CHECK.
>
> The appended signature support uses the same format that the Linux kernel
> uses for signing modules, which is different from what evmctl generates.
>
> You can add appended signatures to files using the sign-file tool from the
> Linux kernel source code. See this document for details on how to use it:
>
> https://www.kernel.org/doc/html/latest/admin-guide/module-signing.html
>
> --
> Thiago Jung Bauermann
> IBM Linux Technology Center

--
Cheers,
Rock
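The appended-signature layout Thiago points to (the kernel's module signing format) can be recognised on disk without any xattr support, which is exactly the property Rock is after when a file is pushed over scp, adb or vfat. The following Python script is an added example, not code from this thread, from the kernel tree or from sign-file: it parses the 12-byte module_signature trailer plus the "~Module signature appended~\n" magic that sign-file appends, splits the payload from the signature blob, and rejects inconsistent framing the way a loader should (a bad trailer is a verification failure, not an unsigned file). The field layout follows include/linux/module_signature.h as I know it; the sample payload and signature blob are constructed placeholders (the blob is not a real PKCS#7 structure), and verifying the PKCS#7 data against a key is deliberately out of scope.

```python
"""Detect and parse a kernel-style appended signature trailer.

Layout at the end of a signed file (as written by the kernel's sign-file):

    <payload><signature blob><struct module_signature><MODULE_SIG_STRING>

struct module_signature (12 bytes, big-endian sig_len):
    u8 algo, u8 hash, u8 id_type, u8 signer_len, u8 key_id_len,
    u8 __pad[3], __be32 sig_len
"""
import struct
from typing import NamedTuple, Optional

MODULE_SIG_STRING = b"~Module signature appended~\n"
# algo, hash, id_type, signer_len, key_id_len, 3 pad bytes, u32 sig_len
_SIG_STRUCT = struct.Struct(">BBBBB3xI")
PKEY_ID_PKCS7 = 2  # id_type that sign-file writes for PKCS#7 signatures


class AppendedSignature(NamedTuple):
    payload: bytes    # the bytes that were actually signed
    signature: bytes  # raw signature blob (PKCS#7 DER in sign-file output)
    id_type: int
    sig_len: int


def parse_appended_signature(data: bytes) -> Optional[AppendedSignature]:
    """Split a file into payload and signature.

    Returns None when no trailer magic is present (an unsigned file).
    Raises ValueError when the magic is present but the framing is
    inconsistent (truncated file, bogus sig_len, non-zero fields that
    must be zero for PKCS#7), mirroring the kernel's -EBADMSG handling.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return None
    body = data[: -len(MODULE_SIG_STRING)]
    if len(body) < _SIG_STRUCT.size:
        raise ValueError("trailer too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, sig_len = _SIG_STRUCT.unpack(
        body[-_SIG_STRUCT.size:]
    )
    body = body[: -_SIG_STRUCT.size]
    if id_type == PKEY_ID_PKCS7 and (algo or hash_ or signer_len or key_id_len):
        raise ValueError("PKCS#7 trailer must have zero algo/hash/signer/key_id")
    if sig_len > len(body):
        raise ValueError("sig_len exceeds the remaining file size")
    signature = body[len(body) - sig_len:]
    payload = body[: len(body) - sig_len]
    return AppendedSignature(payload, signature, id_type, sig_len)


def build_appended_signature(payload: bytes, signature: bytes,
                             id_type: int = PKEY_ID_PKCS7) -> bytes:
    """Frame a signature blob with the same trailer sign-file emits.

    Used here only to construct the sample below; in practice the blob
    comes from sign-file (or the kernel's own signing pipeline).
    """
    trailer = _SIG_STRUCT.pack(0, 0, id_type, 0, 0, len(signature))
    return payload + signature + trailer + MODULE_SIG_STRING


# Constructed sample input: a fake payload and a placeholder blob that is
# NOT a valid PKCS#7 structure (sign-file would write DER here).
SAMPLE_PAYLOAD = b"#!/bin/sh\necho hello from a signed script\n"
SAMPLE_SIG_BLOB = b"\x30\x82PLACEHOLDER-PKCS7-DER"
SAMPLE_SIGNED = build_appended_signature(SAMPLE_PAYLOAD, SAMPLE_SIG_BLOB)


def describe(data: bytes) -> str:
    """One-line status a deployment check could log for a shipped file."""
    try:
        parsed = parse_appended_signature(data)
    except ValueError as exc:
        return f"malformed appended signature: {exc}"
    if parsed is None:
        return "no appended signature"
    return (f"appended signature present: id_type={parsed.id_type} "
            f"sig_len={parsed.sig_len} payload_len={len(parsed.payload)}")


if __name__ == "__main__":
    print(describe(SAMPLE_PAYLOAD))
    print(describe(SAMPLE_SIGNED))
    # Only the trailer survives: framing is present but the blob is gone.
    print(describe(SAMPLE_SIGNED[-(_SIG_STRUCT.size + len(MODULE_SIG_STRING)):]))
```

The three cases printed by the usage block (unsigned, correctly framed, and truncated) are the ones a device-side check needs to distinguish: the middle case still needs a real PKCS#7 verification against the IMA keyring, while the last must never be treated as "simply unsigned".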