Re: [PATCH 2/7] integrity: IMA as an integrity service provider

From: Serge E. Hallyn
Date: Fri Feb 06 2009 - 15:28:31 EST


Quoting Mimi Zohar (zohar@xxxxxxxxxxxxxxxxxx):
> IMA provides hardware (TPM) based measurement and attestation for
> file measurements. As the Trusted Computing (TPM) model requires,
> IMA measures all files before they are accessed in any way (on the
> integrity_bprm_check, integrity_path_check and integrity_file_mmap
> hooks), and commits the measurements to the TPM. Once added to the
> TPM, measurements can not be removed.
>
> In addition, IMA maintains a list of these file measurements, which
> can be used to validate the aggregate value stored in the TPM. The
> TPM can sign these measurements, and thus the system can prove, to
> itself and to a third party, the system's integrity in a way that
> cannot be circumvented by malicious or compromised software.
>
> - alloc ima_template_entry before calling ima_store_template()
> - log ima_add_boot_aggregate() failure
> - removed unused IMA_TEMPLATE_NAME_LEN
> - replaced hard coded string length with #define name
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxx>

Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/