Re: [PATCH v7 7/8] ima: check against blacklisted hashes for files with modsig

From: Nayna
Date: Sat Oct 19 2019 - 14:31:18 EST


Hi Mimi,


On 10/11/2019 09:19 AM, Mimi Zohar wrote:
> On Mon, 2019-10-07 at 21:14 -0400, Nayna Jain wrote:
>> Asymmetric private keys are used to sign multiple files. The kernel
>> currently supports checking against the blacklisted keys. However, if the
>> public key is blacklisted, any file signed by the blacklisted key will
>> automatically fail signature verification. We might not want to blacklist
>> all the files signed by a particular key, but just a single file.
>> Blacklisting the public key is not fine enough granularity.
>>
>> This patch adds support for blacklisting binaries with appended signatures,
>> based on the IMA policy. Defined is a new policy option
>> "appraise_flag=check_blacklist".
>
> The blacklisted hash is not the same as the file hash, but is the file
> hash without the appended signature. Are there tools for calculating
> the blacklisted hash? Can you provide an example?

I have updated the patch description to specify that the blacklisted hash is the file hash without the appended signature. I hope that makes it clear now.

Thanks & Regards,
   - Nayna
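The question in the thread, what hash actually goes on the blacklist for a file with an appended signature, is easiest to answer with a small tool. The following is an added example and is not part of the thread, of the patch, or of the kernel tree. It assumes the standard appended-signature trailer used by sign-file (contents, then the PKCS#7 blob, then a 12-byte struct module_signature with a big-endian sig_len, then the magic string "~Module signature appended~\n"), strips that trailer with the same sanity checks the kernel applies before trusting sig_len, and hashes what is left. The hash algorithm is a parameter because the blacklisted digest must use whatever algorithm the IMA appraisal rule uses; sha256 here is an assumption. The sample "binary" and signature blob in demo() are constructed, not real ELF or DER data.

```python
"""Compute the IMA blacklist hash of a file carrying an appended signature.

Added example, not code from the thread or from the kernel. The blacklisted
hash is the digest of the file contents WITHOUT the appended signature, so
the trailer has to be parsed and removed first. Layout assumed:

    <contents> <PKCS#7 blob> <struct module_signature> <MODULE_SIG_STRING>
"""
import hashlib
import struct
import sys

MODULE_SIG_STRING = b"~Module signature appended~\n"

# struct module_signature (include/linux/module_signature.h):
#   u8 algo; u8 hash; u8 id_type; u8 signer_len; u8 key_id_len;
#   u8 __pad[3]; __be32 sig_len;
MODULE_SIG_FMT = ">BBBBB3sI"
MODULE_SIG_LEN = struct.calcsize(MODULE_SIG_FMT)  # 12 bytes
PKEY_ID_PKCS7 = 2  # the only id_type accepted for appended signatures


def strip_appended_signature(data):
    """Split data into (contents, signature_blob).

    Returns (data, None) when there is no appended signature. Raises
    ValueError on a malformed trailer, mirroring the checks the kernel's
    mod_check_sig() makes before it trusts sig_len.
    """
    if not data.endswith(MODULE_SIG_STRING):
        return data, None
    body = data[:len(data) - len(MODULE_SIG_STRING)]
    if len(body) < MODULE_SIG_LEN:
        raise ValueError("file too short for struct module_signature")
    algo, hash_, id_type, signer_len, key_id_len, pad, sig_len = \
        struct.unpack(MODULE_SIG_FMT, body[len(body) - MODULE_SIG_LEN:])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("unsupported id_type %d (expected PKCS#7)" % id_type)
    if algo or hash_ or signer_len or key_id_len or pad != b"\0\0\0":
        raise ValueError("fields that must be zero for a PKCS#7 signature are set")
    body = body[:len(body) - MODULE_SIG_LEN]
    if sig_len > len(body):
        raise ValueError("sig_len %d exceeds remaining size %d" % (sig_len, len(body)))
    split = len(body) - sig_len
    return body[:split], body[split:]


def append_signature(contents, sig_blob):
    """Build the trailer the way sign-file does; used here to construct samples."""
    hdr = struct.pack(MODULE_SIG_FMT, 0, 0, PKEY_ID_PKCS7, 0, 0, b"\0\0\0", len(sig_blob))
    return contents + sig_blob + hdr + MODULE_SIG_STRING


def digest_hex(data, algo="sha256"):
    return hashlib.new(algo, data).hexdigest()


def blacklist_hash(data, algo="sha256"):
    """Digest to put on the blacklist to block exactly this binary.

    algo is an assumption: use the hash the IMA appraisal rule is configured
    with, otherwise the lookup will never match.
    """
    contents, _sig = strip_appended_signature(data)
    return digest_hex(contents, algo)


def demo():
    # Constructed sample: a fake executable and a fake (non-DER) signature blob.
    contents = b"\x7fELF" + b"not really an executable" * 4
    fake_sig = b"\x30\x82\x01\x00" + b"\xaa" * 32
    signed = append_signature(contents, fake_sig)
    return {
        "file_hash": digest_hex(signed),          # what sha256sum prints
        "blacklist_hash": blacklist_hash(signed),  # what IMA compares
        "contents_hash": digest_hex(contents),     # equals blacklist_hash
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(blacklist_hash(f.read()))
    else:
        for name, value in demo().items():
            print("%-15s %s" % (name, value))
```

Run it with a path to a signed binary to get the hash to blacklist, or with no arguments to see, on the constructed sample, that the plain file hash and the blacklist hash differ while the blacklist hash equals the hash of the unsigned contents. A file with no trailer hashes unchanged, so the same tool works for unsigned binaries.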