Re: [PATCH v8 00/14] Appended signatures support for IMA appraisal
From: James Morris
Date: Tue Dec 04 2018 - 17:00:40 EST
On Fri, 16 Nov 2018, Thiago Jung Bauermann wrote:
> On the OpenPOWER platform, secure boot and trusted boot are being
> implemented using IMA for taking measurements and verifying signatures.
> Since the kernel image on Power servers is an ELF binary, kernels are
> signed using the scripts/sign-file tool and thus use the same signature
> format as signed kernel modules.
>
> This patch series adds support in IMA for verifying those signatures.
Are you saying you use IMA to verify kernels during boot? From a Linux
bootloader?
> It adds flexibility to OpenPOWER secure boot, because it allows it to boot
> kernels with the signature appended to them as well as kernels where the
> signature is stored in the IMA extended attribute.
Just to clarify, with these patches, IMA will be able to verify the
native form of signed kernel modules? i.e. without xattrs at all, and
this will work with existing signed modules?
--
James Morris
<jmorris@xxxxxxxxx>