From: Martin T. <mto...@gm...> - 2017-10-11 17:32:18
Thanks Mimi,

A bit of searching in LXR seems to indicate that this went into the v4.5 kernel, is this correct?

We are currently using 4.1 but will be upgrading to 4.9 LTSI in the near future so the CONFIG_EVM_X509_PATH looks perfect :)

Many Thanks,
Martin.

On Wed, Oct 11, 2017 at 6:23 PM, Mimi Zohar <zo...@li...> wrote:
> On Wed, 2017-10-11 at 18:12 +0100, Martin Townsend wrote:
>> Hi,
>>
>> I want to sign a root filesystem offline using the same private key
>> for both IMA and EVM, i.e. using evmctl sign --imasig
>>
>> This image is read-only and is on an embedded product. The kernel
>> automatically loads the public key as I have
>> CONFIG_IMA_TRUSTED_KEYRING=y
>> CONFIG_IMA_LOAD_X509=y
>> CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
>>
>> set in the kernel configuration
>>
>> I can't see how to enable this key for verifying EVM as soon as the
>> kernel passes control to the init process. Is this possible? Do I
>> have to write my own init process, which could be a script to load
>> the /etc/keys/ima_x509.der into the evm keyring, enable evm and then
>> pass control to systemd?
>
> There is a separate CONFIG_EVM_X509_PATH option for EVM. You can
> specify the same x509 certificate pathname.
>
> Mimi
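As an added example, not from this thread: a small Python check for the configuration being discussed. It parses a kernel `.config` and reports whether the IMA and EVM keyrings will both be populated at boot from the same certificate, which is what lets a root filesystem signed offline with one key (`evmctl sign --imasig`) verify under both. The sample `.config` is constructed; `CONFIG_EVM_LOAD_X509` (the EVM counterpart of `CONFIG_IMA_LOAD_X509`) and `CONFIG_INTEGRITY_TRUSTED_KEYRING` are real Kconfig symbols that the thread does not name.

```python
from __future__ import annotations
import re
# Constructed sample .config: IMA side set as in the thread, EVM side left out.
SAMPLE_CONFIG = """\
CONFIG_IMA=y
CONFIG_IMA_TRUSTED_KEYRING=y
CONFIG_IMA_LOAD_X509=y
CONFIG_IMA_X509_PATH="/etc/keys/ima_x509.der"
CONFIG_EVM=y
# CONFIG_EVM_LOAD_X509 is not set
"""

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

def parse_config(text: str) -> dict[str, str | None]:
    """Map CONFIG_* symbols to values; '# ... is not set' lines map to None."""
    opts: dict[str, str | None] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET.match(line):
            value = m.group(2)
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # string options are quoted in .config
            opts[m.group(1)] = value
        elif m := _UNSET.match(line):
            opts[m.group(1)] = None
    return opts

def check_ima_evm_keys(opts: dict[str, str | None]) -> list[str]:
    """Return problems found; an empty list means both keyrings load the same cert."""
    problems: list[str] = []
    # Newer kernels call the trusted integrity keyring option INTEGRITY_TRUSTED_KEYRING.
    if "y" not in (opts.get("CONFIG_IMA_TRUSTED_KEYRING"), opts.get("CONFIG_INTEGRITY_TRUSTED_KEYRING")):
        problems.append("no trusted integrity keyring: neither CONFIG_IMA_TRUSTED_KEYRING nor CONFIG_INTEGRITY_TRUSTED_KEYRING")
    for sym in ("CONFIG_IMA", "CONFIG_EVM"):
        if opts.get(f"{sym}_LOAD_X509") != "y":
            problems.append(f"{sym}_LOAD_X509 is not enabled, so that keyring stays empty at boot")
        elif not opts.get(f"{sym}_X509_PATH"):
            problems.append(f"{sym}_X509_PATH is empty")
    ima_path, evm_path = opts.get("CONFIG_IMA_X509_PATH"), opts.get("CONFIG_EVM_X509_PATH")
    if ima_path and evm_path and ima_path != evm_path:
        # Legal, but then one key pair (evmctl sign --imasig) cannot verify for both.
        problems.append(f"IMA and EVM certificates differ: {ima_path} vs {evm_path}")
    return problems

if __name__ == "__main__":
    for problem in check_ima_evm_keys(parse_config(SAMPLE_CONFIG)):
        print("WARN:", problem)
```

Run it against a real `.config` by reading the file into `parse_config` instead of `SAMPLE_CONFIG`; an empty result means the same certificate path is configured for both keyrings.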