From: Mimi Z. <zo...@li...> - 2017-10-11 17:24:16
On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
> Hi,
>
> I want to sign a root filesystem offline using the same private key
> for both IMA and EVM, i.e. using evmctl sign --imasig
>
> This image is read-only and is on an embedded product. The kernel
> automatically loads the public key as I have
> CONFIG_IMA_TRUSTED_KEYRING=y
> CONFIG_IMA_LOAD_X509=y
> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>
> set in the kernel configuration
>
> I can't see how to enable this key for verifying EVM as soon as the
> kernel passes control to the init process. Is this possible? Do I
> have to write my own init process, which could be a script to load
> /etc/keys/ima_x509.der into the EVM keyring, enable EVM and then
> pass control to systemd?

There is a separate CONFIG_EVM_X509_PATH option for EVM. You can specify
the same x509 certificate pathname.

Mimi
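As an added illustration of the reply above (not part of the original thread and not Martin's or Mimi's configuration), the kernel .config fragment below pairs the IMA options quoted in the question with the EVM counterparts that load the same certificate onto the .evm keyring at boot. CONFIG_EVM_X509_PATH is only offered when CONFIG_EVM and CONFIG_EVM_LOAD_X509 are enabled, and both X509 loaders sit behind CONFIG_INTEGRITY_TRUSTED_KEYRING; the certificate path reuses the one from the question. Option dependencies are stated from the Kconfig as the editor knows it and should be checked against the kernel tree actually being built.

```kconfig
# Added example, not taken from the thread. Kernel .config fragment that
# loads ONE X509 certificate for both IMA appraisal and EVM verification,
# so no userspace step (evmctl import / custom init) is needed before systemd.

# Trusted keyrings (.ima / .evm) that the built-in loaders populate.
CONFIG_INTEGRITY=y
CONFIG_INTEGRITY_SIGNATURE=y
CONFIG_INTEGRITY_ASYMMETRIC_KEYS=y
CONFIG_INTEGRITY_TRUSTED_KEYRING=y

# IMA side, as in the original question.
CONFIG_IMA=y
CONFIG_IMA_APPRAISE=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"

# EVM side: the separate loader Mimi points at. Same certificate file,
# since the root filesystem was signed offline with the one private key.
# (CONFIG_EVM_LOAD_X509 is what makes CONFIG_EVM_X509_PATH selectable;
# treat that dependency as an assumption to verify in your tree.)
CONFIG_EVM=y
CONFIG_EVM_ATTR_FSUUID=y
CONFIG_EVM_LOAD_X509=y
CONFIG_EVM_X509_PATH="/etc/keys/ima_x509.der"
```

The image itself is signed offline with the matching private key, e.g. `evmctl sign -r --imasig --key /path/to/privkey.pem /path/to/rootfs` (the `-r`, `--imasig` and `--key` options are evmctl's own; `--imasig` is the form the question uses). Because the certificate is read from the root filesystem at boot, it must live at the configured path inside the image and the private key must never ship with it.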