On Wed, 2013-01-16 at 13:57 -0500, Vivek Goyal wrote: > On Wed, Jan 16, 2013 at 01:45:12PM -0500, Mimi Zohar wrote: > > [..] > > > Given the fact that signatures are stored in extended attributes, to me > > > the only way to sign executables in current IMA framework would to be > > > prepare file system image at build server and ship that image. And > > > then installer simply mounts that image (after making sure that proper > > > verification keys have been loaded in kernel). > > > > That is one scenario. Another scenario is to update packages to include > > extended attributes and to write those extended attributes on > > installation. > > Ok, that's the point I am missing. So I can sign a file and signatures > are in a separate file. And these signatures are installed in extended > attributes at file installation time (IOW rpm installation time) on > target. > > If all this works, this sounds reasonable so far. Except the point of > disabling ptrace and locking down memory. > > So what's the state of above work. Is there something I can play with.
Sorry, I'm not sure of the RPM implementation details of where/how the signatures are stored in the package, nor of the status of these changes. Perhaps someone else on the mailing list knows. thanks, Mimi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
