On Tue, Jan 29, 2013 at 11:58:53AM -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
> > The assumption has always been that the initramfs would be measured, for
> > trusted boot, and appraised, for secure boot, before being executed.
>
> Hi Mimi,
>
> Ok. So
On Tue, 2013-01-29 at 15:10 -0500, Vivek Goyal wrote:
> On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
>
> [..]
> > > Hi Mimi,
> > >
> > > Can we add another field to ima_rule_entry, say .enforcement to control
> > > the behavior of .action. Possible values of .enforcement could be,
On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
[..]
> > Hi Mimi,
> >
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> >
> > ALL
> > SIGNED_ONLY
> >
> > ALL will be default. And
On Tue, 2013-01-29 at 13:20 -0500, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
>
> [..]
> > > Hi Mimi,
> > >
> > > By policy you mean ima rules here? So I can either enable default rules
> > > (tcb default rules for appraisal and measurement) by using kernel c
On Tue, Jan 29, 2013 at 10:48:00AM +0200, Kasatkin, Dmitry wrote:
> On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal wrote:
> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> >
> > [..]
> >> > Ok. I am hoping that it will be more than the kernel command line we
> >> > support. In
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
[..]
> > Hi Mimi,
> >
> > By policy you mean ima rules here? So I can either enable default rules
> > (tcb default rules for appraisal and measurement) by using kernel command
> > line options or dynamically configure my own rules using
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
[..]
> > Also given the fact that we allow loading policy from initramfs, root
> > can rebuild initramfs and change the policy which takes effect over next
> > reboot. So in priciple this works only when we are trying to impose some
> > p
On Mon, Jan 28, 2013 at 07:14:02PM -0500, Mimi Zohar wrote:
[..]
> The 'trusted' keyring is a solution for installing only distro or third
> party signed packages. How would a developer, for instance, create,
> sign, and install his own package and add his public key safely?
Hi Mimi,
I guess us
On Thu, Jan 24, 2013 at 01:25:46PM +0200, Jussi Kivilinna wrote:
>
> Maybe it would be cleaner to not mess with pfkeyv2.h at all, but instead mark
> algorithms that do not support pfkey with flag. See patch below.
>
As nobody seems to have another opinion, we could go either with your
approach,
On Mon, Jan 28, 2013 at 10:13 PM, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote:
>> On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote:
>> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
>> >
>> > [..]
>> > > > Ok. I am hoping that it will be
On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal wrote:
> On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
>
> [..]
>> > Ok. I am hoping that it will be more than the kernel command line we
>> > support. In the sense that for digital signatures one needs to parse
>> > the signature, l
11 matches
Mail list logo
