On Tue, Jan 29, 2013 at 03:01:13PM -0500, Mimi Zohar wrote:
[..]
> > Hi Mimi,
> >
> > Can we add another field to ima_rule_entry, say .enforcement to control
> > the behavior of .action. Possible values of .enforcement could be, say.
> >
> > ALL
> > SIGNED_ONLY
> >
> > ALL will be default. And
On Tue, Jan 29, 2013 at 10:48:00AM +0200, Kasatkin, Dmitry wrote:
> On Mon, Jan 28, 2013 at 8:52 PM, Vivek Goyal wrote:
> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> >
> > [..]
> >> > Ok. I am hoping that it will be more than the kernel c
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
[..]
> > Hi Mimi,
> >
> > By policy you mean ima rules here? So I can either enable default rules
> > (tcb default rules for appraisal and measurement) by using kernel command
> > line options or dynamically configure my own rules using
On Mon, Jan 28, 2013 at 08:48:55PM -0500, Mimi Zohar wrote:
[..]
> > Also given the fact that we allow loading policy from initramfs, root
> > can rebuild initramfs and change the policy which takes effect over next
> > reboot. So in principle this works only when we are trying to impose some
> > p
On Mon, Jan 28, 2013 at 07:14:02PM -0500, Mimi Zohar wrote:
[..]
> The 'trusted' keyring is a solution for installing only distro or third
> party signed packages. How would a developer, for instance, create,
> sign, and install his own package and add his public key safely?
Hi Mimi,
I guess us
On Mon, Jan 28, 2013 at 03:15:49PM -0500, Mimi Zohar wrote:
> On Mon, 2013-01-28 at 13:56 -0500, Vivek Goyal wrote:
> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> >
> > [..]
> > > > Ok. I am hoping that it will be more than the kernel co
On Mon, Jan 28, 2013 at 02:51:34PM -0500, Mimi Zohar wrote:
> On Mon, 2013-01-28 at 13:52 -0500, Vivek Goyal wrote:
> > On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
> >
> > [..]
> > > > Ok. I am hoping that it will be more than the kernel co
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
[..]
> > Ok. I am hoping that it will be more than the kernel command line we
> > support. In the sense that for digital signatures one needs to parse
> > the signature, look at what hash algorithm has been used and then
> > collec
On Mon, Jan 28, 2013 at 05:20:20PM +0200, Kasatkin, Dmitry wrote:
[..]
> > Ok. I am hoping that it will be more than the kernel command line we
> > support. In the sense that for digital signatures one needs to parse
> > the signature, look at what hash algorithm has been used and then
> > collec
On Mon, Jan 28, 2013 at 04:54:06PM +0200, Kasatkin, Dmitry wrote:
> On Fri, Jan 25, 2013 at 11:01 PM, Vivek Goyal wrote:
> > Hi,
> >
> > I am trying to read and understand IMA code. How does digital signature
> > mechanism work?
> >
> > IIUC, evmctl will ins
Hi,
I am trying to read and understand IMA code. How does digital signature
mechanism work?
IIUC, evmctl will install a file's signature in security.ima. And later
process_measurement() will do following.
Calculate digest of file in ima_collect_measurement() and then
ima_appraise_measurement()