Re: [RFC][PATCH v1 0/2] integrity: module integrity verification
From: Rusty Russell
Date: Tue Feb 07 2012 - 19:19:21 EST
On Tue, 7 Feb 2012 23:18:38 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@xxxxxxxxx> wrote:
> On Tue, Feb 7, 2012 at 7:13 PM, Rusty Russell <rusty@xxxxxxxxxx> wrote:
> > On Mon, 6 Feb 2012 08:59:00 +0200, "Kasatkin, Dmitry" <dmitry.kasatkin@xxxxxxxxx> wrote:
> >> On Mon, Feb 6, 2012 at 3:51 AM, James Morris <jmorris@xxxxxxxxx> wrote:
> >> > On Wed, 1 Feb 2012, Dmitry Kasatkin wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> Here is another module verification patchset, which is based on the recently
> >> >> upstreamed digital signature support used by EVM and IMA-appraisal.
> >> >
> >> > You should cc: Rusty on any changes to the module code.
> >> >
> >>
> >> Hello,
> >>
> >> Mimi already has pointed that out.
> >> I have sent him an email with the link..
> >
> > Thanks.
> >
> > Using an external signature (via cmdline arguments) is simple, at
> > least. ÂNot sure what the userspace side of this looks like?
> >
>
> Hello,
>
> There are couple of patches for modprobe and insmod...
>
> You could see them on the top at:
> http://linux-ima.git.sourceforge.net/git/gitweb.cgi?p=linux-ima/module-init-tools.git;a=summary
>
> It first tries to read signature from xattr, then from file...
> "modprobe -v" will show 'ima=' parameter with signature.
>
> - Dmitry
The problem is that distributions tend to have two variants of modules:
stripped and unstripped. Thus you may want to support multiple
signatures, any *one* of which may match.
I've cc'd the module-init-tools and libkmod maintainers for their
comments, too.
Cheers,
Rusty.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/