Re: [PATCH 00/23] Crypto keys and module signing

From: Kasatkin, Dmitry
Date: Tue Jun 05 2012 - 10:36:41 EST


On Tue, Jun 5, 2012 at 4:37 PM, David Howells <dhowells@xxxxxxxxxx> wrote:
> Mimi Zohar <zohar@xxxxxxxxxxxxxxxxxx> wrote:
>
>> As the signature would be stored as an extended attribute, we wouldn't
>> need to pass it. ÂUnfortunately not all filesystems have xattr support,
>> nor do all of the package installation mechanims. ÂThe benefit of
>> storing the signature as an extended attribute, however, is that there
>> is a consistent mechanism for verifying file data integrity for all
>> files, not only ELF.
>
> We also want to be able to do module signature verification with CONFIG_IMA=n.

Sure. In the patchset I sent some time ago, signature verification
does not require CONFIG_IMA=y.
modprobe reads signature from xattr or .sig file and pass it as kernel
module parameter.

- Dmitry


>
> David
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/