Re: [RFD] linux-firmware key arrangement for firmware signing

From: Petko Manolov
Date: Thu May 21 2015 - 12:51:25 EST

Next message: Alexei Starovoitov: "Re: [PATCH net-next 1/4] bpf: allow bpf programs to tail-call other bpf programs"
Previous message: Andy Lutomirski: "Re: Should we automatically generate a module signing key at all?"
In reply to: Andy Lutomirski: "Re: [RFD] linux-firmware key arrangement for firmware signing"
Next in thread: Andy Lutomirski: "Re: [RFD] linux-firmware key arrangement for firmware signing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 15-05-21 09:39:50, Andy Lutomirski wrote:
>
> It's also a performance cost because the average user of this signature stuff
> doesn't actually want IMA, and IMA is checking the wrong think anyway.
> IMA/EVM tells us "this file validly belongs in /lib/modules/whatever according
> to whomever we trust for the filesystem". We want to check "is this data,
> regardless of where it was read from, a trusted module".

IMA-appraise does not care where the file comes from (although it may be
persuaded to) and verifies file's data and meta-data against a signature. I
guess you should actually read the code. :)

Petko
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Alexei Starovoitov: "Re: [PATCH net-next 1/4] bpf: allow bpf programs to tail-call other bpf programs"
Previous message: Andy Lutomirski: "Re: Should we automatically generate a module signing key at all?"
In reply to: Andy Lutomirski: "Re: [RFD] linux-firmware key arrangement for firmware signing"
Next in thread: Andy Lutomirski: "Re: [RFD] linux-firmware key arrangement for firmware signing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]